APT28 Group Uses New Cannon Trojan in Spear Phishing Campaign Targeting US and EU Government Organizations

A new spear-phishing campaign is being carried out by the AP28 (Sofacy Group/Fancy Bear/Sednit) on government agencies in the United States, Europe, and a former USSR state using the earlier unidentified Cannon Trojan. The campaign was noticed by Palo Alto Networks’ Unit 42 team and was first known in late October.

The campaign is being carried out through spam electronic mail and uses weaponizedWord document to deliver two malware variations. The first, the Zebrocy Trojan, has been used by APT28 in earlier campaigns and was first identified in 2015. The main purpose of the Zebrocy Trojan is to provide access to an appliance and establish a link with a C2 server. It serves as a downloader and backdoor and is used to send more malevolent payloads to systems of interest to the group.

Unit 42 scientists also recognized a second Trojan. A new malware variation named the CannonTrojan. Although Zebrocy uses HTTP/HTTPS for its C2 communications, the CannonTrojan uses electronic mail. Electronic mail is supposed to be used to reduce the possibility of detection.

The CannonTrojan is used to collect system information. That information, together with screenshots, are sent back to APT28 through electronic mail. If the target is of importance, the Cannon Trojan can download extra malevolent code.

One of the electronic mail campaigns uses the current Lion Air plane accident as the attraction to get users to open the malevolent Word document. The document name is CrashList (Lion Air Boeing 737).docx. If the user opens the document, Word tries to download a distant template that contains the malevolent macro.

attraction to the document, the user is presented with a message stating the document has been generated using an earlier type of Word. The user should click onEnable Content to show the matters of the file. The macro will only be and is a link to its C2 exists. If no link is available, the macro will not run.

If attraction to a C2 link, the macro is launched. At this phase, most malevolent documents then download the payload. Nevertheless, this campaign uses the AutoClosefunction to delay complete execution of the malevolent code. It’s when and is closes the document that the macro will complete and the payload will be downloaded.

The CannonTrojan and a message over SMTPS to one electronic mail account hosted by Czech electronic mail service provider Seznam then communicates the electronic additional attacker-controlled electronic mail accounts over POP3S, scientists also it gets its commands. Because of the level of encryption delivered by both SMTPS and POP3S, the C2 channel is tough to obstruct.