UPDATED 09:00 EDT / NOVEMBER 20 2018

Difficult-to-detect hacking campaign targets governments across the globe

A new report from Palo Alto Networks Inc.’s Unit 42 today detailed a new hacking campaign from the Sofacy Group that employs a series of weaponized documents to target government entities around the globe, including the U.S., Europe and the former Eastern Bloc.

First detected in late October, the weaponized documents load remote templates containing a malicious macro, usually via a Microsoft Word document. Once opened, the macro downloads malware payloads, including the Zebrocy Trojan previously linked to the Sofacy attack group, as well as a newly identified trojan dubbed “Cannon.”

One document the researchers singled out as interesting used the name “crash list(Lion Air Boeing 737).docx,” referring to the crash of Lion Air Flight 610, which went down outside Jakarta, Indonesia, on Oct. 29.

“This is not the first instance of an adversary group using recent current events as a lure, but it is interesting to see this group attempt to capitalize on the attention of a catastrophic event to execute their attack,” the researchers noted.

Another document appears to target a government organization dealing with foreign affairs in Europe via spear-phishing, which involves sending emails from an ostensible acquaintance to get people to reveal confidential information. Once the user attempts to open the document, Microsoft Word immediately attempts to load the remote template containing the malicious macro and payload from a location specified in the document.
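The remote-template technique the article describes leaves a tell in the document itself: a `.docx` that pulls its template from elsewhere carries an `attachedTemplate` relationship with `TargetMode="External"` in `word/_rels/settings.xml.rels`, pointing at the remote location. The scanner below, added here as a defender's example and not code from the article or from Unit 42, unpacks a `.docx` (a ZIP container) and flags any external template target that points at a network or UNC location. The sample documents it builds, and the `template-host.example` URL in them, are constructed for the example.

```python
import io
import re
import sys
import zipfile
import xml.etree.ElementTree as ET

# OOXML namespaces and relationship type for an attached (remote) template.
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = (
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
)
RELS_PATH = "word/_rels/settings.xml.rels"

# Targets that mean "fetch the template over the network": http(s), ftp, file URLs, UNC paths.
REMOTE_TARGET = re.compile(r"^(https?|ftp|file)://|^\\\\", re.IGNORECASE)


def find_remote_templates(docx_bytes: bytes) -> list:
    """Return the external attachedTemplate targets referenced by a .docx.

    An empty list means the document does not ask Word to load a template
    from a remote location; a non-empty list is worth a closer look.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        if RELS_PATH not in z.namelist():
            return hits  # no settings relationships at all, so no attached template
        root = ET.fromstring(z.read(RELS_PATH))
        for rel in root.iter(f"{{{REL_NS}}}Relationship"):
            if rel.get("Type") != ATTACHED_TEMPLATE:
                continue
            target = rel.get("Target", "")
            # Only an External target that resolves over the network is suspicious;
            # a locally attached Normal.dotm is ordinary Word behaviour.
            if rel.get("TargetMode") == "External" and REMOTE_TARGET.match(target):
                hits.append(target)
    return hits


def build_docx(template_target=None) -> bytes:
    """Constructed minimal .docx for the example (not a real Word file).

    If template_target is given, an external attachedTemplate relationship is
    added, mirroring what a remote-template document carries.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/settings.xml", "<w:settings/>")
        if template_target:
            rels = (
                f'<Relationships xmlns="{REL_NS}">'
                f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
                f'Target="{template_target}" TargetMode="External"/>'
                "</Relationships>"
            )
            z.writestr(RELS_PATH, rels)
    return buf.getvalue()


def scan_file(path: str) -> list:
    """Read a .docx from disk and return its remote template targets."""
    with open(path, "rb") as fh:
        return find_remote_templates(fh.read())


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for p in sys.argv[1:]:
            print(p, scan_file(p))
    else:
        # Constructed samples: a plain document and one with a remote template reference.
        print("plain:", find_remote_templates(build_docx()))
        print("remote:", find_remote_templates(
            build_docx("http://template-host.example/report.dotm")))
```

Run it as `python scan_docx.py suspicious.docx` to list any remote template targets, or with no arguments to see it classify the two constructed samples. The check is deliberately narrow: it reports only external targets that resolve over the network or a UNC path, so a template attached from the local file system is not flagged, and the remote file itself is never fetched.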

Once installed, the Zebrocy Trojan gathers system-specific information, which it sends to the command-and-control server via an HTTP POST request to the given URL. Like other Zebrocy samples, this trojan collects system-specific information and a screenshot of the victim host as a JPEG image.

Cannon, the second trojan loaded, functions primarily as a downloader that relies on emails to communicate between the trojan and the C&C server. “The overall purpose of Cannon is to use several email accounts to send system data (system information and screenshot) to the threat actors and to ultimately obtain a payload from an email from the actors,” the researchers noted.

The researchers concluded that the Sofacy threat group is once again targeting government organizations in the E.U., the U.S. and former Soviet states with a payload designed in a way that increases the difficulty of detection. That’s why it’s important that those organizations take preventive measures to minimize the chance of data theft, researchers said.

More details on the attack and ways to prevent it can be obtained from Unit 42.

Photo: 22174859@N00/Flickr
