Fancy Bear hacker crew Putin dirty RATs in Word documents emailed to govt orgs – report

Disguised as files about recent Lion Air crash, no less

Russian state-backed hacking crew Fancy Bear (aka APT28) is distributing malware-riddled files with a suggested link to the recent Lion Air crash in order to dupe government workers into downloading software nasties – and has developed a new remote-access trojan called Cannon, according to Palo Alto Networks.

Researchers from the firm spotted a Word file being targeted at "several government entities around the globe" called crash list(Lion Air Boeing 737).docx. The filename refers to the recent fatal crash in October of a nearly-new Boeing 737 Max 8, Lion Air flight 610, which killed all 181 aboard.

"This document appeared to be targeting a government organization dealing with foreign affairs in Europe via spear-phishing. Once the user attempts to open the document, Microsoft Word immediately attempts to load [a] remote template containing a malicious macro and payload," said Palo Alto in a report about the dodgy doc, which it pointed out did not "contain any pertinent content to the Lion Air tragedy theme seen in the filename".

Those governmental orgs included ones located in "North America, Europe and a former USSR state".

The remote template is downloaded from a command 'n' control server run by the attackers. If that server is offline, the document fails to download anything and so appears mostly innocuous. Palo Alto found that even once the user downloaded and executed the macro, nothing happened until the user closed Word, thanks to the malware author's use of Word's AutoClose macro function.

"The macro executes this payload in a rather interesting way by loading the dropped ~temp.docm document and calling a function within its embedded macro to run the payload," added Palo Alto. "We believe the creator of this delivery document chose to run the payload from the dropped file as an evasion technique."

Having downloaded a variant of the Zebrocy trojan as its payload, the malware then maps whatever storage devices the host machine has connected, screenshots its system info and beams all that back to the C2 server.

Yup, it's the Russians again

The Cannon trojan, identified by Palo Alto in a variation of the first payload file, carries out much the same functions as Zebrocy, though it relies on talking to email servers hosted in the Czech Republic for its command and control functions.

Summing up, Palo Alto said: "The Sofacy [APT28] threat group continues to target government organizations in the EU, US, and former Soviet states to deliver the Zebrocy tool as a payload. In these attacks, the delivery documents used to install Zebrocy used remote templates, which increases the difficulty to analyse the attack as an active C2 server is needed to obtain the macro-enabled document."

APT28, referred to by Palo Alto in its report as Sofacy, is a Russian state-backed hacker crew that is increasingly well known by Western cybersecurity firms and state organisations. The group is active and prolific, cranking out new strains of malware that keep the infosec sector on its toes. ®
