Fancy Bear uses Adobe Flash vulnerability to attack European government agencies

Fancy Bear

Unit 42, the threat intelligence unit of the security company Palo Alto Networks, said last week that on March 12th and March 14th it observed the Russian hacking group Fancy Bear (also known as Sofacy, Sednit, STRONTIUM, or APT28) attacking European government agencies. As in previous attacks, the group still uses the Flash exploit framework DealersChoice, but this time it uses an updated version.

As early as October 2016, Unit 42 published an initial analysis of the DealersChoice exploit framework used by Fancy Bear. In the campaign at that time, Unit 42 found Rich Text Format (RTF) documents containing an embedded OLE Word document, which in turn contained an embedded Adobe Flash (.SWF) file. This showed that the group's aim was to exploit Flash vulnerabilities rather than Microsoft Word vulnerabilities.

Unit 42 said that the new DealersChoice variant found this time uses a similar technique, fetching the malicious Flash object from the C2 server, but the internal mechanism of the Flash object differs significantly from the original sample analyzed.

One of the differences is a particularly clever evasion technique that had not been seen before. In previous versions of DealersChoice, once the victim opened the lure document, its embedded Flash object loaded immediately and began its malicious task. In the recent campaign, however, the Flash object is only loaded when the victim scrolls to the specific page of the document in which the Flash object is embedded. In addition, the new DealersChoice needs multiple interactions with the C2 server before it can successfully exploit the end system.

Specifically, for the new DealersChoice attack to succeed, all of the following conditions must be met:

    1. User must open the Microsoft Word email attachment
    2. User must scroll to page three of the document, which will run the DealersChoice Flash object
    3. The Flash object must contact an active C2 server to download an additional Flash object containing exploit code
    4. The initial Flash object must contact the same C2 server to download a secondary payload
    5. Victim host must have a vulnerable version of Flash installed

As mentioned at the beginning of the article, the new attacks targeted European government agencies. The spear-phishing e-mail uses the theme “National Defense and Security 2018 Conference Agenda”, and the attached decoy file is called “Defense & Security 2018 Conference Agenda.docx”.

A Flash object containing ActionScript is embedded on the third page of the document and is used to install the malicious payload on the victim's system. The Flash object appears in the document as a small black box, easily dismissed at a glance as a stray black dot. According to Unit 42, this is an anti-sandbox technique, because it requires human interaction before the document shows any malicious activity.
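Because the Flash object only runs once the reader reaches page three, a sandbox that merely opens the document may never see it execute. A static check does not depend on that interaction: both the 2016 RTF/OLE form and the current DOCX form described above carry a SWF file inside the document, and a SWF starts with one of three fixed signatures (FWS, CWS or ZWS) followed by a version byte and a little-endian length. The scanner below is an added example and is not code from Unit 42 or Palo Alto Networks. It unpacks a DOCX (an OOXML zip) and scans each part for SWF headers, scans raw RTF/OLE blobs the same way, and additionally flags OOXML parts that reference the Shockwave Flash ActiveX CLSID. The `build_sample_docx` helper constructs a minimal document with a fake (inert) SWF header purely so the example runs offline; the part names and sample values are assumptions, not artifacts from the campaign.

```python
"""
Defensive scanner for Word documents carrying embedded Flash (SWF) objects.
Added example; not Unit 42 / Palo Alto Networks code. Sample input is constructed.
"""
import io
import struct
import zipfile

# SWF signatures: FWS (uncompressed), CWS (zlib-compressed), ZWS (LZMA-compressed)
SWF_MAGICS = (b"FWS", b"CWS", b"ZWS")
# CLSID of the Shockwave Flash ActiveX control as referenced from OOXML activeX parts
FLASH_CLSID = "D27CDB6E-AE6D-11CF-96B8-444553540000"


def find_swf_headers(data: bytes) -> list:
    """Return plausible SWF headers found anywhere in data (offset, signature, version, length)."""
    hits = []
    for magic in SWF_MAGICS:
        pos = data.find(magic)
        while pos != -1:
            if pos + 8 <= len(data):
                version = data[pos + 3]
                declared_len = struct.unpack_from("<I", data, pos + 4)[0]
                # Plausibility check so random "FWS"/"CWS" byte runs are not reported
                if 1 <= version <= 60 and 8 < declared_len <= 64 * 1024 * 1024:
                    hits.append({"offset": pos, "signature": magic.decode(),
                                 "version": version, "declared_length": declared_len})
            pos = data.find(magic, pos + 1)
    return sorted(hits, key=lambda h: h["offset"])


def scan_document(data: bytes) -> list:
    """Scan a DOCX (zip container) or a raw RTF/OLE blob for embedded-Flash indicators."""
    findings = []
    if data[:2] == b"PK":  # OOXML package
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for name in zf.namelist():
                blob = zf.read(name)  # decompressed part content
                if name.endswith(".xml") and FLASH_CLSID.lower() in blob.decode("utf-8", "replace").lower():
                    findings.append({"part": name, "indicator": "flash-activex-clsid"})
                for hit in find_swf_headers(blob):
                    findings.append({"part": name, "indicator": "swf-header", **hit})
    else:  # RTF, OLE or anything else: scan the raw bytes (RTF hex-encodes objects,
        #   so a production scanner would also decode \objdata; omitted here)
        for hit in find_swf_headers(data):
            findings.append({"part": "<raw>", "indicator": "swf-header", **hit})
    return findings


def build_sample_docx() -> bytes:
    """Constructed minimal DOCX with an inert fake SWF header and a Flash ActiveX reference."""
    fake_swf = b"FWS" + bytes([10]) + struct.pack("<I", 64) + b"\x00" * 56  # 64 bytes total
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/activeX/activeX1.xml", f'<ax:ocx ax:classid="{{{FLASH_CLSID}}}"/>')
        zf.writestr("word/embeddings/oleObject1.bin", fake_swf)
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_document(build_sample_docx()):
        print(finding)
```

Run as a script it prints two findings for the constructed sample: the ActiveX CLSID reference in `word/activeX/activeX1.xml` and the SWF header in `word/embeddings/oleObject1.bin`. The check is content-based, so it is unaffected by which page the object sits on or whether the document was ever rendered, which is exactly the gap the scroll-to-page-three trick exploits in dynamic analysis.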

In addition, the ActionScript in question appears to be derived from an open-source video player called “f4player”. The player is freely available on GitHub and is very small, only 10 KB (including skin files).

In any case, Fancy Bear clearly still uses DealersChoice as its main attack weapon. Although the internal structure of the malicious scripts has been modified, the group still fetches the malicious Flash object and payload directly from the C2 server; this has not changed.

Unlike previous campaigns, the new DealersChoice uses a DOCX file as the lure document, adds a mechanism that requires the victim to scroll to a specific page of the document before the malicious Flash object is triggered, and adds anti-sandbox techniques that depend on user interaction. This is behavior not previously seen from Fancy Bear. It also shows that although the group still relies on mature attack techniques, it is making changes to increase its success rate.

Source, Image: paloaltonetworks