State-backed hackers are apparently targeting security researchers with their latest campaign, which uses a document advertising a cybersecurity conference as the lure.
Security researchers are being sent a malicious document titled ‘Conference_on_Cyber_Conflict.doc’, which contains information about a US security conference. While the conference is real, the document is not from its organisers: it uses content copied from the conference website and pasted into a Word document.
The nature of the lure the hackers are using means they’re likely to be targeting people interested in, or linked to, cybersecurity.
The campaign has been uncovered by researchers at Cisco Talos, who have attributed it to an operation they refer to as Group 74 — also known as APT28, Sofacy and Fancy Bear — a Russian hacking collective with links to the Kremlin.
Image: Cisco Talos
The payload dropped by the malicious document, Seduploader, has been used in previous campaigns by Fancy Bear. It is a first-stage reconnaissance tool that the group commonly uses to profile a victim and then download further malware for espionage.
“This is clearly an attempt to exploit the credibility of Army Cyber Institute and NATO CCDCOE in order to target high-ranking officials and experts of cyber security,” said a CCDCOE spokesperson.
Seduploader is capable of taking screenshots, exfiltrating data, executing code, downloading additional files and more — all very much suggesting its goal is espionage and stealing information from victims.
Unlike in previous campaigns by the group, the malicious document doesn’t contain an Office exploit or a zero-day. Rather, it uses a malicious Visual Basic for Applications (VBA) macro, code that runs inside the host application — in this case, Microsoft Word — once the recipient opens the file and allows macros to run. That reliance on the user enabling content is the trade-off of a macro-based lure: it needs no vulnerability, but it leaves a visible warning bar and an artefact that defenders can scan for before the document is ever opened.
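Because the lure carries a VBA macro rather than an exploit, the document itself is the detectable artefact. The following scanner is an added example written for this page, not code from Cisco Talos or the article; it checks whether a Word file contains a VBA project by looking for the structures Word writes when macros are present, without executing anything. For a legacy .doc (an OLE compound file, magic bytes D0 CF 11 E0 A1 B1 1A E1) it searches for the UTF-16LE directory-entry names "Macros", "VBA" and "_VBA_PROJECT"; it also goes beyond the .doc case in the text and handles an OOXML .docm, where a macro project is stored as the ZIP member word/vbaProject.bin. The sample bytes built by make_sample_doc are constructed here to exercise the scanner and are not a real compound file; the hypothetical file name in the usage line stands in for whatever file you are triaging.

```python
"""Heuristic VBA-macro triage for Word documents (added example, not the article's code).

It does not parse the full compound-file or ZIP structure; it looks for the
storage/stream names that only appear when a VBA project is embedded, which is
the same idea YARA rules for macro documents use.
"""
import sys

# Magic bytes of an OLE2 compound file (legacy .doc/.xls/.ppt) and of a ZIP (OOXML).
OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
ZIP_MAGIC = b"PK\x03\x04"

# Directory-entry names Word writes for an embedded VBA project in a .doc.
# Entry names are stored as null-terminated UTF-16LE, so we match the
# encoded name followed by its two-byte terminator.
OLE_VBA_NAMES = ("Macros", "VBA", "_VBA_PROJECT")

# In a .docm the VBA project is a plain ZIP member; its name appears unencoded
# in both the local file header and the central directory.
OOXML_VBA_MEMBER = b"word/vbaProject.bin"


def _ole_name(name: str) -> bytes:
    return name.encode("utf-16-le") + b"\x00\x00"


def scan_for_vba(data: bytes) -> dict:
    """Return which container type the bytes are and which VBA markers were found."""
    container = None
    markers = []
    if data.startswith(OLE_MAGIC):
        container = "ole"
        for name in OLE_VBA_NAMES:
            if _ole_name(name) in data:
                markers.append(name)
    elif data.startswith(ZIP_MAGIC):
        container = "ooxml"
        if OOXML_VBA_MEMBER in data:
            markers.append(OOXML_VBA_MEMBER.decode())
    return {"container": container, "markers": markers, "has_vba": bool(markers)}


def make_sample_doc(with_macros: bool) -> bytes:
    """Constructed test input: OLE magic, a zero-filled 512-byte header and
    128-byte directory entries. Not a valid compound file, only enough
    structure for the string heuristic above."""
    def entry(name: str) -> bytes:
        return _ole_name(name).ljust(128, b"\x00")

    data = OLE_MAGIC + b"\x00" * (512 - len(OLE_MAGIC))
    data += entry("Root Entry") + entry("WordDocument") + entry("1Table")
    if with_macros:
        data += entry("Macros") + entry("VBA") + entry("_VBA_PROJECT") + entry("dir")
    return data


def main(argv: list) -> int:
    paths = argv[1:] or []
    if not paths:
        # Hypothetical file name; run as: python scan.py Conference_on_Cyber_Conflict.doc
        print("usage: scan.py <document> [...]")
        return 2
    for path in paths:
        with open(path, "rb") as fh:
            result = scan_for_vba(fh.read())
        verdict = "VBA PRESENT" if result["has_vba"] else "no VBA markers"
        print(f"{path}: {result['container'] or 'unknown container'}: {verdict} {result['markers']}")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

A hit here means the file carries a VBA project, not that the project is malicious; a scanner like this is a first filter that tells you which attachments deserve a proper dump of the macro source (the module streams are stored compressed, so reading the code itself needs a real VBA extractor). A document with no markers can still be dangerous if it relies on an exploit rather than a macro, which is exactly the case this campaign did not use.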
This demonstrates the extent to which attackers will research news and events related to their desired targets in order to craft the most convincing lure — such as, in this campaign, those in the area of cybersecurity.
While it might seem daring to directly target people in the security industry, if anyone did fall for the lure, the attackers could gather extremely useful information.