
From APT29 cyber attacks on US with real pdf documents to confuse victims


Yoroi – Cybaze ZLab analyzed a new strain of malware that the Russian-linked APT29 (aka Cozy Bear, Office Monkeys, CozyCar, The Dukes, and CozyDuke) is spreading against US targets

The Russian-linked APT29 (aka Cozy Bear, Office Monkeys, CozyCar, The Dukes, and CozyDuke) is spreading a new strain of malware against US targets. It has been analyzed by Yoroi – Cybaze ZLab cyber security experts. On 16 November, the researchers obtained a new, dangerous APT29 malicious code, which seems to be involved in the recent wave of cyber attacks aimed at many important US entities, such as military agencies, law enforcement, defense contractors, media and pharmaceutical companies. “The Department is aware of the recent malicious cyber event involving the spoofing (impersonation) of an employee reported by U.S. cybersecurity firm FireEye. No Department networks were compromised by this malicious cyber attempt,” reads a statement released by the US State Department and reported by Security Affairs.

APT29 is using real PDF documents to confuse the victims, while the malware executes its activities

APT29 carried out spear phishing with malware, impersonating a State Department official, in an attempt to compromise US targets. The email messages contain a zip file as an attachment, which holds a shortcut (.lnk) file with remarkable capabilities. Yoroi – Cybaze ZLab cyber security experts report on the company’s blog that when the victim double-clicks on the link, it starts different malicious activities: it runs a PowerShell command, which extracts another PowerShell script from a hidden section of the file. This script creates two new files: a legitimate PDF document (ds7002.pdf) and a DLL file (cyzfc.dat), which probably contains the real payload. What is interesting is the PDF document, which the malware opens automatically if a PDF viewer is installed on the infected system. Its goal is to confuse the victims while the malicious code carries out its other activities.

The malicious DLL contains a payload generated with Cobalt Strike, typically used by threat actors such as the Russian “Carbanak” gang or the Iranian “CopyKittens” group. The malware was also configured with a series of tricks to make it stealthier

According to FireEye’s report, the APT29 malicious DLL contains a beaconing payload generated with Cobalt Strike, a well-known post-exploitation framework typically used by red teams all around the world, and sometimes abused by other threat actors, such as the Russian “Carbanak” gang or the Iranian “CopyKittens” group. So the DLL likely retrieved attacker commands and further payload modules from the “pandorasong.com” domain. Moreover, the malware was configured with a series of tricks to make it stealthier: the “pandorasong.com” C2 recalls the legitimate “pandora.com” domain name, owned by one of the most popular music streaming services in the US; interactions with the C2 take place over an encrypted SSL channel; and the HTTP requests are specifically crafted to mimic legitimate communication with Pandora’s servers. A related Cobalt Strike communication profile is publicly available on GitHub.

The Yoroi – Cybaze ZLab conclusions on the APT29’s malware analysis

The usage of a link file containing the complete payload is a powerful technique, still hard to detect for several common anti-virus solutions, explained the Yoroi – Cybaze ZLab cyber security experts. Despite the effectiveness of this strategy, creating a weaponized link such as the one analyzed is quite easy, and many publicly available resources could help crooks to abuse it. This technique has also been part of the APT29 arsenal for a long time: a shortcut file containing a self-extracting payload was (ab)used back in 2016, when the “Cozy Bear” group tried to leverage the just-concluded US Presidential Election to attack NGOs and US think tanks with a carefully prepared spear-phishing campaign.
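The self-extracting shortcut described in the analysis above, and the detection difficulty noted in these conclusions, can be triaged on the mail gateway or in a sandbox with a simple heuristic. The following Python script is an added example, not Yoroi – Cybaze ZLab’s or FireEye’s code: it validates the MS-SHLLINK header, looks for PowerShell launch strings in the shortcut’s argument data, and flags shortcuts far larger than a normal link; the sample blobs, the pattern list and the size threshold are constructed assumptions, not values from the analyzed sample.

```python
import re
import struct

# MS-SHLLINK ShellLinkHeader: HeaderSize (always 0x4C) followed by the fixed LinkCLSID.
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
FLAG_HAS_ARGUMENTS = 0x20   # LinkFlags bit 5: a command-line argument string is present

# Constructed heuristics for a shortcut that launches PowerShell to unpack itself.
SUSPICIOUS_PATTERNS = [
    re.compile(r"powershell", re.I),
    re.compile(r"-(?:enc|encodedcommand|e)\b", re.I),
    re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    re.compile(r"FromBase64String|Get-Content|ReadAllBytes", re.I),
]

def analyze_lnk(data: bytes, size_threshold: int = 4096) -> dict:
    """Triage a .lnk blob: validate the header, flag PowerShell launch strings and oversized files."""
    result = {"is_lnk": False, "has_arguments": False, "findings": [], "suspicious": False}
    if len(data) < LNK_HEADER_SIZE:
        return result
    header_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    result["is_lnk"] = header_size == LNK_HEADER_SIZE and clsid == LNK_CLSID
    if not result["is_lnk"]:
        return result
    result["has_arguments"] = bool(flags & FLAG_HAS_ARGUMENTS)
    # StringData is UTF-16LE when IsUnicode is set; decode at both byte alignments plus a raw view.
    views = [
        data.decode("latin-1"),
        data.decode("utf-16le", errors="ignore"),
        data[1:].decode("utf-16le", errors="ignore"),
    ]
    for pat in SUSPICIOUS_PATTERNS:
        if any(pat.search(v) for v in views):
            result["findings"].append(f"command-line pattern /{pat.pattern}/")
    # A shortcut is normally a few hundred bytes; a self-extracting one carries its payload as extra data.
    if len(data) > size_threshold:
        result["findings"].append(f"oversized shortcut ({len(data)} bytes > {size_threshold})")
    result["suspicious"] = bool(result["findings"])
    return result

def _fake_lnk(args: str, flags: int, trailer: bytes = b"") -> bytes:
    """Build a minimal constructed .lnk-shaped blob (header + UTF-16LE string + optional trailer)."""
    header = struct.pack("<I16sI", LNK_HEADER_SIZE, LNK_CLSID, flags)
    header += b"\x00" * (LNK_HEADER_SIZE - len(header))
    return header + args.encode("utf-16le") + trailer

# Constructed samples: a lure-style shortcut with an appended blob, and a plain notepad shortcut.
LURE_SAMPLE = _fake_lnk("powershell -w hidden -enc AAAA", FLAG_HAS_ARGUMENTS | 0x80, b"\xAA" * 6000)
BENIGN_SAMPLE = _fake_lnk("C:\\Windows\\notepad.exe", 0x80)
```

Run `analyze_lnk()` over the `.lnk` members of a quarantined zip attachment; a hit on both a PowerShell pattern and the size check is a strong reason to detonate the file in a sandbox rather than deliver it.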

Russian state-sponsored hackers are unleashed during this period. APT28 has released a variant of the Lojax malware (aka Double-Agent) and Gamaredon has spread the malicious code Pterodo in Ukraine, raising fears of an upcoming large-scale cyber attack against the country

Moreover, this seems like an intense period for Russian state hackers. While APT29 targets US entities, APT28 (aka Sednit, Fancy Bear, Pawn Storm, Sofacy and STRONTIUM) has circulated a variant of the notorious Lojax malware (aka Double-Agent) to conduct cyber attacks on targets in the Balkans and in central Europe. In addition, the Gamaredon group (aka Pteradon) released the malicious code Pterodo, a backdoor for Windows, in Ukraine. The National Computer Emergency Response Team (CERT-UA) and the country’s intelligence service discovered it. The risk is that a large-scale cyber attack on the nation may soon follow, as has happened in November in past years.

Photo Credits: Yoroi – Cybaze ZLab
