A new spear phishing campaign is being conducted by APT28 (also tracked as Sofacy Group, Fancy Bear and Sednit) against government organizations in the United States, Europe, and a former USSR state, using a previously unknown Trojan dubbed Cannon. The campaign was detected by Palo Alto Networks' Unit 42 team and was first identified in late October 2018.
The campaign is conducted via spear phishing emails carrying weaponized Word documents that deliver two malware variants. The first, the Zebrocy Trojan, has been used by APT28 in previous campaigns and was first identified in 2015. Zebrocy's main purpose is to provide access to a device and establish a connection with a C2 server: it serves as a downloader and backdoor and is used to deliver further malicious payloads to systems of interest to the group.
Unit 42 researchers also identified a second, previously unseen Trojan, which they dubbed Cannon. While Zebrocy uses HTTP/HTTPS for its C2 communications, Cannon uses email, a choice believed to be intended to reduce the probability of detection.
Cannon gathers system information and captures screenshots, which are sent back to APT28 via email. If the target is of interest, Cannon can then download additional malicious code.
One of the email campaigns uses the Lion Air plane crash of October 2018 as the lure to get users to open the malicious Word document. The document is named Crash List (Lion Air Boeing 737).docx. The document itself carries no macro: when it is opened, Word attempts to download a remote template that contains the malicious macro, so static scanning of the attachment for embedded VBA finds nothing.
Upon opening the document, the user is presented with a message claiming the document was created using an earlier version of Word and that they must click Enable Content to display its contents. The macro is only loaded if the remote template can be fetched from its C2 server; if no connection is available, the macro never reaches the machine and nothing runs. One consequence is that a sandbox without connectivity to that server sees only a benign document.
Provided there is a C2 connection, the macro is loaded. At this stage most malicious documents download the payload immediately; this campaign instead uses the AutoClose function to delay full execution of the malicious code. Only when the user closes the document does the macro complete and the payload get downloaded, which again defeats analysis environments that open the document but never close it.
The Cannon Trojan initially sends a message over SMTPS to one email account hosted by the Czech email service provider Seznam, then communicates with two further attacker-controlled email accounts over POP3S, through which it receives its commands. Because both SMTPS and POP3S are encrypted, the message content cannot be inspected in transit, which makes the C2 channel difficult to detect and block. The connections themselves remain visible at the network boundary, however: a workstation opening SMTPS and POP3S sessions to an external webmail provider rather than to the organization's own mail servers is the observable signal.
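A hunt for that signal, as an added example that is not part of the original article: the code below parses constructed, Zeek-style connection records (timestamp, source, destination, port, protocol) and reports internal hosts that used SMTPS (465) or POP3S (995) against anything other than a hypothetical allow-list of the organization's own mail servers, then singles out hosts that used both services to several external destinations, the shape described for Cannon. The addresses are from the TEST-NET-3 documentation range and stand for no real provider.

```python
"""Hunt for hosts talking SMTPS/POP3S to mail servers that are not the
organization's own.  Constructed, Zeek-style conn records; not real telemetry."""
from collections import defaultdict

MAIL_PORTS = {465: "smtps", 995: "pop3s"}
# Hypothetical: the organization's sanctioned mail infrastructure.
SANCTIONED_MAIL_HOSTS = {"10.10.0.25"}

# Constructed records: ts src dst dport proto.  One host uses only the
# corporate relay; another talks SMTPS to one and POP3S to two external servers.
CONSTRUCTED_CONN_LOG = """\
1542700001.1 10.20.3.14 10.10.0.25 465 tcp
1542700002.5 10.20.3.14 10.10.0.25 995 tcp
1542700010.3 10.20.7.42 203.0.113.53 465 tcp
1542700015.9 10.20.7.42 203.0.113.54 995 tcp
1542700016.0 10.20.7.42 203.0.113.55 995 tcp
1542700020.2 10.20.3.14 203.0.113.80 443 tcp
"""


def parse_conn(log_text):
    """Parse whitespace-separated records, skipping blanks and '#' comment lines."""
    records = []
    for line in log_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, dport, proto = line.split()
        records.append((float(ts), src, dst, int(dport), proto))
    return records


def find_unsanctioned_mail_clients(log_text, sanctioned=SANCTIONED_MAIL_HOSTS):
    """Map each source host to the sorted (service, destination) pairs it used
    on a mail port against a server outside the sanctioned set."""
    findings = defaultdict(set)
    for _, src, dst, dport, _ in parse_conn(log_text):
        if dport in MAIL_PORTS and dst not in sanctioned:
            findings[src].add((MAIL_PORTS[dport], dst))
    return {host: sorted(pairs) for host, pairs in findings.items()}


def hosts_matching_send_then_poll(findings):
    """Hosts that both sent (SMTPS) and polled (POP3S) external mailboxes,
    with at least two distinct external destinations overall."""
    matches = []
    for host, pairs in findings.items():
        services = {svc for svc, _ in pairs}
        destinations = {dst for _, dst in pairs}
        if {"smtps", "pop3s"} <= services and len(destinations) >= 2:
            matches.append(host)
    return sorted(matches)


if __name__ == "__main__":
    found = find_unsanctioned_mail_clients(CONSTRUCTED_CONN_LOG)
    for host, pairs in found.items():
        print(host, pairs)
    print("send-then-poll pattern:", hosts_matching_send_then_poll(found))
```

In a real deployment the allow-list would hold the organization's mail relays and the approved webmail providers' address space; everything else on these ports from an endpoint is worth a look even though the payload inside the TLS session cannot be read.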