skip to Main Content

Ukraine, the last weaponized document on elections is the work of APT28

Ukraine, The Last Weaponized Document On Elections Is The Work Of APT28

Yoroi-Cybaze: There is the Russian state-sponsored group (aka Fancy Bear, Pawn Storm, Sofacy Group, Sednit, and STRONTIUM) behind a malicious document, referencing the Ukraine election

Yoroi-Cybaze confirm that there are Russian state-sponsored hackers APT28 (aka Fancy Bear, Pawn Storm, Sofacy Group, Sednit, and STRONTIUM) behind a malicious document, referencing the Ukraine election. It’s the first step of a more complex cyber attack and contain a payload used by Emotet banking malware. The cyber security experts reviewed the Sofacy’s phishing techniques to confirm or deny the possible involvement of Russian state-sponsored actors in the election interference. “We ended up in an old fake Hotel reservation request form, containing dummy interactive text boxes used to lure the victims to enable the macro code execution,” the company’s blog reports. “We analyzed this sample two years ago and we linked it to a Sofacy attack operation discovered by FE researchers in the mid of 2017, which hit several hotels in European and Middle Eastern countries”.

The Italian Cyber Security experts: there are strong similarities between the APT28 “Hospitality Campaign” vector and the one used against Ukraine

The Italian cyber security researchers found that, despite some differences between the “Hospitality campaign” vector and the Ukraine elections one, both use similar TTP related to the APT28 group. The link between Hospitality malware and the “FancyBear” actor has been already sifted by Info-Sec community. So, “we can exploit the similarities between it and the Ukrainian elections sample to link it to Russian hacker groups”. Both documents under analysis use protected macro code. All the code inside the macro is not obfuscated in any way: Hospitality document surprisingly contains code comments too. Moreover, the main macro function name is “Execute” for both documents and the ASR trick used to create new processes from the Office work-space is substantially the same. In both cases the real payload is encoded in Base64 and it is stored into an Office hidden section: the first sample uses a document property, the second one employs an XML resource. The next stages are different: the Ukraine sample deploys some Powershell obfuscated scripts, which at the end carry an Empire stager, allowing the attackers to directly interact with the victim machine; the reference sample, instead, implants the GAMEFISH malware which automatically exfiltrates victim information while waiting for new payloads to install.

Fancy Bear is reusing some 2017 tricks and code snippets which, despite their simplicity, make their attacks effective

Finally, Yoroi explained why it believes that the two cyber attacks are the work of APT28. There are, in fact, strong similarities: both use password protection; both have the same function name; both have the same macro code structure; both embeds the real payload in a hidden document section, and the ASR trick is implemented using the same instructions. The italian experts add that the presence of these similarities between the droppers indicates, with high probability, the attacker is the same and consequentially suggests APT28 is reusing some 2017 tricks and code snippets which, despite their simplicity, make their attacks effective.

Back To Top