Cylance vs. APT28’s VBA Malware

Visibly active since at least the mid-2000s, the Sednit group (aka APT28, Sofacy, Fancy Bear, Pawn Storm) has been the purported source of numerous attacks on high-value and highly sensitive targets. Attacks against the French and German election processes, as well as campaign(s) against the U.S. government, are just a few of the efforts recently attributed to the group.

CERT-EU (the Computer Emergency Response Team for the EU institutions) recently reported on a campaign that again illustrates this group’s capability. This most recent example targets the information security community and industry directly.

The spear-phishing campaign directly targets attendees of the 2017 International Conference on Cyber Conflict U.S. (CyCon U.S.), a NATO-organized conference scheduled to take place in Washington, D.C., on the 7th and 8th of November 2017.


The phishing campaign was launched in early-to-mid October and included a weaponized Microsoft Word document (e.g. Conference_onCyber_Conflict.doc).

Multiple versions of the decoy/lure document have been identified in the wild (SHA-256):

c4be15f9ccfecf7a463f3b1d4a17e7b4f95de939e057662c3f97b52f7fa3c52f
e5511b22245e26a003923ba476d7c36029939b2d1936e17a9b35b396467179ae

Malicious documents with functional VBA macro components contain the following code:

The VBA code is designed to generate and drop additional components. Functionally it is very straightforward: there are no zero-day exploits or other tricks involved. The code simply drops and executes up to three additional files (a dropper and its payloads). The first of these is netwf.dat (522fd9b35323af55113455d823571f71332e53dde988c2eb41395cf6b0c15805), followed by a payload DLL and a batch file used to execute that payload:

Payload DLL – netwf.dll (ef027405492bc0719437eb58c3d2774cc87845f30c40040bbebbcc09a4e3dd18)
Batch file – netwf.bat (cca2b02bec26939c4f6444201bf84e259448c15410ecb17ab9fce3b37f94ae78)

The contents of netwf.bat can be seen below:

As per the VBA script, all dropped files are written to %LOCALAPPDATA%.
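As an added example (not Cylance’s code and not part of the original post), the following Python triage script uses the SHA-256 values and dropped-file names quoted above to sweep a profile’s %LOCALAPPDATA% for the netwf.* dropper chain; the confidence tiers and the fallback to the home directory on a non-Windows analysis host are assumptions of the example.

```python
import hashlib
import os
from pathlib import Path

# SHA-256 IoCs quoted in the post, mapped to the role the post gives each file.
KNOWN_HASHES = {
    "c4be15f9ccfecf7a463f3b1d4a17e7b4f95de939e057662c3f97b52f7fa3c52f": "lure document",
    "e5511b22245e26a003923ba476d7c36029939b2d1936e17a9b35b396467179ae": "lure document",
    "522fd9b35323af55113455d823571f71332e53dde988c2eb41395cf6b0c15805": "netwf.dat (dropper)",
    "ef027405492bc0719437eb58c3d2774cc87845f30c40040bbebbcc09a4e3dd18": "netwf.dll (payload)",
    "cca2b02bec26939c4f6444201bf84e259448c15410ecb17ab9fce3b37f94ae78": "netwf.bat (launcher)",
}
# File names the VBA drops into %LOCALAPPDATA%. A name-only match is weaker evidence
# than a hash match (a rebuilt variant would keep the name but not the hash).
DROPPED_NAMES = {"netwf.dat", "netwf.dll", "netwf.bat"}

def sha256_of(path):
    """Stream a file through SHA-256 so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def classify(name, digest, known=KNOWN_HASHES):
    """Return (confidence, reason) for one file, or None if nothing matches."""
    if digest in known:
        return ("high", "hash match: " + known[digest])
    if name.lower() in DROPPED_NAMES:  # Windows file names are case-insensitive
        return ("medium", "dropped-file name, hash not in IoC list (possible variant)")
    return None

def sweep(root, known=KNOWN_HASHES):
    """Walk root and return a list of (path, confidence, reason) findings."""
    findings = []
    for p in Path(root).rglob("*"):
        if p.is_file():
            verdict = classify(p.name, sha256_of(p), known)
            if verdict:
                findings.append((str(p), verdict[0], verdict[1]))
    return findings

if __name__ == "__main__":
    # Drop location is %LOCALAPPDATA%; the home-directory fallback is for non-Windows hosts.
    for path, conf, reason in sweep(os.environ.get("LOCALAPPDATA", Path.home())):
        print(f"[{conf}] {path}: {reason}")
```

Hashing every file under %LOCALAPPDATA% recursively is slow on a real profile; since the post places the dropped files directly in that directory, restricting the walk to its top level is a reasonable first pass.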

The Seduploader payload (Read more...)

This is a Security Bloggers Network syndicated blog post authored by The Cylance Team. Read the original post at: Cylance Blog