APT28 Hackers Spreads Malware into NYC Terror Attack Documents

Latest APT28 Malware Uses Microsoft Office DDE Vulnerability

APT28 hackers image

The APT28 hacking group, also known as Fancy Bear, has initiated a global attack campaign using infected documents that refer to the recent terrorist attacks in New York. The criminal collective is using a recent vulnerability affecting a component of Microsoft Office products called DDE (Dynamic Data Exchange).

APT28 Hacker Campaign Takes Advantage of the NYC Terror Attacks

Computer security researchers uncovered a new global campaign operated by the APt28 hacking group. This criminal collective is widely known for having a very deep understanding of cybersecurity and has made headlines numerous times. One of their most famous breaches is an an intrusion last year in the Democratic National Committee following the American presidential elections.

This time the group is using the strategy of creating large sets of email messages that are sent to the victims. They feature social engineering tactics which manipulate the victims into interacting with them. Providing documents or files of interest to the victims is one of the most widely used and dangerous methods of instituting malware.

It is believed that the messages may have recently been sent to military personnel in France or Germany. This is based on several sightings of similar activity by the group according to security reports done by specialists that track their movement. At the moment the available information shows that the current targets are European users. The researchers point ut that the document “theme” from a recent malware campaign is called “SabreGuardian” which is a direct reference to operations of the American army in Europe.

APT28 seems to be employing the strategy of taking advantage of breaking news and stories that have a large impact. The campaign that has the latest concerns uses titles that refer to the recent terrorist attacks in New York City. The fact that they have been sent to people in Europe shows that it is possible that the hackers pretend to be a news source, informant or another type of provider.

The researchers note that the messages use various titles and addresses to fool the targets into opening them. Surprisingly the body text is empty and the targets will find documents of different types attached directly. They may be either rich text documents, presentations, spreadsheets or another popular file. If they continue further with interaction a dangerous viral infection follows.

Related Story: Old Microsoft Office Feature Can Be Used to Launch Virus Attacks

APT28 Malware Leverahes Microsoft Office DDE Vulnerability

APT28 uses an old Microsoft Office feature called Dynamic Data Exchange (DDE) which is still being utilized by parts of the suite. While many newer technology implementations have since become the standard, the DDE module is still retained and active by default even on the newer Microsoft Office releases. It has originally been used by the company to allow its users to easily place data from one document to another via code injection. This is a very useful component when it comes to dynamically updating data fields in documents located on a network share.

As convenient as it may sound, the DDE feature can easily be abused by the criminals to launch scripts and commands on the victim computer. Last year another criminal group utilized a DDE attack which not only resulted in a successful intrusion, but also bypassed anti-virus protection mechanism. This is done through PowerShell scripts which allow the attackers to execute arbitrary code placed by the hackers.

The sighted APT28 attacks are successful even if the macros are disabled. The primary malicious document which is being sent to the targets is called “IsisAttackInNewYork.docx” and its date of creation is 2017-10-27T22:23:00Z. Once the victims open it a series of dangerous commands follows.

  1. Initial Malware Deployment ‒ The first action downloads the Seduploader malware from a remote location. This is a hacker-controlled server which can host a multitude of threats that can be dynamically altered depending on the intended goals.
  2. The dangerous component is a first-stage reconnaissance tool which is able to extract a multitude of data from the victim machines. Profiling the machines is an important step which is able to categorize the targets by the system.
  3. Further Malware Infection ‒ Depending on the results and the built-in instructions the machines can be infected with different threats.

As it seems the APT28 hacking group is using a rather sophisticated approach by combining a pervasive infection methodology, proven social engineering tricks and an array of different malware strains as a result of the intrusion.

Impact and Consequences of the APT28 Malware Campaign

The APT28 hackers distribute the dangerous files targeting not just end users, but also sensitive personnel. The security researchers note that while the current campaign is probably targeting military officers in Europe at the same time the attacks can be employed against corporate users. Such strategies are widely used against end users when implanting advanced forms of ransomware.

The dangerous consequences that are related to the made intrusions is that it it is speculated that sensitive networks have been impacted. Furthermore the dynamic code allows for the hacker operators to either automatically or manually selecting the most appropriate malware. Combined with the fact that the initial infection extracts a lot of detailed information on the compromised machine, as well as the network.

We strongly recommend that all users employ a quality anti-spyware solution. It is able to remove active infections of all kinds of viruses, Trojans and browser hijackers and delete them via a few mouse clicks.

Download

Malware Removal Tool


Spy Hunter scanner will only detect the threat. If you want the threat to be automatically removed, you need to purchase the full version of the anti-malware tool.Find Out More About SpyHunter Anti-Malware Tool / How to Uninstall SpyHunter

Martin Beltov

Martin graduated with a degree in Publishing from Sofia University. As a cyber security enthusiast he enjoys writing about the latest threats and mechanisms of intrusion.

More Posts

Follow Me:
TwitterGoogle Plus

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Loading...
Share on Twitter Tweet
Loading...
Share on Google Plus Share
Loading...
Share on Linkedin Share
Loading...
Share on Digg Share
Share on Reddit Share
Loading...
Share on Stumbleupon Share
Loading...