Russia-linked APT Sofacy leverages BREXIT lures in recent attacks

Russia-linked cyber-espionage group Sofacy, (aka APT28, Pawn Storm, Fancy Bear, Sednit, Tsar Team, and Strontium) use BREXIT lures in recent attacks.

The APT group used Brexit-themed bait documents on the same day the UK Prime Minister Theresa May announced the initial BREXIT draft agreement with the European Union (EU).

“As the United Kingdom (UK) Prime Minister Theresa May announced the initial BREXIT draft agreement with the European Union (EU), iDefense analysts identified a new campaign by SNAKEMACKEREL using a BREXIT-themed lure document to deliver the Zekapab (also known as Zebrocy) first-stage malware” reads a report published by Accenture.

The Sofacy APT group has been active since at least 2007 and it has targeted governments, militaries, and security organizations worldwide. The group was involved also in the string of attacks that targeted 2016 Presidential election.

In September 2018, security experts from ESET spotted the first UEFI rootkit of ever, the code tracked as LoJax was used in attacks in the wild.

In November 2018, malware researchers at the Cybaze ZLab- Yoroi team discovered a new variant of the dangerous APT28 Lojax rootkit.

According to Accenture’s iDefense experts, on November 15 Sofacy attackers were using weaponized documents to deliver the Zebrocy backdoor.

Threat actors used the BREXIT-themed lure documents to load malicious content from an external source using the settings.xml.rels component embedded within the DOCX file.

The macro component downloaded from the external source includes a function called AutoClose(), as well as two payloads embedded via Base64, encoded strings.

Analyzing an IP address (109.248.148.42) involved in the attack, the experts discovered two different .dotm components, attachedTemplate.dotm and templates.dotm.

Both components contain the same VBA macro code, each containing two different embedded payloads: one is an executable binary file and the other is a .docm file.

“Analysis into the two binaries shows that they are in fact a Delphi (initially UPX
packed) and .NET version of the Zekapab first-stage malware.” continues the report.

The malware collects system information and a list of running processes and sends the data to the command and control (C&C) server that in turn deliver the next stage malware is the system is deemed interesting.

Further information on the attack, including mitigation, are reported in the analysis published by Accenture

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – Sofacy, Brexit)

[adrotate banner=”5″]

[adrotate banner=”13″]