Wednesday, June 19, 2024

Fancy Bear Hackers Back to Form & Launched Cyber Attack Again on various Government’s Computer Networks

A new cyber attack launched against various Government’s Computer Networks by Sofacy hacking group which including a gang of cyber criminals (AKA APT28, Fancy Bear, STRONTIUM, Sednit, Tsar Team, Pawn Storm).

These group of hackers is one of the leading organized cybercrime group in the world and they are performing various attacks against the organization, government sectors as well as individuals.

Researchers identified initial attack targeting on two foreign affairs government institutions and it mainly belongs to Europe and the other in North America.

The sofacy hacking group using various pattern of attacks such as reuse of WHOIS artifacts, IP reuse, or even domain name themes also they registering new domains then placing a default landing page.

How Does this Cyber Attack has been Performed – Fancy Bear

This Attack initially distributed via phishing attack by sending specifically crafted email using the subject line of Upcoming Defense events February 2018 and the sender address claims that they associated with the defense and government sector.

Later deep header analysis revealed that concern received email has been spoofed and it did not come from the original source.

Also, Email contains malicious macro script enabled Excel XLS document but even it was a standard macro document, users need to enable the macro to view the hidden texts.

In this case, the white font color is applied to the text, so must enable the macro to view the original content.

Once the Macro will be enabled, content is presented via the following code:

ActiveSheet.Range(“a1:c54”).Font.Color = vbBlack

The code above changes the font color to black within the specified cell range and presents the content to the user.

Initially, it seems to be a legitimate content closer examination of the document later revealed several abnormal artifacts.

According to Paloaltonetworks malicious document, macro gets the contents of cells in column 170 in rows 2227 to 2248 to obtain the base64 encoded payload.

The macro sleeps for two seconds and then executes the newly dropped executable and the dropper executable is ultimately responsible for execution and running the payload.

The Trojan will use the same hashing algorithm for API resolution to find browser processes running on the system with the intention of injecting code into the browser to communicate with its C2 server.

In this case, Sofacy may have used an open-source tool called Luckystrike to generate the delivery document and/or the macro used in this attack.

Luckystrike is a Microsoft PowerShell-based tool that generates malicious delivery documents by allowing a user to add a macro to an Excel or Word document

The Sofacy group should no longer be an unfamiliar threat at this stage. They have been well documented and well researched with much of their attack methodologies exposed. They continue to be persistent in their attack campaigns and continue to use similar tooling as in the past. paloaltonetworks said.


Latest articles

Amtrak Data Breach: Hackers Accessed User’s Email Address

Amtrak notified its customers regarding a significant security breach involving its Amtrak Guest Rewards...

Chrome Security Update – Patch for 6 Vulnerabilities

Google has announced a new update for the Chrome browser, rolling out version 126.0.6478.114/115...

Hackers Weaponize Windows Installer (MSI) Files to Deliver Malware

Cybersecurity researchers have uncovered a sophisticated malware campaign orchestrated by a threat actor group,...

Hackers Using VPNs To Exploit Restrictions & Steal Mobile Data

Hackers are offering "free" mobile data access on Telegram channels by exploiting loopholes in...

New PhaaS Platform Lets Attackers Bypass Two-Factor Authentication

Several phishing campaign kits have been used widely by threat actors in the past....

Stuxnet, The Malware That Propagates To Air-Gapped Networks

Stuxnet, a complex worm discovered in 2010, targeted Supervisory Control and Data Acquisition (SCADA)...

Threat Actors Claiming Breach of AMD Source Code on Hacking Forums

A threat actor named " IntelBroker " claims to have breached AMD in June...
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Free Webinar

API Vulnerability Scanning

71% of the internet traffic comes from APIs so APIs have become soft targets for hackers.Securing APIs is a simple workflow provided you find API specific vulnerabilities and protect them.In the upcoming webinar, join Vivek Gopalan, VP of Products at Indusface as he takes you through the fundamentals of API vulnerability scanning..
Key takeaways include:

  • Scan API endpoints for OWASP API Top 10 vulnerabilities
  • Perform API penetration testing for business logic vulnerabilities
  • Prioritize the most critical vulnerabilities with AcuRisQ
  • Workflow automation for this entire process

Related Articles