June 14, 2016
A Russian-linked cyber-espionage group sent a spear-phishing email to a US government official from a compromised computer on the IT network of another country’s Ministry of Foreign Affairs.
The email contained an RTF document called Exercise_Noble_Partner_16.rtf, referring to a joint US-Georgian military exercise.
According to Palo Alto Networks, opening the file triggers an exploit for CVE-2015-1641, a Microsoft Office memory-corruption flaw patched in 2015, which writes two DLL files, btecache.dll and svchost.dll, to the victim’s computer. The second name borrows that of the legitimate Windows svchost.exe process, so a file listing alone is unlikely to raise suspicion.
Security researchers say these two files load a Carberp variant of the Sofacy trojan used by the Sofacy cyber-espionage group. The group has been linked to Russia’s military intelligence service, the GRU, and is also tracked under names such as Fancy Bear, APT28, Sednit, Pawn Storm, and Strontium.
Sofacy finds new method to launch malicious process
Palo Alto researchers said one detail caught their eye in this most recent Sofacy campaign: the group had apparently come up with a never-before-seen trick to gain persistence on infected devices.