Russian Cyberspies Change Tactics in Recent Campaign

Recently observed attacks orchestrated by the Russian threat group Sofacy have revealed a change in tactics and new iterations of previously known tools, according to Palo Alto Networks researchers.

Also tracked as APT28, Fancy Bear, Pawn Storm, Sednit and Strontium, the cyber-espionage group has been associated with numerous attacks worldwide, including those targeting the 2016 presidential election in the United States, assaults on Ukraine and NATO countries, and attacks on targets in Asia.

Earlier this year, security researchers revealed that Sofacy’s campaigns overlap with other state-sponsored operations, and also dissected a new backdoor employed by the group. Dubbed Zebrocy, the new malware consists of a Delphi downloader and an AutoIT stage, ESET reported in April.

Now, Palo Alto reveals that a C++ version of Zebrocy has also been seen in attacks. Furthermore, the security researchers discovered Sofacy attacks that leveraged the Dynamic Data Exchange (DDE) exploit technique to deliver different payloads than before.

The campaign, Palo Alto says, breaks out of the previously observed patterns in that it no longer targets only a handful of employees within a single organization. Instead, the attackers sent phishing emails to “an exponentially larger number of individuals” within the target company.

“The targeted individuals did not follow any significant pattern, and the email addresses were found easily using web search engines. This is a stark contrast with other attacks commonly associated with the Sofacy group,” the security researchers explain.

Not only did the group launch a large number of Zebrocy attacks, but it also started using DDE to deliver payloads such as the Zebrocy backdoor and the open-source penetration testing toolkit Koadic, which the group had not been seen using before. Previously, the group used the DDE technique to distribute Seduploader.

As detailed in a February report, Palo Alto also discovered that the group was hiding infrastructure using random registrant and service provider information for each attack and that they deployed a webpage on each of the domains.

The artifact led to the discovery of an attack campaign using the DealersChoice exploit kit, as well as another domain serving the Zebrocy AutoIT downloader.

Eventually, this led to the discovery of the C++ variant of the Zebrocy downloader tool, as well as to “evidence of a completely different payload in Koadic being delivered as well.” The Delphi backdoor delivered as the final payload in Zebrocy attacks was found hosted at IP address 185.25.50[.]93, the researchers say.

From this command and control (C&C) IP, the researchers discovered another hard-coded user agent being used by Zebrocy. Several samples of the backdoor employing the user agent were observed targeting the foreign affairs ministry of a large Central Asian nation.

One other sample used a different user agent, which the researchers determined was from a secondary payload retrieved by the malware. The researchers eventually discovered over forty additional Zebrocy samples, several of which were targeting the same Central Asian nation.

Two weaponized Office documents leveraging DDE were used to target a North American government organization dealing with foreign affairs, which received the Zebrocy AutoIT downloader, and the previously mentioned large Central Asian nation, which this time received a non-Zebrocy payload, namely Koadic.

“Sofacy is carrying out parallel campaigns to attack similar targets around the world but with different toolsets. The Zebrocy tool associated with this current strain of attacks is constructed in several different forms based on the programming language the developer chose to create the tool. We have observed Delphi, AutoIt, and C++ variants of Zebrocy, all of which are related not only in their functionality, but also at times by chaining the variants together in a single attack,” Palo Alto concludes.

Ionut Arghire is an international correspondent for SecurityWeek.