APT28 Group Utilizes New Cannon Trojan in Spear Phishing Campaign Targeting US and EU Government Organizations

November 25, 2018


A new spear phishing campaign is being carried out by the AP28 (Sofacy Group/Fancy Bear/Sednit) on government companies in the United States, Europe, and a former USSR state using the earlier unidentified Cannon Trojan. The campaign was noticed by Palo Alto Networks’ Unit 42 team and was first recognized in late October.

The campaign is being carried out through spam electronic mail and uses weaponized Word document to supply two malware variations. The first, the Zebrocy Trojan, has been utilized by APT28 in earlier campaigns and was first recognized in 2015. The main objective of the Zebrocy Trojan is to provide access to an appliance and establish a link with a C2 server. It works as a downloader and backdoor and is utilized to deliver more malevolent payloads to systems of interest to the group.

Unit 42 scientists also recognized a second Trojan. A new malware variation dubbed the Cannon Trojan. Although Zebrocy utilizes HTTP/HTTPS for its C2 communications, the Cannon Trojan uses electronic mail. Electronic mail is supposed to be used to reduce the possibility of detection.

The Cannon Trojan is utilized to collect system information. That information, together with screenshots, are sent back to APT28 through electronic mail. If the target is of interest, the Cannon Trojan can download additional malevolent code.

One of the electronic mail campaigns uses the latest Lion Air plane accident as the enticement to get users to open the malevolent Word document. The document name is Crash List (Lion Air Boeing 737).docx. If the user opens the document, Word tries to download a distant template that contains the malevolent macro.

Upon opening the document, the user is offered with a message saying the document has been generated using an earlier type of Word. The user should click on Enable Content to show the contents of the file. The macro will only be loaded if a link to its C2 exists. If no link is available, the macro will not run.

If there is a C2 link, the macro is started. At this phase, most malevolent documents then download the payload. Nevertheless, this campaign utilizes the AutoClose function to adjourn complete execution of the malevolent code. It is only when the user closes the document that the macro will finish and the payload will be downloaded.

The Cannon Trojan primarily sends a message over SMTPS to one electronic mail account hosted by Czech electronic mail service provider Seznam, then connects with two more attacker-controlled electronic mail accounts over POP3S, through which it takes its orders. Because of the level of encryption provided by both SMTPS and POP3S, the C2 channel is tough to block.