Group behind the attack is named Sofacy (APT28, Fancy Bear)

Jun 14, 2016 21:30 GMT  ·  By

On May 28, 2016, a Russian-linked cyber-espionage group sent a spear-phishing email to a US government official from an infected computer in the IT network of another country's Ministry of Foreign Affairs.

The email contained an RTF document called Exercise_Noble_Partner_16.rtf, referring to a joint US-Georgian military exercise.

According to Palo Alto Networks' Unit 42, opening this file triggers an exploit for CVE-2015-1641, a memory-corruption bug in Microsoft Word's RTF handling, which drops two DLL files (btecache.dll and svchost.dll) onto the victim's computer.

The researchers say these two files load a Carberp variant of the Sofacy Trojan, the backdoor used by the Sofacy cyber-espionage group. The group is linked to Russia's military intelligence service, the GRU, and is also tracked under names such as Fancy Bear, APT28, Sednit, Pawn Storm and Strontium.

Sofacy finds new method to launch malicious process

Palo Alto's researchers said one detail of this most recent Sofacy campaign caught their eye: the group had apparently come up with a never-before-seen trick to gain persistence on infected devices.

Most malware registers an autostart entry (a Run key, a service or a scheduled task) so that its process launches at boot or logon. Sofacy's malware used a different technique: the dropped DLL is loaded only when the user opens a Microsoft Office application such as Word, PowerPoint or Excel, and nothing runs until that happens.

"This is the first time Unit 42 has seen the Sofacy group, or any other threat group for that matter, use this tactic for persistence purposes," Palo Alto's Robert Falcone and Bryan Lee noted. "An added benefit for the threat actor to using this specific tactic for persistence is that it requires user interaction to load and execute the malicious payload, which can cause challenges for detection in automated sandboxes."

Polish security company Prevenity analyzed the same sample and documented the same registry entry: the (Default) value of an "Office test" key that points at the dropped DLL.

HKCU\Software\Microsoft\Office test\Special\Perf (Default) = "C:\Users\[username]\AppData\Roaming\btecache.dll"
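The key above normally does not exist on a workstation, so checking for it is cheap. The following PowerShell is an added example written for this article; it is not code from Palo Alto, Prevenity or the malware authors. It looks up the "Office test\Special\Perf" key in HKCU and, as an assumption beyond what the article reports, also in the HKLM and WOW6432Node locations, then flags any (Default) value that points to a DLL under a user-writable directory, as the campaign's %APPDATA%\btecache.dll did. The path patterns treated as suspicious are this example's own heuristic.

```powershell
# Added example (not from the original article): hunt for the "Office test" persistence key.
# Run in an elevated PowerShell session to read HKLM; HKCU works for the current user only.

# HKCU is the location reported in this campaign; the HKLM entries are an assumption
# (the same key can exist machine-wide, and under WOW6432Node for 32-bit Office on 64-bit Windows).
$Candidates = @(
    'HKCU:\Software\Microsoft\Office test\Special\Perf',
    'HKLM:\SOFTWARE\Microsoft\Office test\Special\Perf',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Office test\Special\Perf'
)

function Test-OfficeTestPersistence {
    [CmdletBinding()]
    param([string[]]$Keys = $Candidates)

    foreach ($Key in $Keys) {
        # The key is absent on a clean system, so its mere presence is a finding.
        if (-not (Test-Path -LiteralPath $Key)) { continue }

        $Item    = Get-Item -LiteralPath $Key
        $Default = $Item.GetValue('')   # the (Default) value holds the DLL path Office will load

        # Heuristic (this example's own): a DLL in a profile or temp directory is far more
        # suspicious than one under Program Files. Matches the campaign's AppData\Roaming path.
        $Suspicious = $false
        if ($Default) {
            $Suspicious = $Default -match '(?i)\\(AppData|Users|Temp|ProgramData)\\'
        }

        [pscustomobject]@{
            Key        = $Key
            DllPath    = $Default
            FileExists = if ($Default) { Test-Path -LiteralPath $Default } else { $false }
            Suspicious = $Suspicious
        }
    }
}

$Findings = Test-OfficeTestPersistence
if ($Findings) {
    $Findings | Format-Table -AutoSize
} else {
    Write-Output 'No "Office test\Special\Perf" key found in HKCU or HKLM.'
}
```

Any hit deserves a closer look at the referenced DLL before removing the key; a key whose DLL has already been deleted still tells you Office was used as a loader on that host. Remediation is a `Remove-Item -LiteralPath <key> -Recurse` on the offending key after the DLL has been collected for analysis.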

Sofacy made many mistakes

Luckily for the defenders, there were some inconsistencies in the group's operation. First, the RTF document never displayed any decoy content to the user, which could tip off the target that something was wrong.

Second, as Palo Alto noted, the group reused IP addresses and C&C server domains from past campaigns, which made the activity easy to link to earlier Sofacy operations. Palo Alto couldn't tell whether this was carelessness or a lack of resources at the time of the attack.

The end result is that Sofacy burned a novel persistence technique that could have slipped past sandbox analysis, because the malware never runs without an Office application being opened, all for want of attention to smaller details. Now that security firms know about the trick, their products can look for the "Office test" key and treat its presence as a sign of compromise.

Also today, CrowdStrike revealed another Sofacy attack, this one on the Democratic National Committee network, from which the group stole opposition research on the party's main rival, Donald Trump.