- Sofacy APT group spotted using a new malware named Cannon in their latest campaign.
- The campaign was discovered targeting government organizations in North America, Europe and in a former Soviet state through spear phishing attacks.
- Researchers from Palo Alto Networks spotted the new campaign in late October and early November.
- The campaign was observed using malicious Word documents that load remote templates containing malicious macro code.
APT group Sofacy was discovered delivering a new malware named Cannon targeting government organizations in North America, Europe and in a former Soviet state.
The new campaign was discovered by researchers at Palo Alto Networks, who said the new malware was delivered through spear phishing attacks.
The campaign was spotted in late October and early November using a Word document that loads a remote template containing malicious macro code.
The attackers use a new delivery technique that avoids sandbox detection: the macro uses the AutoClose function, so the malicious code does not fully execute until the user closes the document.
“If an automated sandbox exits its analysis session without specifically closing out the document, the sandbox may miss the malicious activity entirely. Once successfully executed, the macro will install a payload and save a document to the system,” the Palo Alto Networks researchers said in their published analysis.
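The two document traits described above (an external remote-template reference and an AutoClose macro) can be triaged statically before a file is ever opened. The following is an added example, not code from the article or from Palo Alto Networks; the sample documents it builds are constructed in memory, and the macro check is a raw ASCII heuristic (real VBA streams are MS-OVBA compressed, so a tool such as olevba is needed for a reliable verdict).

```python
import io
import xml.etree.ElementTree as ET
import zipfile

# OOXML relationship namespace and the attachedTemplate relationship type;
# an external attachedTemplate in word/_rels/settings.xml.rels is how a
# .docx pulls a remote template at open time.
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")


def scan_docx(data: bytes) -> dict:
    """Flag external template references and an AutoClose macro in a .docx."""
    result = {"remote_templates": [], "has_macro": False, "autoclose_macro": False}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
        if "word/_rels/settings.xml.rels" in names:
            root = ET.fromstring(z.read("word/_rels/settings.xml.rels"))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if (rel.get("Type") == ATTACHED_TEMPLATE
                        and rel.get("TargetMode") == "External"):
                    result["remote_templates"].append(rel.get("Target"))
        if "word/vbaProject.bin" in names:
            result["has_macro"] = True
            # Heuristic only: the procedure name may be inside compressed
            # VBA source, so absence of the string is not a clean bill.
            result["autoclose_macro"] = b"AutoClose" in z.read("word/vbaProject.bin")
    return result


def build_sample_docx(template_url: str = None, macro_src: str = None) -> bytes:
    """Constructed minimal .docx-like archive for demonstration (not a real Word file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<document/>")
        if template_url:
            z.writestr("word/_rels/settings.xml.rels",
                       f'<Relationships xmlns="{REL_NS}"><Relationship Id="rId1" '
                       f'Type="{ATTACHED_TEMPLATE}" Target="{template_url}" '
                       f'TargetMode="External"/></Relationships>')
        if macro_src:
            z.writestr("word/vbaProject.bin", macro_src)  # constructed, uncompressed
    return buf.getvalue()


if __name__ == "__main__":
    lure = build_sample_docx("http://template.invalid/t.dotm", "Sub AutoClose()\nEnd Sub")
    print(scan_docx(lure))
    print(scan_docx(build_sample_docx()))
```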
According to the researchers, Cannon acts as a downloader and communicates with its command and control (C2) server via email to receive instructions.
The malware can add persistence, create a unique system identifier, collect system details, capture screenshots of the desktop, and log into a POP3 email account to retrieve attachments.
Cannon sends emails via three accounts hosted at the Czech service provider Seznam; the email account ‘sahro.bella7[at]post.cz’ is used as the C2 point.
“The overall purpose of Cannon is to use several email accounts to send system data (system information and screenshot) to the threat actors and to ultimately obtain a payload from an email from the actors”.
The attackers used the Lion Air aeroplane crash as a lure, naming the Word document used in the campaign “crash list (Lion Air Boeing 737).docx”.
For more details, you can visit the analysis published by Palo Alto Networks researchers here.