U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|
Advertisement

Ad Placeholder

Full Width × 90

APT

Russia-linked APT Sofacy leverages BREXIT lures in recent attacks

Russia-linked cyber-espionage group Sofacy, (aka APT28, Pawn Storm, Fancy Bear, Sednit, Tsar Team, and Strontium) use BREXIT lures in recent attacks. The APT group used Brexit-themed bait documents on the same day the UK Prime Minister Theresa May announced the initial BREXIT draft agreement with the European Union (EU). “As the United Kingdom (UK) Prime Minister Theresa May announced the initial BREXIT draft agreement […]

Sofacy Brexit

Russia-linked cyber-espionage group Sofacy, (aka APT28Pawn StormFancy BearSednitTsar Team, and Strontium) use BREXIT lures in recent attacks.

Sofacy Brexit

The APT group used Brexit-themed bait documents on the same day the UK Prime Minister Theresa May announced the initial BREXIT draft agreement with the European Union (EU).

“As the United Kingdom (UK) Prime Minister Theresa May announced the initial BREXIT draft agreement with the European Union (EU), iDefense analysts identified a new campaign by SNAKEMACKEREL using a BREXIT-themed lure document to deliver the Zekapab (also known as Zebrocy) first-stage malware” reads a report published by Accenture.

The Sofacy APT group has been active since at least 2007 and it has targeted governments, militaries, and security organizations worldwide. The group was involved also in the string of attacks that targeted 2016 Presidential election.

In September 2018, security experts from ESET spotted the first UEFI rootkit of ever, the code tracked as LoJax was used in attacks in the wild.

In November 2018, malware researchers at the Cybaze ZLab- Yoroi team discovered a new variant of the dangerous APT28 Lojax rootkit.

According to Accenture’s iDefense experts, on November 15 Sofacy attackers were using weaponized documents to deliver the Zebrocy backdoor.

Threat actors used the BREXIT-themed lure documents to load malicious content from an external source using the settings.xml.rels component embedded within the DOCX file.

The macro component downloaded from the external source includes a function called AutoClose(), as well as two payloads embedded via Base64, encoded strings.

Analyzing an IP address (109.248.148.42) involved in the attack, the experts discovered two different .dotm components, attachedTemplate.dotm and templates.dotm.

Both components contain the same VBA macro code, each containing two different embedded payloads: one is an executable binary file and the other is a .docm file.

“Analysis into the two binaries shows that they are in fact a Delphi (initially UPX
packed) and .NET version of the Zekapab first-stage malware.” continues the report.

The malware collects system information and a list of running processes and sends the data to the command and control (C&C) server that in turn deliver the next stage malware is the system is deemed interesting.

Further information on the attack, including mitigation, are reported in the analysis published by Accenture

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – Sofacy, Brexit)

[adrotate banner=”5″]

[adrotate banner=”13″]