The Sofacy group, also known as APT28, is a well-known threat group that frequently conducts cyber espionage campaigns. Recently, Unit 42 identified a spear phishing e-mail from the Sofacy group that targeted the United States government. The e-mail was sent from a potentially compromised account belonging to the Ministry of Foreign Affairs of another government entity and carried the Carberp variant of the Sofacy Trojan. The developer implemented a clever persistence mechanism in the Trojan, one which had not been observed in previous attacks.
Analysis of the attack revealed a high likelihood that the sender's email address was not spoofed and is instead the result of a compromised host or account belonging to that Ministry.
The targeted email had a subject of “FW: Exercise Noble Partner 2016”, which is a reference to a joint NATO training effort between the United States and Georgia. The email contained an RTF file as an attachment, with the filename “Exercise_Noble_Partner_16.rtf,” reflecting the same training exercise.
The RTF file is a weaponized document that attempts to exploit CVE-2015-1641 to drop two files to the system, specifically “btecache.dll” and “svchost.dll”. The “btecache.dll” file is a Trojan that loads and executes “svchost.dll”, which is a Carberp variant of the Sofacy Trojan. Surprisingly, unlike many other espionage actors who display decoy documents after successful exploitation, this RTF document does not drop or open a decoy document after exploiting the vulnerability.
In the installation process, we observed the delivery document creating a very interesting registry key that it uses for persistence to run the Trojan. The path to the “btecache.dll” file is added to the following registry key:
Software\Microsoft\Office test\Special\Perf\: “C:\Users\[username]\AppData\Roaming\btecache.dll”
This registry key is interesting because, unlike traditional methods of maintaining persistence, it does not automatically run the “btecache.dll” file at system startup. Instead, this registry key causes the DLL to load only when the user opens any Microsoft Office application, such as Word or Excel. An added benefit for the threat actor in using this specific tactic for persistence is that it requires user interaction to load and execute the malicious payload, which can cause challenges for detection in automated sandboxes.
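A host-side check for the persistence location described above, written as an added example for this article (it is not Unit 42's code and was not part of the original write-up). It reads the “Office test\Special\Perf” key in both the HKCU and HKLM hives, lists every value stored under it, and for each referenced DLL reports whether the file exists on disk and its SHA256 hash so it can be triaged. The sample's DLL path is stored as the key's value in the article; the function enumerates all value names rather than assuming which one is used.

```powershell
# Added example, not code from the Unit 42 article: audit the "Office test"
# registry path used for persistence by the Carberp variant of Sofacy.
# The key has no role on an ordinary workstation, so any hit deserves a look.

function Get-OfficeTestPersistence {
    [CmdletBinding()]
    param()

    # Both hives are checked; the article's sample wrote under the user's hive.
    $paths = @(
        'HKCU:\Software\Microsoft\Office test\Special\Perf',
        'HKLM:\Software\Microsoft\Office test\Special\Perf'
    )

    foreach ($path in $paths) {
        if (-not (Test-Path -LiteralPath $path)) { continue }

        # Get-Item on the registry provider returns a RegistryKey object.
        # GetValueNames() includes '' for the (Default) value when it is set.
        $item = Get-Item -LiteralPath $path
        foreach ($name in @($item.GetValueNames())) {
            $dll = [string]$item.GetValue($name)
            if ([string]::IsNullOrWhiteSpace($dll)) { continue }

            # Expand %APPDATA%-style references before looking for the file.
            $expanded = [Environment]::ExpandEnvironmentVariables($dll)
            $exists   = Test-Path -LiteralPath $expanded -PathType Leaf
            $hash     = if ($exists) {
                (Get-FileHash -LiteralPath $expanded -Algorithm SHA256).Hash
            } else { $null }

            [pscustomobject]@{
                Hive       = $item.PSDrive.Name
                Key        = $path
                ValueName  = if ($name -eq '') { '(Default)' } else { $name }
                DllPath    = $expanded
                FileExists = $exists
                SHA256     = $hash
            }
        }
    }
}

# Usage: run in the context of the user whose profile is being examined.
# No output means neither hive carries the key.
Get-OfficeTestPersistence | Format-List
```

Because the DLL only loads when an Office application starts, a missing file with the value still present is also worth recording: it shows the key was set even if the payload has since been removed.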
The Carberp variant of Sofacy
The “btecache.dll” file is the loader Trojan that is responsible for loading the “svchost.dll” DLL and executing it. Both the “btecache.dll” and “svchost.dll” files contain code from the leaked Carberp source code, specifically the API resolution functions, as well as the RC2 key. The Sofacy group has used the Carberp source code in the past, specifically discussed in a blog by F-Secure, which is the reason we call this Trojan the Carberp variant.
The Trojan delivered in this attack contains two network locations that it will send network beacons to, specifically “google.com” and “126.96.36.199”. These beacons are sent to the legitimate website google.com as an attempt to hide the true C2 beacons sent to the actual C2 server hosted at 188.8.131.52. The network beacons are sent using HTTP POST requests with URLs created largely with random characters.
The clear text of the data sent in the network beacons contains information regarding the compromised system, as well as malware-specific information. The data consists of the following fields:
id = The serial number of the storage device
w = This parameter (whose name “w” could change to any character between samples) begins with a one byte value denoting the OS version followed by a one byte value for the CPU architecture. These values are immediately followed by a new line delimited list of running processes on the system.
disk = The name of the system's hard drive, obtained from the registry key “SYSTEM\CurrentControlSet\Services\Disk\Enum\0”
build = The hardcoded build identifier for the Trojan version
inject = If the Trojan injected its code into other processes to interact with the C2 server
This callback data allows the threat actors to determine if the infected machine is a target of interest, as the beacon contains a list of running processes and the name of the storage device, either of which could be used to filter out analysis systems or researchers. If the actors believe the system is of interest, they will respond to these network beacons to download and execute additional secondary payloads on the system. The Trojan parses the response to the beacons for two actions, “Execute” and “Delete”, between the tags “[file]” and “[/file]”, as well as settings labeled “FileName”, “PathToSave”, “Rundll” and “IP” between the tags “[settings]” and “[/settings]”. This allows the threat actors to download additional files to the system, execute both executables and DLLs, and delete files.
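For analysts triaging a decrypted beacon response out of a sandbox or proxy capture, the following is an added example (not Unit 42's code) that splits the response into the action block and the settings block described above and flags anything outside the documented vocabulary. The article does not say how the settings are laid out inside the tags; the “Name=Value” line layout used here is an assumption for illustration, and the sample response is constructed, not captured traffic.

```powershell
# Added example, not code from the Unit 42 article. Parses a decrypted beacon
# response into the [file]...[/file] action and the [settings]...[/settings]
# block. ASSUMPTION: settings are "Name=Value" lines; the article does not
# specify the inner layout.

function ConvertFrom-BeaconResponse {
    param([Parameter(Mandatory)][string]$Text)

    $result = [ordered]@{ Action = $null; Settings = @{}; Anomalies = @() }

    # Only the two actions the article names are accepted; anything else is
    # reported rather than silently dropped, since it may mark a new variant.
    if ($Text -match '(?s)\[file\](.*?)\[/file\]') {
        $action = $Matches[1].Trim()
        if ($action -in @('Execute', 'Delete')) { $result.Action = $action }
        else { $result.Anomalies += "unknown action '$action'" }
    }

    # The four settings the article documents; unknown keys are flagged.
    $known = 'FileName', 'PathToSave', 'Rundll', 'IP'
    if ($Text -match '(?s)\[settings\](.*?)\[/settings\]') {
        foreach ($line in ($Matches[1] -split "`r?`n")) {
            if ($line.Trim() -eq '') { continue }
            $kv = $line -split '=', 2
            if ($kv.Count -ne 2) {
                $result.Anomalies += "unparsed line '$line'"
                continue
            }
            $k = $kv[0].Trim(); $v = $kv[1].Trim()
            if ($k -in $known) { $result.Settings[$k] = $v }
            else { $result.Anomalies += "unknown setting '$k'" }
        }
    }

    [pscustomobject]$result
}

# Constructed sample response in the assumed layout (placeholder C2 address).
$sample = @"
[file]
Execute
[/file]
[settings]
FileName=update.dll
PathToSave=%APPDATA%
Rundll=1
IP=<C2-IP-PLACEHOLDER>
[/settings]
"@

ConvertFrom-BeaconResponse -Text $sample | Format-List
```

The returned object carries the action, the recognised settings and an Anomalies list; a non-empty Anomalies list on a response that otherwise parses cleanly is the signal to pull the sample for manual review rather than trust the decoder's view of it.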
The Sofacy group continues its attack campaigns on government organizations, specifically the U.S. government in this latest spear-phishing example. The threat group added a new persistence mechanism that requires user interaction by loading its payload into Microsoft Office applications when they are opened, which may help the actors evade detection. The use of this new persistence method shows the continued development of tactics and techniques employed by this threat group, often in clever ways, as we observed in this instance.
Palo Alto Networks customers are protected from the new Sofacy Carberp variant.
Article by Robert Falcone and Bryan Lee, Palo Alto Networks analysts