APT28 Uses Cannon Malware in New Cyberespionage Campaign

Delaware, USA – November 21, 2018 – Researchers from Palo Alto Networks uncovered a new cyberespionage campaign conducted by APT28 and aimed at government organizations in North America and Europe. APT28 group, also known as Sofacy or Fancy Bear, is infamous for its large-scale campaigns and the use of sophisticated malware. In the uncovered campaign, the group uses a never-before-seen trojan, which the researchers called Cannon. The attackers exploit the theme of the recent catastrophe of Lion Air Boeing 737 and send phishing emails with an attached Microsoft Word document disguised as a list of victims. The document asks a user to enable macro and loads remote templates embedded with a macro code which uses the AutoClose function to delay the execution of the malicious code until the .docx file is closed. Using such documents, APT28 distributes both the well-known Zebrocy trojan and the new Cannon malware, which collects information about the system, takes screenshots, and uses email communication to get instructions and secondary payload.

The tactic used by the group is not new, but it more effective at evading detection as the external hosts involved are a legitimate email service provider. The campaign continues, and it is necessary to use additional defensive measures to protect your organization from such attacks. Threat Hunting Framework tracks IP, URL, Domains and File hashes across all log sources you have connected to the SIEM, as well as highlights the gaps and interruptions in data flow: https://my.socprime.com/en/integrations/threat-hunting-framework-arcsight