Visibly active since at least the mid-2000s, the Sednit group (aka APT28 / Sofacy / Fancy Bear / Pawn Storm) has been the purported source of numerous attacks on high-value and highly sensitive targets. Attacks against the French and German election processes, as well as campaigns against the U.S. Government, are just a few of their recently attributed efforts.
CERT-EU (Computer Emergency Response Team for the EU Institutions) recently reported on a campaign which, again, illustrates this group's capability. This most recent example is aimed directly at the information security community and industry.
The spear-phishing campaign directly targets attendees of the 2017 International Conference on Cyber Conflict U.S. (CyCon U.S.). This is a NATO-organized conference scheduled to take place in Washington, D.C. on the 7th and 8th of November 2017.
The phishing campaign was launched in early-to-mid October and included a weaponized Microsoft Word document (e.g. Conference_onCyber_Conflict.doc).
Multiple versions of the decoy/lure documents have been identified in the wild.
Malicious documents with a functional VBA macro component contain the following code:
The VBA code is designed to generate and drop additional components. Functionality-wise this is very straightforward: there are no fancy zero-day exploits or other tricks involved. The code simply serves to drop and execute up to 3 additional files (dropper and payloads). The first of these is netwf.dat (522fd9b35323af55113455d823571f71332e53dde988c2eb41395cf6b0c15805). This is followed by a payload DLL and a batch file used to execute that payload.
Payload DLL – netwf.dll (ef027405492bc0719437eb58c3d2774cc87845f30c40040bbebbcc09a4e3dd18)
Batch file – netwf.bat (cca2b02bec26939c4f6444201bf84e259448c15410ecb17ab9fce3b37f94ae78)
The contents of netwf.bat can be seen below:
As per the VBA script, all dropped files are located in %LOCALAPPDATA%.
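As an added defender-side example that is not part of the original post, the Python script below sweeps a directory for the three dropped file names and compares each hit's SHA-256 against the values quoted above, so a same-named variant is reported separately from an exact match; the sample directory it builds is a constructed fixture containing harmless stand-ins, not the real files.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# File names and SHA-256 values quoted in the post for the three dropped components.
SEDNIT_DROPPED_FILES = {
    "netwf.dat": "522fd9b35323af55113455d823571f71332e53dde988c2eb41395cf6b0c15805",
    "netwf.dll": "ef027405492bc0719437eb58c3d2774cc87845f30c40040bbebbcc09a4e3dd18",
    "netwf.bat": "cca2b02bec26939c4f6444201bf84e259448c15410ecb17ab9fce3b37f94ae78",
}

def sha256_file(path, chunk_size=1 << 16):
    """Hash a file in chunks so large files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()

def scan_dir(root, iocs=SEDNIT_DROPPED_FILES):
    """Walk root and report every file whose name matches a dropped-file name.
    hash_match says whether it is the exact sample from the post or a same-named variant."""
    findings = []
    for path in Path(root).rglob("*"):
        name = path.name.lower()
        if path.is_file() and name in iocs:
            digest = sha256_file(path)
            findings.append({"path": str(path), "name": name, "sha256": digest,
                             "hash_match": digest == iocs[name]})
    return findings

def scan_localappdata():
    """Sweep the drop location named in the post; returns [] where LOCALAPPDATA is unset."""
    root = os.environ.get("LOCALAPPDATA")
    return scan_dir(root) if root else []

def build_sample_dir():
    """Constructed fixture: a harmless stand-in named netwf.bat plus a benign file."""
    root = Path(tempfile.mkdtemp(prefix="sednit_ioc_"))
    (root / "netwf.bat").write_bytes(b"@echo off\r\nREM constructed stand-in, not the real file\r\n")
    (root / "README.txt").write_bytes(b"benign file, should not be flagged\r\n")
    return root

if __name__ == "__main__":
    for hit in scan_dir(build_sample_dir()) + scan_localappdata():
        print(hit)
```

A name-only hit with hash_match False still deserves triage, since the hashes above cover only the samples discussed here and not every variant of the lure documents.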
The Seduploader payload
This is a Security Bloggers Network syndicated blog post authored by The Cylance Team. Read the original post at: Cylance Blog