A new malware variant,labelled the Cannon Trojan, is being implemented in targeted attacks on government agencies in the United States and Europe. This malware threat has been strongly connected to a threat group known under many names – APT28, Fancy Bear, Sofacy, Sednet, Strontium – that has connections to the Russian government.
The Cannon Trojan is being used to collate data on potential targets, collecting system information and capturing screenshots that are sent back to APT28. The Cannon Trojan is also an installer capable of installing further malware variants onto an impacted system.
This recently-detected malware threat is stealthy and uses a mix of tricks to prevent detection and hide communications with its C2. Rather than communicating over HTTP/HTTPS, like other malware variants used by APT28, the Cannon Trojan communicates through email over SMTPs and POP3S.
Once downloaded, an email is shared over SMTPS through port 465 and an additional two email addresses are obtained through which the malware sends with its C2 using the POP3S protocol to receive instructions and send back data. While the use of email for communicating with a C2 has been seen previously, it is relatively unusual. One benefit offered by this method of communication is it is more difficult to identify and block that HTTP/HTTPS.
The Cannon Trojan, like the Zebrocy Trojan which is also being implementing using APT28, is being shared through spear phishing emails. Two email templates have been intercepted by Palo Alto Networks’ Unit 42 team, one of which takes advantage of interest in news about the Lion Air plane crash in Indonesia.
The Lion Air spear phishing campaign looks like it is providing updates on the victims of the crash, which the email claims are detailed in an attached Word document titled Crash List (Lion Air Boeing 737).docx. The user must Enable Content to see the contents of the document. It is claimed that the document was set up in an earlier version of Word and content must be turned on for the file to be displayed. Opening the email and enabling content would let the macro run, which would then silently install the Cannon Trojan.
Instead of the macro running and installing the payload straightaway, as an anti-analysis mechanism, the hackers use the Windows AutoClose tool to delete completion of the macro routine until the document is closed. Only then is the Trojan installed. Any sandbox that reviews the document and exits before closing the document would be unlikely to see it as malicious. In addition, the macro will only run if a link with the C2 is created. Even if the document is opened and content is allowed, the macro will not run without its C2 channel open.
The methods used by the hackers to obfuscate the macro and hide communications make this threat difficult to spot. The key to spotting infection is blocking the threat at source and stopping it from reaching inboxes. The provision of end user assistance to allow employees identify threats such as emails with attachments from unknown senders is also crucial.