A newly created malware variant, callede Cannon Trojan, is being used in focused attacks on government agencies in the United States and Europe. The new malware threat has been connected to a threat group known under many titles – APT28, Fancy Bear, Sofacy, Sednet, Strontium – that has links to the Russian government.

The Cannon Trojan is being used to gather data on potential targets, collatting system information and capturing screenshots that are sent back to APT28. The Cannon Trojan is also an installer capable of loading further malware variants onto a compromised system.

The new malware threat is stealthy and uses a range of tricks to avoid detection and hide communications with its C2. Rather than communicating over HTTP/HTTPS, like other malware variants used by APT28, the Cannon Trojan communicates through email over SMTPs and POP3S.

Once downloaded, an email is shared through SMTPS through port 465 and another two email addresses are obtained through which the malware communicates with its C2 using the POP3S protocol to receive instructions and share back data. While the use of email for communicating with a C2 is not unknown, it is relatively unusual. One advantage provided by this method of communication is it is more difficult to spot and block that HTTP/HTTPS.

The Cannon Trojan, like the Zebrocy Trojan which is also being used by APT28, is being shared via spear phishing emails. Two email templates have been captured by Palo Alto Networks’ Unit 42 team, one of which takes advantage of interest in the Lion Air plane crash in Indonesia.

The Lion Air spear phishing campaign seems to provide data on the victims of the crash, which the email claims are listed in an attached Word document titled Crash List (Lion Air Boeing 737).docx. The user must Enable Content to see the contents of the document. It is alleged that the document was created in an earlier version of Word and content must be turned on for the file to be displayed. Opening the email and enabling content would trigger the macro to run, which would then silently install the Cannon Trojan.

Instead of the macro running and downloading the payload immediately, as an anti-analysis mechanism, the hackers use the Windows AutoClose tool to slow the completion of the macro routine until the document is shut. Only then is the Trojan installed. Any sandbox that analyzes the document and exits before closing the document would be unlikely to view it as malicious. Further, the macro will only run if a link with the C2 is established. Even if the document is opened and content is enabled, the macro will not run without its C2 channel open.

The techniques employed by the hackers to obfuscate the macro and hide communications make this threat difficult to spott. The key to stopping infection is blocking the threat at source and preventing it from arriving at inboxes. The provision of end user training to assist employees identify threats such as emails with attachments from unknown senders is also vital.