New cyber-espionage group discovered by Bitdefender

Jul 7, 2016 13:34 GMT  ·  By

Pacifier APT is the name given by security firm Bitdefender to a new group that has carried out a series of cyber-espionage operations against Romanian institutions and other foreign targets in countries such as Iran, India, the Philippines, Russia, Lithuania, Thailand, Vietnam, and Hungary.

After recently discovering the group, Bitdefender says it uncovered further evidence on attacks with various types of malware on different targets going back to 2014. Since 2014, the group has carried out attacks using three main tactics.

Backdoor trojan hiding in browsers and Outlook

In 2014 and 2015, Pacifier used a homebrew backdoor Trojan, which they spread to their targets using spear-phishing emails containing macro-laced Word files.

The macro scripts attached to these documents would download and install the backdoor trojan on the infected systems, and then download a legitimate, clean Word document to show to the victim and avoid raising any alarms with the target.

This trojan would inject itself into the processes of Internet Explorer, Firefox, Google Chrome, or Firefox. From here, it would communicate with a C&C server from where it would receive commands.

Capabilities included the ability to download or upload files from the infected systems, close the connection, or self-destroy.

Backdoor hiding as Firefox extension

Also in 2014 and 2015, Bitdefender says that crooks also employed macro-laced Office files to install a Firefox extension called "langpack-en-GB 15.0.0."

The extension had no functionality, but it was another backdoor trojan that allowed the threat actors to interact with the local machine.

Compared to the first trojan, this one was far more advanced, also including the capability to execute or search files.

Group switches from macro malware to a JS-based delivery method

In May 2016, Pacifier made an important change to their attack methods. The group switched from using macro malware to a JavaScript delivery method, which became very popular starting early 2016, thanks to the rising number of ransomware families that deploy it.

The APT started delivering ZIP archive that contained a file with two extensions like filename.doc.js. This JavaScript file would download two items: another backdoor trojan, and a legitimate, clean Word file to show the target.

The success of this APT heavily relied on its ability to craft appealing spear-phishing emails. Bitdefender experts say they found the APT's malware distributed via emails that contained CVs, invitations to conferences, invitations to social functions, second-hand car offers, instructions from high-ranking officials, international politics, budget calculations, or guidelines on how to interview for a job in foreign affairs.

Technical details about the malware used in the above-described attacks can be found in Bitdefender's Pacifier APT whitepaper.

Internal structure of Pacifier's first malware
Internal structure of Pacifier's first malware

Photo Gallery (4 Images)

Bitdefender discovers Pacifier APT
Internal structure of Pacifier's first malwareFirefox extension deployed during 2014 and 2015
+1more