APT28 Targets Government and Military Institutions with Zebrocy Malware

Delaware, USA – December 3, 2018 – Last week, researchers reported on two new campaigns by the APT28 group aimed at European government organizations and military institutions. APT28 also known as Sofacy, Pawn Storm, Sednit, Fancy Bear and Snakemackerel attacked government entities of NATO members and countries in Central Asia using malicious document pretended to be a draft of the BREXIT agreement announced by the UK government. Accenture researchers published a detailed report containing indicators of compromise. The document used in this cyber espionage campaign contains malicious macros that install Zebrocy malware on the attacked system. To trick the victim into enabling macros, APT28 deliberately used jumbled-up text as content. Attackers used the same malicious macros in one of the past campaigns. Security researcher Emmanuele de Lucia reported the second campaign targeted at military institutions. Adversaries send phishing emails with NATO Simulation.doc which after the enabling macro drops a SedUploader malware. Cybercriminals prepared the infrastructure for this attack in just a few days, and at the time of reporting, the malware was undetectable to any antivirus solution. According to the research, at least one of the targeted victims was successfully infected.

Earlier in the November, APT28 conducted another cyberespionage campaign targeted at government organizations in North America and Europe distributing Zebrocy trojan and the Cannon malware. You can detect active campaigns of the state-sponsored APT group using free SIEM rules from Threat Detection Marketplace.

APT28 detection pack
Part 1: https://tdm.socprime.com/tdm/info/1385/
Part 2: https://tdm.socprime.com/tdm/info/1393/