Hackers target security researchers with malware-laden document

State-backed hackers are trying to deliver malware to people interested in cybersecurity, using malicious documents about a real conference as a lure.
Written by Danny Palmer, Senior Writer

State-backed hackers are apparently targeting security researchers with their latest campaign, which uses a document advertising a cybersecurity conference as the lure.

Security researchers are being sent a malicious document titled 'Conference_on_Cyber_Conflict.doc', which contains information about a US security conference. While the conference is real, the document is not from its organisers: it uses content copied from the conference website and pasted into a Word document.

The nature of the lure the hackers are using means they're likely to be targeting people interested in, or linked to, cybersecurity.

The campaign has been uncovered by researchers at Cisco Talos, who have attributed it to an operation they refer to as Group 74 -- also known as APT28, Sofacy and Fancy Bear -- a Russian hacking collective with links to the Kremlin.


The lure document contains information written by and logos of the real conference organisers.

Image: Cisco Talos

The malware variant contained within the malicious document, Seduploader, has been used in previous campaigns by Fancy Bear, and is commonly used to drop malware for the purposes of espionage.

"This is clearly an attempt to exploit the credibility of Army Cyber Institute and NATO CCDCOE in order to target high-ranking officials and experts of cyber security," said a CCDCOE spokesperson.

Seduploader is capable of taking screenshots, exfiltrating data, executing code, downloading additional files and more -- all very much suggesting its goal is espionage and stealing information from victims.

Unlike in previous campaigns by the group, the malicious document doesn't contain an Office exploit or a zero-day. Rather, it uses a malicious Visual Basic for Applications (VBA) macro, designed to run code within the selected application -- in this case, Microsoft Word.
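A defender-side check for this delivery mechanism, added here as an example and not code from the article or from Cisco Talos: using only the Python standard library, it walks the directory of a legacy OLE2 .doc file and flags a VBA project storage, which is what a macro-based lure like this one must carry. The sample documents it builds are constructed for the test, and the FAT lookup assumes the file's FAT sectors fit in the header's 109 DIFAT slots.

```python
import struct

CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ENDOFCHAIN = 0xFFFFFFFE

def cfb_directory_entries(data: bytes):
    """Walk the directory chain of an OLE2 compound file; yield (name, type).
    Type 1 = storage (folder), 2 = stream, 5 = root. Assumes the FAT fits in the 109 DIFAT slots."""
    if data[:8] != CFB_MAGIC:
        raise ValueError("not an OLE2 compound file (legacy .doc/.xls/.ppt)")
    sector_size = 1 << struct.unpack_from("<H", data, 30)[0]
    dir_sect = struct.unpack_from("<I", data, 48)[0]
    fat = []
    for fat_sect in struct.unpack_from("<109I", data, 76):
        if fat_sect >= 0xFFFFFFFA:          # unused DIFAT slot: no more FAT sectors
            break
        # sector n lives at file offset (n+1)*sector_size, after the 512-byte header
        fat.extend(struct.unpack_from("<%dI" % (sector_size // 4), data, (fat_sect + 1) * sector_size))
    seen = set()
    while dir_sect != ENDOFCHAIN and dir_sect not in seen:   # guard against FAT loops
        seen.add(dir_sect)
        off = (dir_sect + 1) * sector_size
        for i in range(sector_size // 128):                  # 128-byte directory entries
            entry = data[off + i * 128: off + (i + 1) * 128]
            name_len, etype = struct.unpack_from("<HB", entry, 64)
            if etype == 0 or name_len < 2:                   # unused slot
                continue
            yield entry[:name_len - 2].decode("utf-16-le"), etype   # strip UTF-16 terminator
        dir_sect = fat[dir_sect] if dir_sect < len(fat) else ENDOFCHAIN

def has_vba_project(data: bytes) -> bool:
    """True if the file carries a VBA project storage (Word nests it under 'Macros')."""
    return any(n == "VBA" and t == 1 for n, t in cfb_directory_entries(data))

def build_sample_doc(with_macros: bool) -> bytes:
    """Constructed test input: minimal 512-byte-sector file, sector 0 = FAT, sector 1 = directory."""
    def entry(name, etype):
        raw = name.encode("utf-16-le") + b"\x00\x00"
        e = bytearray(128)
        e[:len(raw)] = raw
        struct.pack_into("<HB", e, 64, len(raw), etype)
        return bytes(e)
    header = bytearray(512)
    header[:8] = CFB_MAGIC
    struct.pack_into("<H", header, 30, 9)                           # 2**9 = 512-byte sectors
    struct.pack_into("<II", header, 44, 1, 1)                       # one FAT sector; directory at sector 1
    struct.pack_into("<109I", header, 76, 0, *[0xFFFFFFFF] * 108)   # DIFAT: the FAT is sector 0
    fat = struct.pack("<128I", 0xFFFFFFFD, ENDOFCHAIN, *[0xFFFFFFFF] * 126)
    entries = [entry("Root Entry", 5), entry("WordDocument", 2)]
    entries += [entry("Macros", 1), entry("VBA", 1)] if with_macros else []
    return bytes(header) + fat + b"".join(entries).ljust(512, b"\x00")
```

Run `has_vba_project(open(path, "rb").read())` over inbound attachments to quarantine macro-bearing legacy documents; it reports presence of a VBA project, not whether the code is malicious, so treat a hit as a triage signal.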

This demonstrates the extent to which attackers will research news and events related to their desired targets in order to craft the most convincing lure for them -- in this campaign, people working in cybersecurity.

While it might seem daring to directly target people in the security industry, if anyone did fall for the lure, the attackers could gather extremely useful information.
