A hacking group is using updated cyber-attacks as part of a campaign targeting a European government, in what's thought to be a continued attempt to conduct espionage and surveillance.
The latest campaign by the Fancy Bear group -- also known as Sofacy and APT28, and believed to be linked to the Kremlin -- has been uncovered by researchers at security company Palo Alto Networks.
The researchers observed the campaign taking place on March 12, and then again on March 14. In these attacks, the Sofacy group employs an updated version of DealersChoice, a platform that exploits a Flash vulnerability to stealthily deliver a malicious payload of trojan malware. The updated incarnation of DealersChoice contains a new evasion technique which researchers say hasn't been observed before: the Flash object only loads when a specific page of the malicious document used to deliver the attack is viewed.
Attacks against the European government organisation -- researchers haven't specified which country the target is in -- start with spear-phishing emails with the subject of 'Defence & Security 2018 Conference Agenda'. The emails contain a Word document, titled 'Defence & Security 2018 Conference Agenda.docx'.
Researchers note that the attackers have copied an agenda directly from a real conference taking place in the UK next week. It's likely to have been selected to appeal to specially chosen individuals within the target government.
If the user opens the Microsoft Word attachment, the Flash object -- which contains ActionScript that attempts to install the malicious payload -- will only run if the user scrolls down to the third page of the document.
While this might seem to be a risky approach for the attackers -- even if the user opens the document, they may not scroll through -- researchers say it demonstrates how the attackers specially tailor the lures to be interesting for specific targets.
"This suggests that the Sofacy group is confident that the targeted individuals would be interested enough in the content to peruse through it," said Robert Falcone, threat intelligence analyst at Unit 42.
Researchers say the reason the malicious Flash object doesn't run until the user reaches the third page is that the DealersChoice loader SWF isn't activated until it is rendered onscreen -- a tactic which helps the malicious payload avoid detection. It exists in the form of a tiny Flash object which Word displays as a small black dot -- something which users may not give much thought to.
Once activated, this Flash object needs to contact an active C2 server to download an additional Flash object which contains further exploit code. Following that, the object will contact the same C2 server for additional code.
If previous Russian hacking campaigns are anything to go by, the ultimate goal of the attack is to stealthily compromise the system and allow attackers to conduct surveillance and espionage.
The attack relies on the victim running a vulnerable version of Flash, which serves as a reminder to organisations that they should ensure systems are patched as soon as possible to avoid compromise. In this instance, a patch to close the Flash security holes has been available for months.
Unit 42 has linked this campaign to Sofacy because of clues in the delivery document. The lure is listed as last modified by a user named 'Nick Daemoji', which has been the case in previous Sofacy/Fancy Bear campaigns.
The distribution tactics are also similar to other campaigns by Sofacy, which have previously lured victims through documents relating to security and defence conferences.