Fancy Bear Hackers Back to Form & Launched Cyber Attack Again on various Government’s Computer Networks

A new cyber attack launched against various Government’s Computer Networks by Sofacy hacking group which including a gang of cyber criminals (AKA APT28, Fancy Bear, STRONTIUM, Sednit, Tsar Team, Pawn Storm).

These group of hackers is one of the leading organized cybercrime group in the world and they are performing various attacks against the organization, government sectors as well as individuals.

Researchers identified initial attack targeting on two foreign affairs government institutions and it mainly belongs to Europe and the other in North America.

The sofacy hacking group using various pattern of attacks such as reuse of WHOIS artifacts, IP reuse, or even domain name themes also they registering new domains then placing a default landing page.

How Does this Cyber Attack has been Performed – Fancy Bear

This Attack initially distributed via phishing attack by sending specifically crafted email using the subject line of Upcoming Defense events February 2018 and the sender address claims that they associated with the defense and government sector.

Later deep header analysis revealed that concern received email has been spoofed and it did not come from the original source.

Also, Email contains malicious macro script enabled Excel XLS document but even it was a standard macro document, users need to enable the macro to view the hidden texts.

In this case, the white font color is applied to the text, so must enable the macro to view the original content.

Once the Macro will be enabled, content is presented via the following code:

ActiveSheet.Range(“a1:c54”).Font.Color = vbBlack

The code above changes the font color to black within the specified cell range and presents the content to the user.

Initially, it seems to be a legitimate content closer examination of the document later revealed several abnormal artifacts.

According to Paloaltonetworks malicious document, macro gets the contents of cells in column 170 in rows 2227 to 2248 to obtain the base64 encoded payload.

The macro sleeps for two seconds and then executes the newly dropped executable and the dropper executable is ultimately responsible for execution and running the payload.

The Trojan will use the same hashing algorithm for API resolution to find browser processes running on the system with the intention of injecting code into the browser to communicate with its C2 server.

In this case, Sofacy may have used an open-source tool called Luckystrike to generate the delivery document and/or the macro used in this attack.

Luckystrike is a Microsoft PowerShell-based tool that generates malicious delivery documents by allowing a user to add a macro to an Excel or Word document

The Sofacy group should no longer be an unfamiliar threat at this stage. They have been well documented and well researched with much of their attack methodologies exposed. They continue to be persistent in their attack campaigns and continue to use similar tooling as in the past. paloaltonetworks said.