Fancy Bear exploits Brexit to target government groups with Zebrocy Trojan
Researchers tracking the Fancy Bear threat group have revealed the persistent targeting of NATO-aligned nation-states through a new campaign.
According to researchers from Palo Alto Networks, the latest wave of attacks, labeled the “Dear Joohn” movement, is also moving against former USSR nation states.
In a blog post this week, the team said that Fancy Bear — also known as Sofacy, APT28, STRONTIUM, Pawn Storm, and Sednit — is striking groups with political ties, as well as private organizations.
The APT has been active since at least 2014 and has been linked to cyberattacks against the US Democratic National Committee (DNC), the World Anti-Doping Agency (WADA), the Ukrainian military, and many others. It is generally believed the threat actors are sponsored by the Russian government.
Fancy Bear has also recently been connected to Earworm, a separate Russian hacking group, due to the potential sharing of tools and infrastructure.
The campaign has been given a fresh edge of late with the increased deployment of weaponized documents under the name “Joohn” which execute the Zebrocy and Cannon tools.
Over October and November this year, targets located across four continents have become the recipients of Joohn documents.
Nine samples were collected by Palo Alto from would-be victim organizations, including foreign affairs offices and government entities. In each case, the preliminary attack vector was spear phishing, with file names crafted to reference current political issues such as Brexit, the Lion Air crash, and rocket attacks in Israel.
Recipients of these messages, sent from email addresses which looked similar to legitimate government entities, would be asked to download malicious Microsoft Word files.
These documents would then retrieve a malicious macro and request permission from the user to enable macros in order to infect the victim’s system.
“The majority of delivery documents contain a generic lure image requesting the victim enable macros with no additional content, the adversaries seemingly relying solely on lure filenames to entice victims to launch the malicious document,” the researchers said.
Some of these lure images would include NATO EOD seals. One example obtained by the firm contained instructions in Russian, which the team says “may indicate the intended target was a Russian-speaking nation-state.”
If Fancy Bear’s command-and-control (C2) servers are active when the document is opened, the macro is loaded via a remote template. If they are not, the enable-macros prompt never appears.
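The remote-template mechanism described above leaves a trace inside the document itself: a .docx is a zip archive, and an attached template is declared as a relationship in word/_rels/settings.xml.rels. The following is an added Python example, not code from the report or from Palo Alto, that unzips a document and reports any attached template with an external http(s) target; the minimal sample document, the 192.0.2.10 address and the example.dotm name are constructed for the demonstration.

```python
"""Flag Word documents that would fetch their template (and macros) remotely."""
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import List, Optional

RELS_PATH = "word/_rels/settings.xml.rels"
TEMPLATE_TYPE_SUFFIX = "/attachedTemplate"
# Namespace used by every OOXML .rels part.
NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"


def remote_templates(docx_bytes: bytes) -> List[str]:
    """Return the http(s) targets of attached templates declared in the document."""
    hits: List[str] = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        if RELS_PATH not in zf.namelist():
            return hits  # no settings relationships, so no attached template
        root = ET.fromstring(zf.read(RELS_PATH))
    for rel in root.iter(f"{NS}Relationship"):
        if not rel.get("Type", "").endswith(TEMPLATE_TYPE_SUFFIX):
            continue
        target = rel.get("Target", "")
        # A local template (file:///...) is also External; only network targets matter here.
        if rel.get("TargetMode") == "External" and target.lower().startswith(("http://", "https://")):
            hits.append(target)
    return hits


def build_sample_docx(template_target: Optional[str]) -> bytes:
    """Constructed minimal .docx (not a real lure) with an optional attached template."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        if template_target is not None:
            zf.writestr(RELS_PATH, (
                '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
                '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument'
                f'/2006/relationships/attachedTemplate" Target="{template_target}" TargetMode="External"/>'
                '</Relationships>'))
    return buf.getvalue()


if __name__ == "__main__":
    for target in (None, "file:///C:/Templates/Normal.dotm", "http://192.0.2.10/example.dotm"):
        print(target, "->", remote_templates(build_sample_docx(target)))
```

Only the network-backed template is reported; a document with no settings relationships or a locally attached template produces an empty list.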
The Joohn author name was used in the majority of the documents obtained, as well as in the remote templates. It also appears that the IP-based C2s used in the Dear Joohn campaign are separate from other criminal scheme infrastructure used by Fancy Bear.
Once executed, the documents deliver the Cannon and Zebrocy Trojans. A number of Zebrocy variants are used by the attackers and are written in languages including Delphi, C#, and VB.NET.
Researchers had previously only known about the Delphi variant.
The Trojan gathers system data, sends it to the C2 server via HTTP POST requests, and in return receives and executes payloads such as the open-source penetration testing kit Koadic.
The first known sample of Cannon was collected in April this year. The C# tool is believed to come in at least seven different flavors and functions as a downloader by sending emails to the C2 server to obtain additional payloads.
However, Cannon is also equipped with the means to gather system information, take desktop screenshots, and maintain persistence through a variety of mechanisms.
“We believe we have also found a Cannon variant written in Delphi,” Palo Alto says. “We have seen Sofacy using multiple languages to create variants of the Zebrocy Trojan, so it seems fitting that the group would create additional variants of Cannon in multiple programming languages as well.”
“The group clearly shows a preference for using a simple downloader like Zebrocy as first-stage payloads in these attacks,” the researchers added. “The group continues to develop new variations of Zebrocy by adding a VB.NET and C# version, and it appears that they also have used different variants of the Cannon tool in past attack campaigns.”
Back in September, ESET researchers revealed a separate Fancy Bear campaign which utilizes LoJack in what may have been the first documented case of a UEFI rootkit in the wild.
The team said the rootkit was found bundled with the legitimate LoJack system recovery toolset; the rootkit is able to patch a victim’s system in order to install malware at the firmware level.