The United States government has been the latest target of a spear phishing e-mail attack sent by the Sofacy group. The group has also been referred to as APT28 and is well known for its frequent cyber espionage campaigns.
Its latest attack, discovered by Unit 42, arrived in an email sent from a member of the Ministry of Foreign Affairs. The email appears to have been sent from that government office, possibly through a compromised account.
The email, sent on 28 May 2016, had the subject “FW: Excercise Noble Partner 2016,” an obvious reference to a joint NATO training exercise between the US and Georgia, intended to make the message appear genuine to its recipient. An attached RTF file named “Exercise_Noble_Partner_16” also referenced the exercise, which was underway at the time.
The RTF file attached to the email was set up to exploit CVE-2015-1641 to load two files onto the system: “btecache.dll” and “svchost.dll.” The first, “btecache.dll,” is a loader Trojan that loads and runs a Carberp variant of the Sofacy Trojan named “svchost.dll.” Malicious RTF documents generally drop or open a decoy document immediately after successfully exploiting a user's system; this one does neither after loading onto the system.
The path to “btecache.dll” is also written to the registry key below:
Software\Microsoft\Office test\Special\Perf\: “C:\Users\[username]\AppData\Roaming\btecache.dll”
Instead of running at startup, “btecache.dll” runs whenever a user opens any program in the Microsoft Office suite. This is an entirely new persistence tactic for a Trojan, and it is the first time the Sofacy group has used it.
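Because the “Office test\Special\Perf” key has no legitimate reason to point at a DLL in a user's roaming profile, the persistence described above is simple to audit. The following script is an added example written for this article, not code from Unit 42 or from the sample: it parses the text produced by a Windows `reg export` of the key and flags any DLL path registered there, noting whether the path sits in a user-writable location such as AppData. The article gives the key path without naming a hive, so checking both HKCU and HKLM is an assumption; the export text and the user name “alice” are constructed for the example, with only the key path and file name taken from the article.

```python
import re
from typing import Dict, List

# Registry key the article names as the persistence location. The article does not
# say which hive was used, so both HKCU and HKLM are checked (assumption).
OFFICE_TEST_KEYS = (
    r"HKEY_CURRENT_USER\Software\Microsoft\Office test\Special\Perf",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Office test\Special\Perf",
)

# Directories a standard user can write to; a DLL loaded from here by Office is a red flag.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Users\\Public)\\", re.IGNORECASE)

# Constructed sample of what `reg export` of the affected key looks like. Only the key
# path and the file name "btecache.dll" come from the article; the user name is made up.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Office test\Special\Perf]
@="C:\\Users\\alice\\AppData\\Roaming\\btecache.dll"

[HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common]
"Theme"=dword:00000000
"""

# Constructed clean export: the key exists but holds no values.
CLEAN_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Office test\Special\Perf]
"""

KEY_LINE = re.compile(r"^\[(.+)\]$")
VALUE_LINE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the subset of .reg syntax needed here: key headers and their values.

    REG_SZ data is unquoted and unescaped; other types (dword:, hex:) are kept verbatim.
    """
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        m = KEY_LINE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VALUE_LINE.match(line)
        if m and current is not None:
            name, data = m.group(1), m.group(2)
            name = "(Default)" if name == "@" else name[1:-1]
            if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
                # .reg files escape backslashes and quotes with a backslash; undo that.
                data = re.sub(r"\\(.)", r"\1", data[1:-1])
            keys[current][name] = data
    return keys


def find_office_test_persistence(reg_text: str) -> List[dict]:
    """Return one finding per value stored under an Office test\\Special\\Perf key."""
    wanted = {k.lower() for k in OFFICE_TEST_KEYS}
    findings: List[dict] = []
    for key, values in parse_reg_export(reg_text).items():
        if key.lower() not in wanted:
            continue
        for name, data in values.items():
            findings.append({
                "key": key,
                "value_name": name,
                "dll_path": data,
                "user_writable_path": bool(USER_WRITABLE.search(data)),
            })
    return findings


if __name__ == "__main__":
    for f in find_office_test_persistence(SAMPLE_REG_EXPORT):
        flag = "USER-WRITABLE" if f["user_writable_path"] else "system path"
        print(f'{f["key"]} [{f["value_name"]}] -> {f["dll_path"]} ({flag})')
```

Any value at all under this key deserves a look, since Office loads the named DLL into every Office process; a path under the user's profile, as in the article's sample, should be treated as an incident rather than a misconfiguration.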
This is unlikely to be the last time the Sofacy group launches an attack on the US government. Now that its attacks have grown more sophisticated, it is essential that all government employees continue to follow best practices when opening emails, and especially attachments, from unknown sources, no matter how official they may seem.
Image Credit: Andrea Izzotti / Shutterstock