New Sofacy attacks against US government agency

15 Jun 16

Article by Robert Falcone and Bryan Lee, Palo Alto Networks analysts

The Sofacy group, also known as APT28, is a well-known threat group that frequently conducts cyber espionage campaigns. Recently, Unit 42 identified a spear phishing e-mail from the Sofacy group that targeted the United States government. The e-mail was sent from a potentially compromised account belonging to the Ministry of Foreign Affairs of another government entity and carried the Carberp variant of the Sofacy Trojan. The developer implemented a clever persistence mechanism in the Trojan, one which had not been observed in previous attacks.

The Delivery

Analysis of the attack revealed a high likelihood that the sender’s email address was not spoofed and is instead a result of a compromised host or account belonging to that Ministry.

The targeted email had a subject of “FW: Exercise Noble Partner 2016”, which is a reference to a joint NATO training effort between the United States and Georgia. The email contained an RTF file as an attachment, with the filename “Exercise_Noble_Partner_16.rtf,” reflecting the same training exercise.

The RTF file is a weaponized document that attempts to exploit CVE-2015-1641 to drop two files to the system, specifically, “btecache.dll” and “svchost.dll”. The “btecache.dll” file is a Trojan that loads and executes “svchost.dll”, which is a Carberp variant of the Sofacy Trojan. Surprisingly, unlike many other espionage actors who display decoy documents after successful exploitation, this RTF document does not drop or open a decoy document after exploiting the vulnerability.

In the installation process, we observed the delivery document creating a very interesting registry key that it uses for persistence to run the Trojan. The path to the “btecache.dll” file is added to the following registry key:

Software\Microsoft\Office test\Special\Perf\: “C:\Users\[username]\AppData\Roaming\btecache.dll”

This registry key is interesting, because unlike traditional methods of maintaining persistence, it does not automatically run the “btecache.dll” file at system start up. Instead, this registry key will cause the DLL to load only when the user opens any Microsoft Office application, such as Word or Excel. An added benefit for the threat actor to using this specific tactic for persistence is that it requires user interaction to load and execute the malicious payload, which can cause challenges for detection in automated sandboxes.
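A hunting check for this load point, added here as an example and not taken from the article: it enumerates the “Office test\Special\Perf” key in HKLM and in every loaded user hive, reports any value stored there, and flags the “btecache.dll” filename from this campaign. The HKLM and WOW6432Node locations are an assumption about where else the key could be placed; the article itself only shows the per-user path.

```powershell
# Added hunting script (not part of the Unit 42 article): look for the
# "Office test" load point described above on a Windows host.
# Run from an elevated PowerShell so HKLM and other users' hives are readable.

$subKey = 'Software\Microsoft\Office test\Special\Perf'

# Candidate locations: HKLM (native and 32-bit views; assumed, not from the
# article) plus every user hive currently loaded under HKU, so the check is
# not limited to the logged-on user.
$candidates = @(
    "Registry::HKEY_LOCAL_MACHINE\$subKey",
    "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Office test\Special\Perf"
)
foreach ($hive in Get-ChildItem -Path 'Registry::HKEY_USERS') {
    $candidates += "Registry::HKEY_USERS\$($hive.PSChildName)\$subKey"
}

$findings = foreach ($key in $candidates) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $props = Get-ItemProperty -LiteralPath $key
    # The article shows the DLL path stored as the key's default value;
    # every other value name is reported too in case the entry was renamed.
    foreach ($name in $props.PSObject.Properties.Name) {
        if ($name -like 'PS*') { continue }          # skip provider metadata
        $data = [string]$props.$name
        $note = if ($data -match '\\btecache\.dll$') {
            'filename matches the Sofacy Carberp loader'
        } else {
            'key is normally absent; any DLL here loads into every Office app'
        }
        [pscustomobject]@{ Key = $key; ValueName = $name; Data = $data; Note = $note }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    Write-Output "No 'Office test\Special\Perf' keys found."
}
```

Because the key does not exist on a clean install, any hit is worth investigating even when the filename differs from the one reported here.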

The Carberp variant of Sofacy

The “btecache.dll” file is the loader Trojan that is responsible for loading the “svchost.dll” DLL and executing it. Both the “btecache.dll” and “svchost.dll” files contain code from the leaked Carberp source code, specifically the API resolution functions, as well as the RC2 key. The Sofacy group has used the Carberp source code in the past, specifically discussed in a blog by F-Secure, which is the reason we call this Trojan the Carberp variant.

The Trojan delivered in this attack contains two network locations that it will send network beacons to, specifically “” and “”. These beacons are sent to the legitimate website as an attempt to hide the true C2 beacons sent to the actual C2 server hosted at  The network beacons are sent using HTTP POST requests with URLs created largely with random characters.

The clear text of the data sent in the network beacons contains information regarding the compromised system, as well as malware-specific information. The data is comprised of the following fields of data:

id = The serial number of the storage device

w = This parameter (whose name ‘w’ could change to any character between samples) begins with a one byte value denoting the OS version followed by a one byte value for the CPU architecture. These values are immediately followed by a new line delimited list of running processes on the system.

disk = The name of the system’s hard drive, obtained from the registry key “SYSTEM\CurrentControlSet\Services\Disk\Enum\0”

build = The hardcoded build identifier for the Trojan version

inject = If the Trojan injected its code into other processes to interact with the C2 server

This callback data allows the threat actors to determine if the infected machine is a target of interest, as the beacon contains a list of running processes and the name of the storage device that could be used to filter out analysis systems or researchers. If the actors believe the system is of interest, they will respond to these network beacons to download and execute additional secondary payloads on the system. The Trojan parses the response to the beacons for two actions “Execute” and “Delete” between the tags “[file]” and “[/file]”, as well as settings labeled “FileName”, “PathToSave”, “Rundll” and “IP” between the tags “[settings]” and “[/settings]”. This allows the threat actors to download additional files to the system, execute both executables and DLLs and delete files.
The Sofacy group continues its attack campaigns on government organizations, specifically the U.S. government in this latest spear-phishing example. The threat group added a new persistence mechanism that requires user interaction by loading its payload into Microsoft Office applications when opened, which may help the actors to evade detection. The use of this new persistence method shows the continued development of tactics and techniques employed by this threat group, oftentimes in clever ways as we observed in this instance.

Palo Alto Networks customers are protected from the new Sofacy Carberp variant.
