Alleged Russian hackers behind the EFF Spear phishing Scam

The experts at EFF organization speculate that Russian State-sponsored hackers belonging the APT 28 group have managed the last EFF Spear phishing Scam.

Attackers, alleged to belong to a Russian state-sponsored APT registered a bogus Electronic Frontier Foundation domain earlier this month. The hackers used the name brand of popular privacy watchdog in an attempt to trick targets into thinking that email sent by the domain was coming from the trusted organization.
According to the security experts who are investigating the case, the spear phishing campaign is part the Pawn Storm Operation. Security experts from several security firms speculate that the Russian APT 28 manages the long-running espionage campaign.
The Pawn Storm group, also called APT 28, has been active for several years, according to the experts at FireEye who are following it the attacks are carried during business hours, on Moscow time, and targets organizations managing information related to governments, militaries and security organizations. The experts sustain that the information exfiltrated by the hackers are of great interest for the Russian Intelligence.
According to a blog post published by the EFF the fake domain, the threat actors registered the bogus domain electronicfrontierfoundation.org a few weeks ago and used it in targeted attacks leveraging on a recently patched Java zero-day exploit.

Despite Oracle has already patched the vulnerability exploited in the attack the hacking crew is still exploiting it.
The phishing emails include links to the fake EFF website, once clicked on the visitor is redirected to page on the same domain containing a Java applet that could exploit the flaw in the unpatched version of the Java software.
“The attack is relatively sophisticated—it uses a recently discovered Java exploit, the first known Java zero-day in two years. The attacker sends the target a spear phishing email containing a link to a unique URL on the malicious domain (in this case electronicfrontierfoundation.org). When visited, the URL will redirect the user to another unique URL in the form of htt://electronicfrontierfoundation.org/url/{6_random_digits}/Go.class containing a Java applet which exploits a vulnerable version of Java. Once the URL is used and the Java payload is received, the URL is disabled and will no longer deliver malware (presumably to make life harder for malware analysts).

The attacker, now able to run any code on the user’s machine due to the Java exploit, downloads a second payload, which is a binary program to be executed on the target’s computer.” States the blog post published by the EFF.

The experts at the EFF sustain that there are a number of similarities between this campaign and other operation managed by the Russian APT 28 group, for example the path and filename used in the exploit are the same as those used in the attacks of the Pawn Storm. The attackers used the Sednit malware to infect victims and install a backdoor in order to maintain persistence in the compromised machine.

The APT 28 also carried out attacks on NATO forces and White House staff in the past months.
In order to secure the systems, the EFF is urging users to update Java to the latest release in order to fix the vulnerabilities exploited in the attack. The EFF has also reported for abuse the phony domain used in the spear phishing attacks in order to take it offline.

Pierluigi Paganini

(Security Affairs – EFF, APT 28)