Saturday, January 25, 2025
HomeHacksFancy Bear Hackers Back to Form & Launched Cyber Attack Again on...

Fancy Bear Hackers Back to Form & Launched Cyber Attack Again on various Government’s Computer Networks

Published on

SIEM as a Service

Follow Us on Google News

A new cyber attack launched against various Government’s Computer Networks by Sofacy hacking group which including a gang of cyber criminals (AKA APT28, Fancy Bear, STRONTIUM, Sednit, Tsar Team, Pawn Storm).

These group of hackers is one of the leading organized cybercrime group in the world and they are performing various attacks against the organization, government sectors as well as individuals.

Researchers identified initial attack targeting on two foreign affairs government institutions and it mainly belongs to Europe and the other in North America.

The sofacy hacking group using various pattern of attacks such as reuse of WHOIS artifacts, IP reuse, or even domain name themes also they registering new domains then placing a default landing page.

How Does this Cyber Attack has been Performed – Fancy Bear

This Attack initially distributed via phishing attack by sending specifically crafted email using the subject line of Upcoming Defense events February 2018 and the sender address claims that they associated with the defense and government sector.

Later deep header analysis revealed that concern received email has been spoofed and it did not come from the original source.

Also, Email contains malicious macro script enabled Excel XLS document but even it was a standard macro document, users need to enable the macro to view the hidden texts.

In this case, the white font color is applied to the text, so must enable the macro to view the original content.

Once the Macro will be enabled, content is presented via the following code:

ActiveSheet.Range(“a1:c54”).Font.Color = vbBlack

The code above changes the font color to black within the specified cell range and presents the content to the user.

Initially, it seems to be a legitimate content closer examination of the document later revealed several abnormal artifacts.

According to Paloaltonetworks malicious document, macro gets the contents of cells in column 170 in rows 2227 to 2248 to obtain the base64 encoded payload.

The macro sleeps for two seconds and then executes the newly dropped executable and the dropper executable is ultimately responsible for execution and running the payload.

The Trojan will use the same hashing algorithm for API resolution to find browser processes running on the system with the intention of injecting code into the browser to communicate with its C2 server.

In this case, Sofacy may have used an open-source tool called Luckystrike to generate the delivery document and/or the macro used in this attack.

Luckystrike is a Microsoft PowerShell-based tool that generates malicious delivery documents by allowing a user to add a macro to an Excel or Word document

The Sofacy group should no longer be an unfamiliar threat at this stage. They have been well documented and well researched with much of their attack methodologies exposed. They continue to be persistent in their attack campaigns and continue to use similar tooling as in the past. paloaltonetworks said.

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Subaru’s STARLINK Connected Car’s Vulnerability Let Attackers Gain Restricted Access

In a groundbreaking discovery on November 20, 2024, cybersecurity researchers Shubham Shah and a...

Android Kiosk Tablets Vulnerability Let Attackers Control AC & Lights

A security flaw found in Android-based kiosk tablets at luxury hotels has exposed a...

CISA Releases Six ICS Advisories Details Security Issues

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued six Industrial Control Systems (ICS)...

Juniper Routers Exploited via Magic Packet Vulnerability to Deploy Custom Backdoor

A sophisticated cyber campaign dubbed "J-magic" has been discovered targeting enterprise-grade Juniper routers with...

API Security Webinar

Free Webinar - DevSecOps Hacks

By embedding security into your CI/CD workflows, you can shift left, streamline your DevSecOps processes, and release secure applications faster—all while saving time and resources.

In this webinar, join Phani Deepak Akella ( VP of Marketing ) and Karthik Krishnamoorthy (CTO), Indusface as they explores best practices for integrating application security into your CI/CD workflows using tools like Jenkins and Jira.

Discussion points

Automate security scans as part of the CI/CD pipeline.
Get real-time, actionable insights into vulnerabilities.
Prioritize and track fixes directly in Jira, enhancing collaboration.
Reduce risks and costs by addressing vulnerabilities pre-production.

More like this

Salt Typhoon Hacked Nine U.S. Telecoms, Tactics and Techniques Revealed

Salt Typhoon, a state-sponsored Advanced Persistent Threat (APT) group linked to the People's Republic...

APT32 Hacker Group Attacking Cybersecurity Professionals Poisoning GitHub

The malicious Southeast Asian APT group known as OceanLotus (APT32) has been implicated in...

Casio Hacked – Servers Compromised by a Ransomware Attack

Casio Computer Co., Ltd. has confirmed a significant cybersecurity breach after its servers were...