A newly identified malware variant, labelled the Cannon Trojan, is being deployed in targeted attacks on government agencies in the United States and Europe. The new malware strain has been connected with a threat group known under many names – APT28, Fancy Bear, Sofacy, Sednit, Strontium – that has links to the Russian government.
The Cannon Trojan is being used to collate data on possible targets, collecting system information and taking screenshots that are sent back to APT28. The Cannon Trojan is also a downloader capable of fetching additional malware variants onto an infiltrated system.
The new malware strain is stealthy and uses a variety of tricks to prevent detection and hide communications with its C2. Rather than communicating over HTTP/HTTPS, like other malware variants used by APT28, the Cannon Trojan communicates using email over SMTPS and POP3S.
Once downloaded, the malware sends an email over SMTPS through port 465, and two additional email addresses are obtained through which the malware communicates with its C2 using the POP3S protocol to receive instructions and send back data. While the use of email for communicating with a C2 has been seen before, it is relatively unusual. One advantage of this method of communication is that it is more difficult to identify and block than HTTP/HTTPS.
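Because the Cannon Trojan talks to its C2 over SMTPS and POP3S rather than HTTP/HTTPS, web proxy logs will not show the traffic; the place to look is network flow data. The following is an added example written for this article, not code from the original report or from Unit 42, that scans constructed flow records and flags internal hosts, other than the organisation's approved mail gateway, that open direct connections to external hosts on the SMTPS port (465, as named in the article) or the standard POP3S port (995, assumed here). The internal range, the gateway address and the sample flows are all assumptions made for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Port-to-protocol mapping: 465 is named in the article; 995 is the standard
# POP3S port and is an assumption added for this example.
MAIL_PORTS = {465: "SMTPS", 995: "POP3S"}

# Assumed internal address space and approved mail gateway (constructed values).
INTERNAL = ip_network("10.0.0.0/8")
APPROVED_MAIL_HOSTS = {"10.0.5.20"}


@dataclass(frozen=True)
class Flow:
    """One connection record as a flow collector might export it."""
    src: str
    dst: str
    dport: int
    proto: str


# Constructed sample flows: one workstation reaches out to two external
# hosts on mail ports, the gateway relays mail legitimately, and two other
# hosts do ordinary things. Addresses are from documentation ranges.
SAMPLE_FLOWS = [
    Flow("10.0.1.15", "203.0.113.10", 465, "tcp"),   # workstation -> external SMTPS
    Flow("10.0.1.15", "203.0.113.11", 995, "tcp"),   # same workstation -> external POP3S
    Flow("10.0.5.20", "198.51.100.5", 465, "tcp"),   # approved gateway relaying mail
    Flow("10.0.1.16", "93.184.216.34", 443, "tcp"),  # ordinary HTTPS browsing
    Flow("10.0.1.17", "10.0.5.20", 465, "tcp"),      # internal client -> internal gateway
]


def flag_unexpected_mail_flows(flows, internal=INTERNAL, approved=APPROVED_MAIL_HOSTS):
    """Return flows where a non-gateway internal host connects to an external
    host on a mail port. Direct SMTPS/POP3S from endpoints is the pattern
    the article describes for Cannon's C2 channel."""
    hits = []
    for f in flows:
        if f.proto != "tcp" or f.dport not in MAIL_PORTS:
            continue
        if ip_address(f.src) not in internal:
            continue                     # only care about our own hosts
        if f.src in approved:
            continue                     # the mail gateway is expected to do this
        if ip_address(f.dst) in internal:
            continue                     # internal mail clients talking to the gateway
        hits.append(f)
    return hits


def summarize(hits):
    """Group flagged flows by source host so one noisy endpoint is one alert."""
    by_host = defaultdict(set)
    for f in hits:
        by_host[f.src].add(MAIL_PORTS[f.dport])
    return {host: sorted(protocols) for host, protocols in by_host.items()}


if __name__ == "__main__":
    for host, protocols in summarize(flag_unexpected_mail_flows(SAMPLE_FLOWS)).items():
        print(f"{host}: direct external {', '.join(protocols)} connections")
```

The check is deliberately coarse: it does not inspect content (the sessions are TLS) but relies on the fact that in most organisations only the mail gateway should ever speak SMTPS or POP3S to the outside. Tune the allowlist for hosts that legitimately use external mailboxes before turning the output into alerts.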
The Cannon Trojan, like the Zebrocy Trojan which is also being distributed by APT28, is being delivered using spear phishing emails. Two email templates have been tracked by Palo Alto Networks’ Unit 42 team, one of which takes advantage of interest in the Lion Air plane crash in Indonesia.
The Lion Air spear phishing campaign appears to offer data on the victims of the crash, which the email claims is included in an attached Word document titled Crash List (Lion Air Boeing 737).docx. The user must click ‘Enable Content’ to view the contents of the document. The document claims to have been created in an earlier version of Word and that content must be enabled for the file to be displayed. Opening the attachment and enabling content would allow the macro to run, which would then silently install the Cannon Trojan.
Rather than having the macro run and install the payload straight away, the hackers use the Windows AutoClose tool as an anti-analysis mechanism, delaying completion of the macro routine until the document is closed. Only then is the Trojan installed. Any sandbox that analyzes the document and exits before closing it would be unlikely to see that it is malicious. Further, the macro will only run if a connection with the C2 is established. Even if the document is opened and content is enabled, the macro will not run without its C2 channel open.
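Sandbox evasion through a close-time trigger is detectable statically: the macro has to declare which Word event it hooks, and a document that hooks the close event deserves a closer look regardless of what the body does. The following is an added example written for this article, not code from Unit 42 or from any macro analysis tool, that scans VBA source text (as you would get from a macro extractor) for the reserved auto-execution procedure names and reports whether any of them fire on document close. The VBA sample is constructed for the example and contains only a placeholder call, no real payload logic.

```python
import re

# Reserved Word procedure names that run without the user calling them,
# and what event triggers each. Names are Word's own; descriptions are ours.
AUTOEXEC_TRIGGERS = {
    "autoexec": ("AutoExec", "Word starts"),
    "autoopen": ("AutoOpen", "document opened"),
    "document_open": ("Document_Open", "document opened"),
    "autoclose": ("AutoClose", "document closed"),
    "document_close": ("Document_Close", "document closed"),
}

# Triggers that only fire when the document is closed: the delayed-execution
# pattern described in the article.
CLOSE_TRIGGERS = {"autoclose", "document_close"}

# Matches a Sub declaration for one of the reserved names, e.g.
# "Private Sub Document_Open()" or "Sub AutoClose()".
_SUB_RE = re.compile(
    r"^\s*(?:Public\s+|Private\s+)?Sub\s+(AutoExec|AutoOpen|Document_Open|AutoClose|Document_Close)\s*\(",
    re.IGNORECASE | re.MULTILINE,
)

# Constructed VBA text standing in for extracted macro source. The open
# handler is innocuous-looking; the close handler calls a placeholder.
SAMPLE_VBA = """\
Attribute VB_Name = "ThisDocument"

Private Sub Document_Open()
    ' constructed placeholder: nothing happens on open
End Sub

Sub AutoClose()
    ' constructed placeholder: real sample would stage its payload here
    Call StageTwo
End Sub
"""


def find_autoexec_triggers(vba_source):
    """Return the reserved auto-execution procedures declared in the source,
    in order of appearance, with canonical casing."""
    found = []
    for match in _SUB_RE.finditer(vba_source):
        canonical, _event = AUTOEXEC_TRIGGERS[match.group(1).lower()]
        if canonical not in found:
            found.append(canonical)
    return found


def uses_delayed_execution(vba_source):
    """True when the macro hooks a close-time event, i.e. it will only do its
    work after the document is closed, which short sandbox runs may miss."""
    return any(t.lower() in CLOSE_TRIGGERS for t in find_autoexec_triggers(vba_source))


def describe(vba_source):
    """Human-readable summary of which events would run code."""
    lines = []
    for name in find_autoexec_triggers(vba_source):
        _canonical, event = AUTOEXEC_TRIGGERS[name.lower()]
        lines.append(f"{name}: runs when {event}")
    if uses_delayed_execution(vba_source):
        lines.append("close-time trigger present: sandbox should close the document before finishing")
    return lines


if __name__ == "__main__":
    for line in describe(SAMPLE_VBA):
        print(line)
```

The practical consequence for detonation sandboxes is in the last line of the summary: if a document declares a close-time handler, the analysis run must actually close the document (and, per the article, allow the C2 connection to appear reachable) before deciding the file is clean.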
The tactics deployed by the hackers to obfuscate the macro and hide communications make this threat difficult to spot. The key to blocking infection is blocking the threat at source and stopping it from reaching inboxes. The provision of end user training to help staff identify threats including emails with attachments from unknown senders is also important.
Enhance Security Against Zero-Day Malware & Spear Phishing
TitanHQ has created a strong anti-phishing and anti-spam solution that is effective at tackling advanced persistent threats and zero-day malware, and which does not depend solely on signature-based detection methods. While its combined anti-virus engines offer protection against 100% of known malware, unlike many other spam filtering solutions, SpamTitan also uses a range of predictive techniques to identify previously unseen threats and spear phishing attacks.
Greylisting is used to identify domains used for spamming that have yet to be blacklisted. All incoming emails undergo Bayesian analysis, and heuristics are used to spot new threats.
To further safeguard against phishing attacks, URIBL and SURBL lookups are used to check embedded hyperlinks. SpamTitan also scans outbound mail to stop abuse and identify attempts at data theft.
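Greylisting works because legitimate mail servers queue and retry on a temporary failure while most spam-sending infrastructure does not bother. The following is an added example written for this article, not SpamTitan's code or any part of the product, implementing the classic greylisting rule: the first delivery attempt for a new (client IP, sender, recipient) triplet is temporarily rejected, a retry after the minimum delay is accepted and the triplet is remembered, and a retry that comes too early is rejected again. The delay and expiry values are assumptions chosen for the example; the clock is passed in so the behaviour can be exercised without waiting.

```python
from dataclasses import dataclass, field


@dataclass
class Greylist:
    """Minimal greylisting policy keyed on (client IP, sender, recipient)."""
    min_delay: float = 300.0          # seconds the sender must wait before retrying (assumed)
    max_age: float = 4 * 3600.0       # pending entry expires if no retry arrives in time (assumed)
    pending: dict = field(default_factory=dict)    # triplet -> time of first attempt
    approved: set = field(default_factory=set)     # triplets that retried correctly

    @staticmethod
    def _key(client_ip, sender, recipient):
        return (client_ip, sender.lower(), recipient.lower())

    def check(self, client_ip, sender, recipient, now):
        """Return 'accept' or 'tempfail' for a delivery attempt at time `now`.
        A 'tempfail' corresponds to an SMTP 4xx response that a real MTA
        will retry; a bulk mailer that fires and forgets never comes back."""
        key = self._key(client_ip, sender, recipient)
        if key in self.approved:
            return "accept"
        first_seen = self.pending.get(key)
        if first_seen is None:
            self.pending[key] = now          # first time we see this triplet
            return "tempfail"
        age = now - first_seen
        if age < self.min_delay:
            return "tempfail"                # retried too fast: treat like a new attempt
        if age > self.max_age:
            self.pending[key] = now          # stale entry: start the clock again
            return "tempfail"
        del self.pending[key]
        self.approved.add(key)               # well-behaved retry: remember and accept
        return "accept"

    def expire(self, now):
        """Drop pending entries nobody ever retried; returns how many were dropped."""
        stale = [k for k, t in self.pending.items() if now - t > self.max_age]
        for k in stale:
            del self.pending[k]
        return len(stale)


def run_demo():
    """Constructed scenario: a real MTA retries after five minutes and gets
    through; a spam source sends once and never retries. Returns the
    sequence of decisions for each."""
    g = Greylist()
    mta = [
        g.check("198.51.100.9", "alice@example.org", "bob@example.com", 0.0),
        g.check("198.51.100.9", "alice@example.org", "bob@example.com", 60.0),
        g.check("198.51.100.9", "alice@example.org", "bob@example.com", 400.0),
        g.check("198.51.100.9", "alice@example.org", "bob@example.com", 401.0),
    ]
    spammer = [g.check("203.0.113.77", "deals@spam.invalid", "bob@example.com", 0.0)]
    dropped = g.expire(5 * 3600.0)
    return mta, spammer, dropped


if __name__ == "__main__":
    print(run_demo())
```

The cost of greylisting is a delay on first contact from a new sender, which is why production filters typically exempt senders with an established reputation and store the approved triplets persistently.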
For further information on SpamTitan, to book a product demonstration, or to sign up for a free trial of the full product, contact the TitanHQ team now.