APT28 Group Uses New Cannon Trojan in Spear Phishing Campaign Targeting US and EU Government Organizations

A new spear-phishing campaign is being carried out by the AP28 (Sofacy Group/Fancy Bear/Sednit) on government agencies in the United States, Europe, and a former USSR state using the earlier unidentified Cannon Trojan. The campaign was noticed by Palo Alto Networks’ Unit 42 team and was first known in late October.

The campaign is being carried out through spam electronic mail and uses weaponized Word document to deliver two malware variations. The first, the Zebrocy Trojan, has been used by APT28 in earlier campaigns and was first identified in 2015. The main purpose of the Zebrocy Trojan is to provide access to an appliance and establish a link with a C2 server. It serves as a downloader and backdoor and is used to send more malevolent payloads to systems of interest to the group.

Unit 42 scientists also identified a second Trojan. A new malware variation named the Cannon Trojan. Although Zebrocy uses HTTP/HTTPS for its C2 communications, the Cannon Trojan uses electronic mail. Electronic mail is supposed to be used to reduce the possibility of detection.

The Cannon Trojan is used to collect system information. That information, together with screenshots, are sent back to APT28 through electronic mail. If the target is of importance, the Cannon Trojan can download extra malevolent code.

One of the electronic mail campaigns uses the current Lion Air plane accident as the attraction to get users to open the malevolent Word document. The document name is Crash List (Lion Air Boeing 737).docx. If the user opens the document, Word tries to download a distant template that contains the malevolent macro.

Upon opening the document, the user is presented with a message stating the document has been generated using an earlier type of Word. The user should click on Enable Content to show the matters of the file. The macro will only be loaded if a link to its C2 exists. If no link is available, the macro will not run.

Provided there is a C2 link, the macro is launched. At this phase, most malevolent documents then download the payload. Nevertheless, this campaign uses the AutoClose function to delay the complete execution of the malevolent code. It’s only when the user closes the document that the macro will complete and the payload will be downloaded.

The CannonTrojan initially sends a message over SMTPS to one electronic mail account hosted by Czech electronic mail service provider Seznam then communicates with two additional attacker-controlled electronic mail accounts over POP3S, through which it gets its commands. Because of the level of encryption delivered by both SMTPS and POP3S, the C2 channel is tough to obstruct.