Security researchers recently discovered a notable spear phishing email campaign that used a peculiar, albeit increasingly popular, intrusion technique hidden inside a message concerning a terrorism attack in New York City.
The operation appears to have been conducted, according to U.S. cybersecurity firm McAfee, by an infamous group of Russian hackers widely known as APT28 or Fancy Bear. The group is best known for breaching the Democratic National Committee in the run-up to the 2016 U.S. presidential election.
The malicious emails designed by APT28 may have been recently sent to military personnel located in Germany and France, based on other associated campaigns that were similarly linked to the Russian hackers, explained Ryan Sherstobitoff, a senior analyst with McAfee’s advanced threat research team.
“Based on the telemetry we captured, we have observed targets in Europe, specifically France and Germany,” Sherstobitoff said. “The document theme from the previous related campaign has the name SabreGuardian, which is in reference to the U.S. Army in Europe.”
This is not the first time APT28 included mention of a highly publicized event in their carefully tailored emails to elicit a click, download or other response. Last month, for example, analysts with Cisco’s Talos research unit uncovered another operation where the same hacking group used news about an upcoming security conference in D.C. to precisely target specific individuals.
“The actor is using geo-political events to entice interest in opening the malicious documents, if our memory serves correctly, this is a targeting strategy of this group which increases the chances they will hit the correct victim,” said Sherstobitoff.
While APT28 is notorious for these types of expansive and often cleverly designed espionage operations, the specific and recent emails noted by McAfee are significant because they show that the group adopted a technique that’s difficult to detect and remains unfixed.
The technique, broadly described as the “DDE Technique” in multiple recent blog posts by several different cybersecurity firms, abuses a legitimate Microsoft Office feature, Dynamic Data Exchange (DDE), an inter-application messaging mechanism that a document field can invoke, to execute arbitrary code on a victim’s system regardless of whether macros are enabled. This method was first publicly disclosed by cybersecurity firm SensePost in early October. Since then, multiple groups of both criminally motivated and intelligence-gathering-focused hackers have apparently combined the technique with their own payloads.
“We have observed a pattern of threat actors using VBA Macros in the malicious documents, but what we have recently seen is a shift to DDE. This technique is more effective as it doesn’t rely on the victim’s system having Macros enabled,” said Sherstobitoff. “This is just another way APT28 is ramping up their methods to evade detection.”
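Because the DDE technique lives in a document field rather than in a macro, macro-focused checks miss it; the field code itself is what a defender needs to inspect. The following scanner is an added example, not code from the original article or from McAfee’s research: it unpacks a .docx, reassembles each field code from its `w:instrText` runs (the code is often split across several runs, which defeats naive string matching on the raw XML) and flags any `DDE` or `DDEAUTO` field. The `build_docx` helper and the two sample documents are constructed here so the script runs offline; the executable path inside the sample field is a placeholder.

```python
import io
import re
import sys
import zipfile
import xml.etree.ElementTree as ET

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
# Field types that hand control to Dynamic Data Exchange when the document opens.
DDE_RE = re.compile(r"^\s*DDE(AUTO)?\b", re.IGNORECASE)


def extract_field_codes(docx_bytes):
    """Return every field code found in the Word parts of a .docx (document body,
    headers, footers, footnotes), with split instrText runs joined back together."""
    codes = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not (name.startswith("word/") and name.endswith(".xml")):
                continue
            root = ET.fromstring(zf.read(name))
            stack = []  # one buffer per open complex field; supports nested fields
            for el in root.iter():  # document order
                tag = el.tag.rsplit("}", 1)[-1]
                if tag == "fldChar":
                    kind = el.get(f"{{{W_NS}}}fldCharType")
                    if kind == "begin":
                        stack.append([])
                    elif kind == "end" and stack:
                        codes.append("".join(stack.pop()).strip())
                elif tag == "instrText" and stack:
                    stack[-1].append(el.text or "")
                elif tag == "fldSimple":  # simple fields carry the code in an attribute
                    instr = el.get(f"{{{W_NS}}}instr")
                    if instr:
                        codes.append(instr.strip())
    return codes


def find_dde_fields(docx_bytes):
    """Return only the field codes that would trigger a DDE request."""
    return [c for c in extract_field_codes(docx_bytes) if DDE_RE.search(c)]


def build_docx(field_runs):
    """Constructed test helper (not a real authoring tool): wrap a list of
    instrText fragments in one complex field inside a minimal .docx."""
    runs = "".join(
        f'<w:r><w:instrText xml:space="preserve">{frag}</w:instrText></w:r>'
        for frag in field_runs
    )
    body = (
        f'<w:document xmlns:w="{W_NS}"><w:body><w:p>'
        '<w:r><w:fldChar w:fldCharType="begin"/></w:r>'
        f"{runs}"
        '<w:r><w:fldChar w:fldCharType="separate"/></w:r>'
        "<w:r><w:t>cached result</w:t></w:r>"
        '<w:r><w:fldChar w:fldCharType="end"/></w:r>'
        "</w:p></w:body></w:document>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")  # placeholder; not parsed here
        zf.writestr("word/document.xml", body)
    return buf.getvalue()


# Constructed samples: an ordinary DATE field, and a DDEAUTO field whose keyword is
# split across runs the way obfuscated documents do it. The path is a placeholder.
BENIGN_DOC = build_docx([' DATE \\@ "d MMMM yyyy" '])
DDE_DOC = build_docx([" DD", "EAUTO ", r'"C:\PLACEHOLDER\tool.exe" ', '"placeholder args" '])

if __name__ == "__main__":
    targets = sys.argv[1:]
    if targets:
        for path in targets:
            with open(path, "rb") as fh:
                hits = find_dde_fields(fh.read())
            print(f"{path}: {'DDE field(s) found: ' + repr(hits) if hits else 'clean'}")
    else:
        print("benign sample:", find_dde_fields(BENIGN_DOC))
        print("dde sample:   ", find_dde_fields(DDE_DOC))
```

Run it with one or more .docx paths to triage a mail attachment; with no arguments it scans the two built-in samples. Scanning headers and footers matters because those parts are rendered on open just like the body, so a field hidden there still fires.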
In this case, APT28’s espionage efforts came in the form of an email containing a booby-trapped Microsoft Word document. The email itself, as well as the document, mentioned the aforementioned terrorist attack, which occurred on October 31 in New York City and resulted in the death of eight people. If this document were downloaded, it would instantly and covertly establish a connection back to the attacker’s command and control server, which would then serve up a first-stage reconnaissance implant to the victim’s device.
Although the terrorist attack occurred on October 31, the planning for this espionage activity began at least one week prior — with the registration of a domain to host the malware taking place on October 25 and the document itself carrying a timestamp of October 27. On November 1, the malicious document was renamed, according to McAfee, to include mention of the attack.
It’s not clear what the prior theme would have been in these emails, but it’s notable that the group quickly adapted to a changing news environment.