Fancy Bear Found to be Utilizing New Malware

A new trojan, dubbed Cannon, has been observed from late October through the first half of November in a spear-phishing campaign run by Fancy Bear. The Cannon Trojan is delivered to target systems through weaponized Word documents that trick the user into allowing malicious macros to run. So far, the campaign has targeted government organizations in North America, Europe, and a currently unnamed former Soviet state. The group is using current events as a lure: the Word document is titled “crash list (Lion Air Boeing 737).docx”, referencing the Lion Air crash in the Java Sea on October 29th of this year. If the trojan's C2 server is unavailable, the trojan will not launch. If the server is available when the Word document is opened, Word displays a message stating that the document was created with an older version of Word and asks the user to enable content in order to view it. Enabling content does not fully execute the malicious macro, however: the trojan also uses Word's auto-close function as an anti-analysis measure, deferring some of its code until just before Word exits so that any automated sandbox present on the system is less likely to detect it. The trojan also uses email for sending and receiving its communications, which decreases the likelihood of detection. Palo Alto listed the 16 steps the trojan goes through as it communicates with the attackers.

  1. Cannon gathers system information and saves it to a file named i.ini. The Trojan sends an email to sahro.bella7[at]post.cz with i.ini as the attachment, S_inf within the body and a subject with a unique system identifier via SMTPS from one of the following accounts:
    • Bishtr.cam47
    • Lobrek.chizh
    • Cervot.woprov
  2. Cannon takes a screenshot and saves it to a file named sysscr.ops. The Trojan sends an email to sahro.bella7[at]post.cz with sysscr.ops as the attachment, the string SCreen within the body and a subject with the unique system identifier via SMTPS from one of the three previously used accounts.
  3. The actors likely log into sahro.bella7[at]post.cz and process the system information and screenshot sent by the Trojan to determine if the compromised host is of interest. If the actor wishes to download an additional payload to the compromised host, they will respond by sending emails in the following steps.
  4. The actor sends an email to trala.cosh2[at]post.cz with the unique system identifier as a subject with a secondary email account and credentials in ASCII hexadecimal format within the message body. This secondary email account is unknown at this time, so we will refer to it as “secondary email account” in future steps.
  5. The actor sends an email to the secondary email account with the unique system identifier as a subject and a secondary payload attached with a filename of auddevc.txt.
  6. Cannon logs into the trala.cosh2[at]post.cz account via POP3S looking for emails with a subject that matches the unique system identifier. Cannon opens the email with the correct subject and decodes the hexadecimal data in the body of the message to obtain the secondary email account.
  7. Cannon acknowledges the receipt of the secondary email address by sending an email to sahro.bella7[at]post.cz with s.txt (contains {SysPar = 65} string) as the attachment, ok within the body and a subject with the unique system identifier via SMTPS from one of the three accounts from Step 1.
  8. The actor sends an email to trala.cosh2[at]post.cz with the unique system identifier as a subject with a file path that the Cannon Trojan will use to save the secondary payload.
  9. Cannon logs into the secondary email account via POP3S looking for emails with a subject that matches the unique system identifier. Cannon opens the email with the correct subject and saves the attachment named auddevc.txt.
  10. Cannon acknowledges the receipt of the file download by sending an email to sahro.bella7[at]post.cz with l.txt (contains 090 string) as the attachment, ok2 within the body and a subject with the unique system identifier via SMTPS from one of the three accounts from Step 1.
  11. Cannon logs into the trala.cosh2[at]post.cz account via POP3S looking for emails with a subject that matches the unique system identifier. Cannon opens the email with the correct subject and decodes the hexadecimal data in the body of the message to obtain the file path that it will use to move the downloaded auddevc.txt file.
  12. Cannon acknowledges the receipt of file path by sending an email to sahro.bella7[at]post.cz with s.txt (contains {SysPar = 65} string) as the attachment, ok3 within the body and a subject with the unique system identifier via SMTPS from one of the three accounts from Step 1.
  13. Cannon moves the downloaded file to the specified path.
  14. Cannon acknowledges the successful move by sending an email to sahro.bella7[at]post.cz with l.txt (contains 090 string) as the attachment, ok4 within the body and a subject with the unique system identifier via SMTPS from one of the three accounts from Step 1.
  15. Cannon runs the downloaded file from the specified path.
  16. Cannon acknowledges the successful execution by sending an email to sahro.bella7[at]post.cz with s.txt (contains {SysPar = 65} string) as the attachment, ok5 within the body and a subject with the unique system identifier via SMTPS from one of the three accounts from Step 1.
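The beaconing sequence above gives defenders a mail-gateway-side detection opportunity: every beacon goes to the same drop account with a fixed attachment name and a fixed body marker, and the tasking bodies are plain ASCII hex. The following is an added example, not the blog's or Palo Alto's code, that reconstructs the per-host stage timeline from constructed, hypothetical gateway records; the JSON record shape, its field names, the SYSID value and the hex-encoded account are assumptions.

```python
"""Triage helper for the Cannon e-mail C2 sequence described above.
Added example, not Palo Alto's or the blog's code; the log format is a
constructed, hypothetical mail-gateway export (one JSON object per line)."""
import json
from collections import defaultdict

# Indicators taken from the 16-step description: body marker -> stage label
BODY_STAGES = {"S_inf": "1:sysinfo", "SCreen": "2:screenshot",
               "ok": "7:got-2nd-account", "ok2": "10:got-payload",
               "ok3": "12:got-path", "ok4": "14:moved", "ok5": "16:executed"}
ATTACHMENTS = {"i.ini", "sysscr.ops", "s.txt", "l.txt"}
DROP_ACCOUNT = "sahro.bella7@post.cz"      # receives the beacons (steps 1-16)
TASKING_ACCOUNT = "trala.cosh2@post.cz"    # receives hex tasking (steps 4, 8)

def decode_hex_tasking(body):
    """Steps 4/6: tasking bodies are ASCII hex; return decoded text or None."""
    cleaned = "".join(body.split())
    if len(cleaned) < 2 or len(cleaned) % 2:
        return None
    try:
        return bytes.fromhex(cleaned).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None

def classify(msg):
    """Map one message record to a Cannon stage label, or None if benign."""
    if msg["to"] == DROP_ACCOUNT and msg.get("attachment") in ATTACHMENTS:
        return BODY_STAGES.get(msg["body"].strip())
    if msg["to"] == TASKING_ACCOUNT and decode_hex_tasking(msg["body"]):
        return "4/8:hex-tasking"
    return None

def reconstruct(lines):
    """Group matched messages by subject, i.e. by the unique system identifier."""
    timeline = defaultdict(list)
    for line in lines:
        msg = json.loads(line)
        stage = classify(msg)
        if stage:
            timeline[msg["subject"]].append(stage)
    return dict(timeline)

SAMPLE_LOG = [  # constructed records; the hex body decodes to a made-up account
    '{"to": "sahro.bella7@post.cz", "subject": "SYSID-CONSTRUCTED-01", "body": "S_inf", "attachment": "i.ini"}',
    '{"to": "sahro.bella7@post.cz", "subject": "SYSID-CONSTRUCTED-01", "body": "SCreen", "attachment": "sysscr.ops"}',
    '{"to": "trala.cosh2@post.cz", "subject": "SYSID-CONSTRUCTED-01", "body": "6d626f78406578616d706c652e74657374", "attachment": null}',
    '{"to": "sahro.bella7@post.cz", "subject": "SYSID-CONSTRUCTED-01", "body": "ok", "attachment": "s.txt"}',
    '{"to": "hr@example.test", "subject": "Lunch", "body": "ok", "attachment": null}',
]
```

Run `reconstruct(SAMPLE_LOG)` to get one stage list per system identifier; a host that reaches `7:got-2nd-account` or later has already been tasked by the operators.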

Analyst Notes

No obfuscation was seen in the coding of this malware which could possibly indicate that the group was attempting to get the malware released quickly after the crash of the Lion Air 737. It is not uncommon for attackers to utilize significant world events when carrying out targeted attacks of this kind. The first instances of the Cannon Trojan were seen almost immediately following the attack which could indicate that the group possibly forewent