Hackers are using a Flash flaw in fake document in this new spying campaign

The payload is delivered via phishing emails about a real defence conference -- but nothing happens until the target scrolls down to the third page...
Written by Danny Palmer, Senior Writer


A hacking group is using updated cyber-attacks as part of a campaign targeting a European government, in what's thought to be a continued attempt to conduct espionage and surveillance.

The latest campaign by the Fancy Bear group -- also known as Sofacy and APT28, and believed to be linked to the Kremlin -- has been uncovered by researchers at security company Palo Alto Networks.

The researchers observed the campaign taking place on March 12, and then again on March 14. In these attacks, the Sofacy group employs an updated version of DealersChoice, a platform that exploits a Flash vulnerability to stealthily deliver a malicious payload of trojan malware.

The updated incarnation of DealersChoice contains a new evasion technique which researchers say hasn't been observed before: the Flash object only loads when a specific page of the malicious document used to deliver the attack is viewed.


Attacks against the European government organisation -- researchers haven't specified which country the target is in -- start with spear-phishing emails with the subject of 'Defence & Security 2018 Conference Agenda'. The emails contain a Word document, titled 'Defence & Security 2018 Conference Agenda.docx'.

Researchers note that the attackers have copied an agenda directly from a real conference taking place in the UK next week. It's likely to have been selected to appeal to specially chosen individuals within the target government.

If the user opens the Microsoft Word attachment, the Flash object -- which contains ActionScript code that attempts to install the malicious payload -- will only run if someone scrolls down to the third page of the document.

While this might seem to be a risky approach for the attackers -- even if the user opens the document, they may not scroll through -- researchers say it demonstrates how the attackers specially tailor the lures to be interesting for specific targets.

"This suggests that the Sofacy group is confident that the targeted individuals would be interested enough in the content to peruse through it," said Robert Falcone, threat intelligence analyst at Unit 42.

Researchers say the reason the malicious Flash object doesn't run until the user reaches the third page is that the DealersChoice loader SWF isn't activated until it is rendered onscreen -- a tactic which helps the malicious payload avoid detection. It exists in the form of a tiny Flash object which Word displays as a small black dot -- something which users may not give much thought to.

Image: The Flash object appearing as a small black dot in the delivery document. (Palo Alto Networks)

Once activated, this Flash object needs to contact an active C2 server to download an additional Flash object containing further exploit code. Following that, the object will contact the same C2 server for additional code.
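Because the loader only activates when its page is rendered, a sandbox that opens the document but never scrolls to page three may see nothing. A static check does not depend on rendering at all: a .docx is a zip archive, and an embedded Flash object leaves either a Shockwave Flash ActiveX part or a raw SWF blob (magic bytes FWS, CWS or ZWS) inside it. The script below is an added example written for this article, not code from Palo Alto Networks or from the campaign; the sample document it builds is constructed in memory, and the ActiveX part layout it assumes is the generic one Word uses for ActiveX controls, not the specific structure of the DealersChoice lure.

```python
import io
import re
import zipfile

# SWF files begin with one of three signatures: uncompressed (FWS),
# zlib-compressed (CWS) or LZMA-compressed (ZWS), followed by a one-byte
# Flash version and a little-endian 32-bit file length.
SWF_MAGICS = (b"FWS", b"CWS", b"ZWS")

# CLSID of the Shockwave Flash ActiveX control as it appears in the
# word/activeX/activeX*.xml parts of a .docx.
FLASH_CLSID = re.compile(rb"D27CDB6E-AE6D-11CF-96B8-444553540000", re.IGNORECASE)


def find_flash_indicators(docx_bytes):
    """Return (part_name, reason) pairs for every part of a .docx that looks
    like Flash content. Works on the raw archive, so it does not matter on
    which page the object would be displayed, or whether it is ever rendered."""
    hits = []
    try:
        archive = zipfile.ZipFile(io.BytesIO(docx_bytes))
    except zipfile.BadZipFile:
        # Not OOXML at all (e.g. legacy .doc); out of scope for this check.
        return hits
    with archive as zf:
        for name in zf.namelist():
            data = zf.read(name)
            if data[:3] in SWF_MAGICS:
                # A bare SWF stored as its own part.
                hits.append((name, "SWF header"))
            elif name.startswith("word/activeX/") and FLASH_CLSID.search(data):
                # An ActiveX control declaration pointing at the Flash player.
                hits.append((name, "Shockwave Flash ActiveX control"))
            elif name.startswith("word/embeddings/") and _contains_swf(data):
                # SWF wrapped inside an OLE container; heuristic scan.
                hits.append((name, "SWF header inside embedded object"))
    return hits


def _contains_swf(data):
    """Heuristic: SWF magic followed by a plausible version byte anywhere in the blob."""
    for magic in SWF_MAGICS:
        idx = data.find(magic)
        while idx != -1:
            if idx + 4 <= len(data) and data[idx + 3] < 0x40:
                return True
            idx = data.find(magic, idx + 1)
    return False


def build_sample_docx(include_flash):
    """Constructed minimal .docx for demonstration; not a real lure document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if include_flash:
            zf.writestr(
                "word/activeX/activeX1.xml",
                '<ax:ocx ax:classid="{D27CDB6E-AE6D-11cf-96B8-444553540000}"/>',
            )
            # Minimal SWF-like blob: magic, version 10, length 100, padding.
            swf = b"CWS" + bytes([10]) + (100).to_bytes(4, "little") + b"\x00" * 16
            zf.writestr("word/activeX/activeX1.bin", swf)
            # The same blob wrapped in some OLE-like header bytes.
            zf.writestr("word/embeddings/oleObject1.bin", b"\xd0\xcf\x11\xe0" * 4 + swf)
    return buf.getvalue()


if __name__ == "__main__":
    for label, flag in (("clean", False), ("flash", True)):
        print(label, find_flash_indicators(build_sample_docx(flag)))
```

Run against attachments at the mail gateway or in an analysis pipeline, this flags the object whether or not the page it sits on would ever be scrolled into view, which is exactly the gap the render-on-demand trick is designed to exploit. A hit on the Flash CLSID is a strong signal on its own in most enterprise mail flows, since legitimate documents rarely embed Flash controls.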


If previous Russian hacking campaigns are anything to go by, the ultimate goal of the attack is to stealthily compromise the system and allow attackers to conduct surveillance and espionage.

The attack relies on the victim running a vulnerable version of Flash, which serves as a reminder to organisations that they should ensure systems are patched as soon as possible to avoid compromise. In this instance, a patch to close the Flash security holes has been available for months.

Unit 42 has linked this campaign to Sofacy because of clues in the delivery document. The lure is listed as last modified by a user named 'Nick Daemoji', which has been the case in previous Sofacy/Fancy Bear campaigns.

The distribution tactics are also similar to other campaigns by Sofacy, which have previously lured victims through documents relating to security and defence conferences.
