APT28 Pulls Out New Malware Cannon

The notorious Russian cyberespionage group known as APT28, Fancy Bear and Sofacy is targeting government organizations using a new Trojan program called Cannon.

Researchers from Palo Alto Networks detected new spear-phishing campaigns from APT28 at the end of October and in early November that targeted organizations from North America, Europe and a former USSR state.

Some of the malicious documents distributed in the campaigns installed the Zebrocy Trojan, a well-known malware program associated with APT28. However, some other documents deployed a new, never-before-seen Trojan that researchers have dubbed Cannon.

“Cannon has not been previously observed in use by the Sofacy group and contains a novel email-based C2 communication channel,” the Palo Alto researchers said in a blog post. “Email as a C2 channel is not a new tactic, but it is generally not observed in the wild as often as HTTP or HTTPS. Using email as a C2 channel may also decrease the chance of detection, as sending email via non-sanctioned email providers may not necessarily construe suspicious or even malicious activity in many enterprises.”

The attackers used “Lion Air Boeing 737” in the names of the malicious files, an attempt to exploit users’ interest in a recent plane crash. The documents contained malicious macros, a common malware distribution technique. However, they came with an interesting anti-analysis twist: the payload ran only when the user closed the document (the macro hooks Word’s AutoClose event), so sandboxes that open a document and never close it would see nothing happen.

The Cannon Trojan is written in C# and stores its malicious code in a namespace called cannon, hence its name. The attackers use it to gather system information, take screenshots and deliver additional malware, if the machine proves interesting to them.

However, the interesting part is how it talks to its operators. It sends the collected information to several email addresses over SMTPS (Simple Mail Transfer Protocol over TLS) and then uses POP3S (POP3 over TLS) to log into two email accounts at a legitimate provider, where it receives instructions and additional payloads stored as attachments.

“This is not a new tactic but may be more effective at evading detection as the external hosts involved are a legitimate email service provider,” the researchers said. “Add the layer of encryption that the SMTPS and POP3S protocols provide to the legitimate web-based service and you have a very difficult C2 channel to block.”
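Blocking a legitimate mail provider is rarely an option, but the traffic pattern Cannon produces is unusual for a workstation: mail is submitted to, and a mailbox is polled from, a server that is not the organisation’s sanctioned relay, with the polling repeating at a regular interval. The following is an added example, not code from the article or from Palo Alto Networks’ research, that sweeps Zeek conn.log-style connection records for that pattern. The log lines, the sanctioned relay addresses (10.0.0.25 and 10.0.0.26) and the internal range (10.0.0.0/8) are constructed assumptions for the demo.

```python
"""Flag internal hosts that submit mail (SMTP/SMTPS/submission) or poll a mailbox
(POP3/POP3S) on a server other than the sanctioned relays: the footprint an
email-based C2 channel like Cannon's leaves in connection logs.

Added example, not part of the article or the research it describes. The log
records, the sanctioned relays and the internal range below are constructed.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumption: the only mail servers clients are supposed to talk to.
SANCTIONED_MAIL_SERVERS = {"10.0.0.25", "10.0.0.26"}
INTERNAL = ip_network("10.0.0.0/8")

SEND_PORTS = {25, 465, 587}   # SMTP, SMTPS, submission
RECV_PORTS = {110, 995}       # POP3, POP3S

# Constructed conn.log-style records (tab-separated):
# ts, orig_h, orig_p, resp_h, resp_p, proto, duration, orig_bytes
SAMPLE_CONN_LOG = """\
1541030400.0\t10.1.2.3\t50111\t10.0.0.25\t587\ttcp\t0.9\t4120
1541030410.0\t10.1.2.7\t50220\t203.0.113.10\t465\ttcp\t1.3\t5200
1541030470.0\t10.1.2.7\t50231\t203.0.113.10\t995\ttcp\t0.7\t380
1541030530.0\t10.1.2.7\t50240\t203.0.113.10\t995\ttcp\t0.6\t402
1541030590.0\t10.1.2.7\t50255\t203.0.113.10\t995\ttcp\t0.8\t390
1541030600.0\t10.1.2.9\t50300\t198.51.100.5\t443\ttcp\t2.1\t9000
1541030650.0\t10.1.2.12\t50310\t203.0.113.10\t465\ttcp\t1.0\t4800
"""


def parse_conn_log(text):
    """Parse tab-separated conn.log-style lines into dicts; blank, comment and
    malformed lines are skipped so one bad record does not abort the sweep."""
    fields = ("ts", "orig_h", "orig_p", "resp_h", "resp_p", "proto", "duration", "orig_bytes")
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split("\t")
        if len(parts) != len(fields):
            continue
        rec = dict(zip(fields, parts))
        rec["ts"] = float(rec["ts"])
        rec["orig_p"] = int(rec["orig_p"])
        rec["resp_p"] = int(rec["resp_p"])
        rec["orig_bytes"] = int(rec["orig_bytes"])
        records.append(rec)
    return records


def find_mail_c2_candidates(records, sanctioned=SANCTIONED_MAIL_SERVERS, internal=INTERNAL):
    """Return one finding per (internal host, unsanctioned mail server) pair.

    A host that both submits mail and polls a mailbox on the same unsanctioned
    server reproduces Cannon's send-then-fetch loop and is rated high; traffic
    in one direction only is rated medium. The mean gap between mailbox polls
    is reported because a fixed interval looks like beaconing.
    """
    pairs = defaultdict(lambda: {"send": [], "recv": []})
    for r in records:
        src, dst, port = r["orig_h"], r["resp_h"], r["resp_p"]
        if ip_address(src) not in internal or dst in sanctioned:
            continue
        if port in SEND_PORTS:
            pairs[(src, dst)]["send"].append(r["ts"])
        elif port in RECV_PORTS:
            pairs[(src, dst)]["recv"].append(r["ts"])

    findings = []
    for (src, dst), seen in sorted(pairs.items()):
        send_n, recv_n = len(seen["send"]), len(seen["recv"])
        polls = sorted(seen["recv"])
        gaps = [b - a for a, b in zip(polls, polls[1:])]
        findings.append({
            "host": src,
            "server": dst,
            "send": send_n,
            "recv": recv_n,
            "poll_interval_s": round(sum(gaps) / len(gaps), 1) if gaps else None,
            "severity": "high" if send_n and recv_n else "medium",
        })
    return findings


if __name__ == "__main__":
    for finding in find_mail_c2_candidates(parse_conn_log(SAMPLE_CONN_LOG)):
        print(finding)
```

On the constructed sample, 10.1.2.7 is rated high (one SMTPS submission, three POP3S polls sixty seconds apart to 203.0.113.10), 10.1.2.12 is medium (submission only), and the host using the sanctioned relay on 587 and the host making an ordinary HTTPS connection are ignored. In production the sanctioned list would come from the mail team’s inventory, and the same logic applies to firewall or proxy logs once they are mapped onto the same fields.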

APT28 is not the most sophisticated cyberespionage group of Russian origin, but it’s the most well-known one because of its involvement in many high-profile attacks. These include the theft and leak of documents from the U.S. Democratic National Committee in 2016 and the theft and leak of emails from the International Olympic Committee in 2018.

Earlier this year, the U.S. Department of Justice indicted 12 officers of the Russian military intelligence agency (GRU) for interfering in the 2016 U.S. presidential elections. That indictment attributes the X-Agent malware, APT28’s main tool, to the GRU, effectively linking the hacker group to the Russian government.

Over the years, APT28 has shown a great ability to innovate, both in tactics and toolset. For example, researchers recently found evidence that APT28 modified and abused a laptop anti-theft technology called Absolute LoJack (previously Computrace) to deploy a low-level UEFI backdoor, known as LoJax, that survives operating system reinstalls and disk replacement.

North Korea’s Lazarus Group Hits Latin America

Lazarus Group, an APT actor with suspected ties to the North Korean government, has recently been infecting financial institutions from Latin America, according to antivirus vendor Trend Micro.

Lazarus, also known as Hidden Cobra in the security industry, is known for destructive data-wiping attacks, including the 2014 attack on Sony Pictures. In recent years, the group has focused on financial attacks, stealing tens of millions of dollars from central banks and cryptocurrency exchanges.

In October, the US-CERT issued an alert about a years-long campaign by Lazarus to infect servers that process ATM transactions, especially in Asia and Africa, and steal money from cash machines.

Researchers from Trend Micro have now found a Lazarus-made backdoor, detected as BKDR_BINLODR.ZNFJ-A, on several machines inside financial institutions across Latin America.

“We determined that these backdoors were installed on the targets’ machines on September 19, 2018, based mainly on the service creation time of the loader component,” the researchers said in a technical report. “We also saw that the attack technique bears some resemblance to a previous 2017 Lazarus attack, analyzed by BAE Systems, against targets in Asia.”

Lucian Constantin

Lucian has been covering computer security and the hacker culture for almost a decade, his work appearing in many technology publications including PCWorld, Computerworld, Network World, CIO, CSO, Forbes and The Inquirer. He has a bachelor's degree in political science, but has been passionate about computers and cybersecurity from an early age. Before he chose a career in journalism, Lucian worked as a system and network administrator. He enjoys attending security conferences and delving into interesting research papers. You can reach him at [email protected] or @lconstantin on Twitter. For encrypted email, his PGP key's fingerprint is: 7A66 4901 5CDA 844E 8C6D 04D5 2BB4 6332 FC52 6D42