The new malware attacks user email inbox.
A Russian government-backed hacking group is distributing a new form of trojan malware as part of a cyber espionage campaign targeting the US and Europe, according to security researchers.
Named Cannon after references in the malicious code, the malware gathers system information and takes screenshots of infected PCs and has been operating since at least late October.
The campaign has been detailed by security analysts at security company Palo Alto Networks’ Unit 42 research unit, who say Cannon is just one form of malware still being actively distributed by Sofacy – their codename for Fancy Bear, a group also known as APT28, a hacking group which is with strong links to the Kremlin.
The group has been linked to a number of campaigns in recent years – including the cyber attacks and disinformation interference around the US Presidential election. It’s also thought to have conducted additional espionage campaigns against a number of nation-states and international organisations.
The new campaign begins with phishing emails which reference the recent Lion Air crash just off the coast of Indonesia. The Microsoft Word document is named Lion Air Boeing 737.docx and claims to have an author named ‘Joohn’. The reason this subject has been chosen for the lure is likely simply that people respond to emails which are related to current events.
If the user opens the attachment, they’re told that the document was created in an earlier version of Microsoft Word and that macros need to be enabled in order to view it. By choosing to enable the macros, the process of installing the malware begins – however, in order to help evade detection, the malicious code isn’t activated until after the Word session is closed.
This campaign has been spotted delivering two different forms of similar malware. One is Zebrocy, a trojan which has previously been observed being used as part of cyber espionage attempts working out of Russia.
The other is Cannon, with this campaign representing the first time the malware has been seen. It functions in a similar way to Zebrocy, by establishing communication with a command and control server which provides malware with instructions.
Cannon is designed to be persistent, set to take screenshots of the desktop every 10 seconds and gathering full system information every five minutes. In an effort to subtly pass stolen data on, Cannon uses email to forward attachments to one of three accounts hosted by a Czech Republic based service provider. From here, emails go to accounts controlled by the attackers.
The researchers are pinning the campaign on Sofacy because of how similar the Cannon malware is to Zebrocy – which is known to be the work of the hacking group. There’s also a number of other similarities, including reuse of author names in documents associated with the campaigns and the reuse of the same command and control servers.
The latest round of Fancy Bear attacks have targeted “a government organization dealing with foreign affairs in Europe” according to Palo Alto Networks, although researchers won’t go into the specifics of what governments have been targeted by the attacks, or if the campaigns have been successful for the attackers. It’s also unclear what specific information the attackers are targeting in this campaign.
“This is another example of how the Sofacy group is willing and able to develop new tools in support of their tactical and strategic aims,” said Bryan Lee, principal researcher for Unit 42 at Palo Alto Networks.
“While we can’t say how this specifically fit in to the overall Sofacy picture, based on the body of collective research we have as an industry, nearly all would agree that there is an overall picture: the Sofacy group doesn’t do things on a whim or for no reason.”
The discovery of new Fancy Bear activity comes shortly after researchers discovered a new phishing campaign targeting both government and private sector in the United States. That particular campaign is being carried out by Cozy Bear, another Russian state-sponsored hacking group.