Sofacy APT Takes Aim with Novel ‘Cannon’ Trojan

The Sofacy APT group is back, with a new second-stage custom malware payload that researchers have dubbed “Cannon.”

A campaign against several government entities around the globe, including in North America, Europe and a former Soviet state, came in waves during late October and early November, according to Palo Alto’s Unit 42 division. The researchers attributed it to Russian-speaking Sofacy, a.k.a. Fancy Bear, Sednit or APT28, after intercepting a series of weaponized documents that load remote templates containing a malicious macro.

Tracing these templates back to their command-and-control (C2) servers, Unit 42 was able to retrieve subsequent payloads, which included the well-known Zebrocy trojan in the first stage, and a new malware, the Cannon dropper trojan, for the second stage.

The group primarily uses phishing emails as the infection vector for Zebrocy campaigns, according to separate research from ESET this week.

“Once the targets have been compromised, they use different first stage downloaders to gather information about the victims and, should the victims be interesting enough, after a delay of several hours – or even days – they deploy one of their second-level backdoors,” ESET researchers noted.

ESET noted that the classic modus operandi for a Zebrocy campaign is for the victim to receive an archive attached to an email. This archive contains two files, one a benign document and one an executable in an effort to fool the victim. However, in the latest campaign, the use of remote templates represents a new evasion trick, according to Unit 42.

“The Sofacy threat group continues to target government organizations in the EU, U.S., and former Soviet states to deliver the Zebrocy tool as a payload,” the researchers said, in a posting on their findings. “In these attacks, the delivery documents…used remote templates, which increases the difficulty to analyze the attack as an active C2 server is needed to obtain the macro-enabled document.”

Meanwhile, Cannon, which is so-named for the fact that the malicious code exists in a namespace called “cannon,” is a brand-new second-stage downloader. It notably uses email as its C2 communication channel.

“Email as a C2 channel is not a new tactic, but it is generally not observed in the wild as often as HTTP or HTTPS,” the firm said. “Using email as a C2 channel may also decrease the chance of detection, as sending email via non-sanctioned email providers may not necessarily construe suspicious or even malicious activity in many enterprises.”

“Add a layer of encryption that the SMTPS and POP3S protocols provide to the legitimate web-based service, and you have a very difficult C2 channel to block,” researchers added.

Cannon will send emails to specific email addresses via SMTPS over TCP port 587, and uses timers to run its routines in a specific order and potentially increase its evasion capability. It adds persistence and generates unique system specific identifier, and then gathers system information and takes a screenshot of the desktop to determine if the compromised host is of interest. Then, it logs into its email account, and ultimately downloads additional payloads.

“The overall purpose of to send system data (system information and screenshot) to the threat actors and to ultimately obtain a payload from an email from the actors,” the researchers noted.

Interestingly, Cannon uses more than one email account over the course of its active time. It first logs into an initial account via POP3S, looking for emails with a subject that matches the unique system identifier that it generated before. Cannon will then open the email with the correct subject and decodes the hexadecimal data in the body of the message to obtain a secondary email account.

Cannon acknowledges the receipt of the secondary email address by sending an email to a C2 address as the attachment, the term “ok” within the body and a subject with the unique system identifier. That message is then returned with the file path that the trojan will use to save the secondary payload.

Cannon then logs into another email account via POP3S to receive that payload. It moves it to the proper path and then executes the payload.

The campaign delivering Zebrocy and Cannon remains active, according to Unit 42. It follows the usual Sofacy pattern of using current events as phishing lures. For instance, one of the Microsoft Word documents has the filename “crash list(Lion Air Boeing 737).docx,” in an attempt to capitalize on the Lion Air plane crash tragedy off the coast of Indonesia.

“This document appeared to be targeting a government organization dealing with foreign affairs in Europe via spear-phishing,” researchers said. “Once the user attempts to open the document, Microsoft Word immediately attempts to load the remote template containing a malicious macro and payload from the location specified within the settings.xml.rels file of the DOCX document.”