SafeUM
Axarhöfði 14, 110 Reykjavik, Iceland

Iceland - 2015
19 Mar 2018

Hackers are using a Flash flaw in fake document in this new spying campaign

A hacking group is using updated cyber-attacks as part of a campaign targeting a European government, in what's thought to be a continued attempt to conduct espionage and surveillance.

The latest campaign by the Fancy Bear group -- also known as Sofacy and APT28, and believed to be linked to the Kremlin -- has been uncovered by researchers at security company Palo Alto Networks.

The researchers observed the campaign taking place on March 12, and then again on March 14. In these attacks, the Sofacy group employs an updated version of DealersChoice, a platform that exploits a Flash vulnerability to stealthily deliver a malicious payload of trojan malware. The updated incarnation of DealersChoice contains a new evasion technique which researchers say hasn't been observed before: the Flash object only loads when a specific page of the malicious document used to deliver the attack is viewed.

Attacks against the European government organisation -- researchers haven't specified which country the target is in -- start with spear-phishing emails with the subject of 'Defence & Security 2018 Conference Agenda'. The emails contain a Word document, titled 'Defence & Security 2018 Conference Agenda.docx'.

Researchers note that the attackers have copied an agenda directly from a real conference taking place in the UK next week. It's likely to have been selected to appeal to specially chosen individuals within the target government.

If the user opens the Microsoft Word attachment, the Flash object -- which contains an action script that attempts to install the malicious payload -- will only run if someone scrolls down to the third page of the document.

While this might seem to be a risky approach for the attackers -- even if the user opens the document, they may not scroll through -- researchers say it demonstrates how the attackers specially tailor the lures to be interesting for specific targets.

"This suggests that the Sofacy group is confident that the targeted individuals would be interested enough in the content to peruse through it," said Robert Falcone, threat intelligence analyst at Unit 42.

Researchers say the reason the malicious Flash object doesn't run until the user reaches the third page is that the DealersChoice loader SWF isn't activated until it appears onscreen -- a tactic that helps the malicious payload avoid detection. It exists in the form of a tiny Flash object which Word displays as a small black dot -- something users may not give much thought to.

Once activated, this Flash object needs to contact an active C2 server to download an additional Flash object containing further exploit code. Following that, the object contacts the same C2 server for additional code.
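From a defender's side, the useful observation in the two paragraphs above is that a lure like this must carry specific artefacts inside the .docx package: an ActiveX control reference in the document body, an ActiveX part naming the Shockwave Flash class identifier, and a binary part holding the SWF loader. The following scanner is an added example, not code from the article or from Palo Alto Networks' research; it inspects a .docx as the OOXML zip it is and flags those artefacts. The Flash CLSID and the FWS/CWS/ZWS signatures are well-known values; the sample documents it scans are constructed in-memory and do not reproduce the real lure.

```python
"""Scan a .docx (OOXML zip) for embedded Flash/SWF content.

Added example, not part of the original article or of the underlying
research. The sample documents built by build_sample_docx() are
constructed for demonstration only.
"""
import io
import re
import zipfile

# Shockwave Flash ActiveX class identifier (well-known, documented value).
FLASH_CLSID = b"D27CDB6E-AE6D-11CF-96B8-444553540000"
CLSID_RE = re.compile(re.escape(FLASH_CLSID), re.IGNORECASE)
# SWF signatures: FWS = uncompressed, CWS = zlib-compressed, ZWS = LZMA-compressed.
SWF_MAGIC = (b"FWS", b"CWS", b"ZWS")
# Package locations where Word stores binary control/OLE payloads.
BINARY_PREFIXES = ("word/activeX/", "word/embeddings/")


def scan_docx(data: bytes) -> list:
    """Return [{"part": name, "reasons": [...]}, ...] for suspicious zip members."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            content = zf.read(name)
            reasons = []
            # A raw SWF starts with its signature; inside an ActiveX persistence
            # stream it may sit at an offset, so binary parts are searched fully.
            if content[:3] in SWF_MAGIC or (
                name.startswith(BINARY_PREFIXES) and any(m in content for m in SWF_MAGIC)
            ):
                reasons.append("swf-signature")
            if CLSID_RE.search(content):
                reasons.append("flash-clsid")
            # <w:control> is how WordprocessingML anchors an ActiveX control in the body.
            if name == "word/document.xml" and b"<w:control" in content:
                reasons.append("activex-control-in-body")
            if reasons:
                findings.append({"part": name, "reasons": reasons})
    return findings


def has_embedded_flash(data: bytes) -> bool:
    """True when the package both references the Flash CLSID and carries an SWF payload."""
    reasons = {r for f in scan_docx(data) for r in f["reasons"]}
    return "flash-clsid" in reasons and "swf-signature" in reasons


def build_sample_docx(with_flash: bool) -> bytes:
    """Constructed minimal .docx for demonstration; not a real lure document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(
            "[Content_Types].xml",
            "<Types xmlns='http://schemas.openxmlformats.org/package/2006/content-types'/>",
        )
        body = "<w:p><w:r><w:t>Conference agenda</w:t></w:r></w:p>"
        if with_flash:
            body += (
                "<w:p><w:r><w:object>"
                "<w:control r:id='rId5' w:name='ShockwaveFlash1' w:shapeid='_x0000_i1025'/>"
                "</w:object></w:r></w:p>"
            )
        zf.writestr(
            "word/document.xml",
            "<w:document xmlns:w='http://schemas.openxmlformats.org/wordprocessingml/2006/main'>"
            f"<w:body>{body}</w:body></w:document>",
        )
        if with_flash:
            zf.writestr(
                "word/activeX/activeX1.xml",
                "<ax:ocx xmlns:ax='http://schemas.microsoft.com/office/2006/activeX' "
                "ax:classid='{D27CDB6E-AE6D-11CF-96B8-444553540000}' "
                "ax:persistence='persistStreamInit'/>",
            )
            # Constructed placeholder payload: SWF signature followed by filler bytes.
            zf.writestr("word/activeX/activeX1.bin", b"CWS\x0a" + b"\x00" * 60)
    return buf.getvalue()


if __name__ == "__main__":
    for label, flag in (("clean", False), ("with-flash", True)):
        print(label, has_embedded_flash(build_sample_docx(flag)), scan_docx(build_sample_docx(flag)))
```

In mail-gateway or sandbox triage the same check runs on the attachment bytes before the document ever reaches Word, which sidesteps the page-three trick entirely: the loader's on-screen activation only matters to a dynamic sandbox that renders the document, whereas the package contents are static.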

If previous Russian hacking campaigns are anything to go by, the ultimate goal of the attack is to stealthily compromise the system and allow attackers to conduct surveillance and espionage.

The attack relies on the victim running a vulnerable version of Flash, which serves as a reminder to organisations that they should ensure systems are patched as soon as possible to avoid compromise. In this instance, a patch to close the Flash security holes has been available for months.

Unit 42 has linked this campaign to Sofacy because of clues in the delivery document. The lure is listed as last modified by a user named 'Nick Daemoji', which has been the case in previous Sofacy/Fancy Bear campaigns.

The distribution tactics are also similar to other campaigns by Sofacy, which have previously lured victims through documents relating to security and defence conferences.

Tags:
hackers surveillance
Source:
ZDNet