Russia-linked APT Sofacy leverages BREXIT lures in recent attacks

Russia-linked cyber-espionage group Sofacy, (aka APT28, Pawn Storm, Fancy Bear, Sednit, Tsar Team, and Strontium) use BREXIT lures in recent attacks.

The APT group used Brexit-themed bait documents on the same day the UK Prime Minister Theresa May announced the initial BREXIT draft agreement with the European Union (EU).

“As the United Kingdom (UK) Prime Minister Theresa May announced the initial BREXIT draft agreement with the European Union (EU), iDefense analysts identified a new campaign by SNAKEMACKEREL using a BREXIT-themed lure document to deliver the Zekapab (also known as Zebrocy) first-stage malware” reads a report published by Accenture.

The Sofacy APT group has been active since at least 2007 and it has targeted governments, militaries, and security organizations worldwide. The group was involved also in the string of attacks that targeted 2016 Presidential election.

In September 2018, security experts from ESET spotted the first UEFI rootkit of ever, the code tracked as LoJax was used in attacks in the wild.

In November 2018, malware researchers at the Cybaze ZLab- Yoroi team discovered a new variant of the dangerous APT28 Lojax rootkit.

According to Accenture’s iDefense experts, on November 15 Sofacy attackers were using weaponized documents to deliver the Zebrocy backdoor.

Threat actors used the BREXIT-themed lure documents to load malicious content from an external source using the settings.xml.rels component embedded within the DOCX file.

The macro component downloaded from the external source includes a function called AutoClose(), as well as two payloads embedded via Base64, encoded strings.

Analyzing an IP address (109.248.148.42) involved in the attack, the experts discovered two different .dotm components, attachedTemplate.dotm and templates.dotm.

Both components contain the same VBA macro code, each containing two different embedded payloads: one is an executable binary file and the other is a .docm file.

“Analysis into the two binaries shows that they are in fact a Delphi (initially UPX
packed) and .NET version of the Zekapab first-stage malware.” continues the report.

The malware collects system information and a list of running processes and sends the data to the command and control (C&C) server that in turn deliver the next stage malware is the system is deemed interesting.

Further information on the attack, including mitigation, are reported in the analysis published by Accenture

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(Securi ty Affairs – Sofacy, Brexit)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.