The Sofacy Group (aka APT28, Fancy Bear, STRONTIUM, Sednit, Tsar Team, Pawn Storm), a well-known Advanced Persistent Threat (APT) actor, remains an active global threat.
Unit 42 observed several attacks leveraging the Zebrocy tool. Zebrocy is delivered primarily via phishing attacks that contain malicious Microsoft Office documents with macros as well as simple executable file attachments.
In contrast to previous attacks from the same group (seen in February and March of 2018), this attack targets far more users than usual. The targeted individuals did not follow any significant pattern, and their email addresses could be found easily using web search engines.
In addition to the large number of Zebrocy attacks, Unit 42 researchers also observed instances of the Sofacy Group leveraging the Dynamic Data Exchange (DDE) exploit technique previously documented by McAfee. The DDE technique was used to deliver payloads such as the Zebrocy backdoor and the open-source penetration testing toolkit Koadic.
This is the first time that Unit 42 has observed them leveraging the Koadic toolkit.
Palo Alto Networks customers are protected from Zebrocy and Koadic attacks by:
All known Zebrocy samples have a malicious verdict in WildFire
AutoFocus customers can track this campaign with the following Tags: