Advanced threat group Sofacy delivers a new malware sample dubbed Cannon in a spear-phishing attack that targets government organizations in North America, Europe and in a former Soviet state.
The group's latest campaign was spotted in late October and early November, and it relied on Word documents that loaded remote templates embedded with a malicious macro code.
One of the files retrieved a new tool that had not previously been seen in use by the Sofacy actor. The delivery method relies on an uncommon technique that helps avoid analysis in an automated sandbox environment: the macro uses the AutoClose function, so Word delays full execution of the malicious code until the user closes the document.
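A triage check for the loader technique described above, added here as an example (it is not Unit 42's tooling and not code from the article): an OOXML Word file that pulls a remote template carries an `attachedTemplate` relationship with an external `http(s)` target in `word/_rels/settings.xml.rels`, which a defender can flag before any macro runs. The `build_sample` helper and its `example.invalid` URL are constructed test data; the macro body itself (and its AutoClose handler) lives in the fetched template, so this check does not need to parse VBA.

```python
import io
import re
import zipfile

# Matches an external Target URL inside a single <Relationship .../> tag.
REMOTE_TARGET = re.compile(r'Target="(https?://[^"]+)"', re.IGNORECASE)
ATTACHED_TEMPLATE = "relationships/attachedTemplate"


def scan_docx(data: bytes) -> dict:
    """Return remote-template indicators found in a Word file given as bytes."""
    findings = {"remote_templates": [], "has_macros": False}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
        # A remote template is referenced from the settings relationships part.
        rels = "word/_rels/settings.xml.rels"
        if rels in names:
            xml = z.read(rels).decode("utf-8", errors="replace")
            for rel in re.finditer(r"<Relationship\b[^>]*>", xml):
                tag = rel.group(0)
                if ATTACHED_TEMPLATE in tag and 'TargetMode="External"' in tag:
                    match = REMOTE_TARGET.search(tag)
                    if match:
                        findings["remote_templates"].append(match.group(1))
        # The lure .docx itself can be macro-free; the template carries the VBA.
        findings["has_macros"] = "word/vbaProject.bin" in names
    return findings


def build_sample(template_url: str = "") -> bytes:
    """Constructed minimal .docx-like archive for offline testing (not a real lure)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if template_url:
            z.writestr(
                "word/_rels/settings.xml.rels",
                '<Relationships><Relationship Id="rId1" '
                'Type="http://schemas.openxmlformats.org/officeDocument/2006/'
                'relationships/attachedTemplate" '
                f'Target="{template_url}" TargetMode="External"/></Relationships>',
            )
    return buf.getvalue()


if __name__ == "__main__":
    print(scan_docx(build_sample("http://example.invalid/template.dotm")))
```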
According to the analysis from Palo Alto Networks' Unit 42, Cannon functions as a downloader and uses email communication to get instructions from the command and control (C2) server.
Its list of capabilities includes adding persistence and creating a unique system identifier, collecting system details, and capturing screenshots of the desktop. It can also log into a POP3 email account to retrieve attachments.
Cannon sends emails via three accounts hosted at a Czech service provider called Seznam. These messages are sent to the email address 'sahro.bella7[at]post.cz', controlled by the adversary, which acts as the C2 point.
Commands are retrieved by logging into a different account, 'Trala[.]cosh2', also hosted on Seznam.
"The overall purpose of Cannon is to use several email accounts to send system data (system information and screenshot) to the threat actors and to ultimately obtain a payload from an email from the actors," the researchers explain.
It appears that Sofacy, also known by the names Fancy Bear, APT28, Sednit, and Strontium, took advantage of the Lion Air airplane crash to run their attack. One of the weaponized files used had the name 'crash list (Lion Air Boeing 737).docx.'
In a report shared with BleepingComputer, Unit 42 researchers say that capitalizing on a catastrophic event to deploy a spear-phishing campaign is unusual for this particular group.
Because it relies on remote templates, Sofacy's success with this campaign depends on the availability of the C2 server: if the server is not online when the macro executes, the template and its payload are never fetched and no harm is done.