Hackers backed by the military intelligence agency of Russia are apparently targeting security researchers with their latest campaign, which uses a document advertising a cybersecurity conference in Washington D.C. as the lure.
Security researchers are being sent a document titled ‘Conference_on_Cyber_Conflict.doc’, containing information about the upcoming 2017 International Conference on Cyber Conflict U.S. (CyCon U.S.). While the conference is real, the document is not, reports ZD Net.
The real conference is being hosted by the US Army and NATO Cooperative Cyber Defence Centre of Excellence and will run from November 7 through 8 this year at the Ronald Reagan Building in Washington D.C. CyCon U.S. is a collaborative effort between the Army Cyber Institute at the United States Military Academy and the NATO Cooperative Cyber Defence Centre of Excellence.
APT28 or Fancy Bear linked to Russia
Over the weekend, security researchers at Cisco Talos revealed that an operation called Group 74, or APT28 aka Fancy Bear (that was also responsible for the DNC hack last year), has “weaponized” a real Word document titled “Conference_on_Cyber_Conflict.doc” with malware.
The hackers used a variant of a malware called Setuploader, commonly used in espionage. “This is clearly an attempt to exploit the credibility of Army Cyber Institute and NATO CCDCOE in order to target high-ranking officials and experts of cybersecurity,” said a CCDCOE spokesperson.
Setuploader has the ability to take screenshots, extract data, execute code and download additional fake files, and more, according to the researchers. This points to the hackers wanting to steal information with the goal of espionage. One thing is different about this particular document – It doesn’t contain an Office exploit or a zero-day.
Instead, it uses a malicious Visual Basic for Applications (VBA) macro, designed to run code within the selected application — in this case, Microsoft Word. This shows the extent that some groups will go to in extracting information from a particular group, in this case, cybersecurity experts.
The Sunday report comes just a few days after Proofpoint’s report had suggested APT28 was actively leveraging a security exploit that was patched by Adobe last week, in hopes of infecting as many targets in government departments and aerospace companies as it could before the breach was discovered.