Sofacy, the Russian-speaking APT group connected to interference in the 2016 U.S. presidential election, has been targeting researchers, admins and others interested in cybersecurity.
Cisco’s security research arm Talos published a report on Sunday describing a campaign linked to Sofacy, also known as Fancy Bear and APT 28 among other names, using a decoy document related to the CyCon U.S. conference as a lure.
CyCon is marketed as an international conference on cyber conflict organized by NATO’s Cooperative Cyber Defense Center of Excellence, which is scheduled for Nov. 7 and 8 in Washington, D.C.
According to Cisco’s analysis of command and control traffic to the attacker’s server at myinfestgroup[.]com, traffic to the domain peaked on Oct. 7, three days after the lure document was created.
Cisco said the connection to Sofacy rests on the use of a dropper called Seduploader, used in other campaigns by the APT group. The group, however, has opted not to use exploits in this particular campaign and is instead relying on a macro embedded in the lure document that grabs the dropper from the internet.
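The report's only network indicator is the C2 domain, so the practical defender step is to check egress logs for contact with it. The script below is an added example (not Cisco's or Threatpost's code): it refangs the domain as published, scans constructed proxy log lines, and returns per-day hit counts and the affected hosts so the peak day can be compared with the Oct. 7 spike the report describes.

```python
"""Triage proxy logs for contact with the Sofacy C2 domain named in the report."""
import re
from collections import Counter, defaultdict

# Domain exactly as published (defanged) in the Talos report.
C2_DOMAIN_DEFANGED = "myinfestgroup[.]com"

# Constructed sample proxy log lines (not real traffic): "<date> <source host> <url>"
SAMPLE_LOG = """\
2017-10-05 ws-017 http://myinfestgroup.com/index.php
2017-10-06 ws-022 http://cdn.example.net/update.js
2017-10-07 ws-017 http://myinfestgroup.com/index.php
2017-10-07 ws-031 http://myinfestgroup.com/index.php
2017-10-07 ws-045 http://www.myinfestgroup.com/
2017-10-08 ws-045 http://example.org/
"""


def refang(indicator: str) -> str:
    """Turn the report's 'x[.]y' notation back into a plain hostname."""
    return indicator.replace("[.]", ".")


def host_of(url: str) -> str:
    """Extract the hostname from a URL (empty string if it has no scheme)."""
    m = re.match(r"^[a-z]+://([^/:]+)", url)
    return m.group(1).lower() if m else ""


def matches_c2(host: str, c2: str) -> bool:
    """True for the domain itself or any subdomain, never for look-alikes."""
    return host == c2 or host.endswith("." + c2)


def triage(log_text: str, c2_defanged: str = C2_DOMAIN_DEFANGED) -> dict:
    """Count C2 contacts per day and list the internal hosts that made them."""
    c2 = refang(c2_defanged)
    hits_by_day = Counter()
    hosts_by_day = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than failing the whole run
        day, src, url = parts
        if matches_c2(host_of(url), c2):
            hits_by_day[day] += 1
            hosts_by_day[day].add(src)
    peak = max(hits_by_day, key=hits_by_day.get) if hits_by_day else None
    return {"peak_day": peak, "hits_by_day": dict(hits_by_day),
            "hosts": {d: sorted(h) for d, h in hosts_by_day.items()}}
```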
Source: Threatpost