Cybersecurity pros targeted in latest attack by Group 74

The threat actor known as Group 74 has initiated a new campaign that uses a malicious Visual Basic for Applications (VBA) macro embedded in a document advertising the Cyber Conflict U.S. Conference (CYCON) to target people interested in cybersecurity issues.

The VBA macro injects and then executes a new variant of Seduploader, reconnaissance malware that Group 74 is known to use, Cisco Talos reported. Group 74 is Talos's name for the group that is also tracked as Tsar Team, Sofacy, APT28 and Fancy Bear. The lure is an attached two-page Word document named Conference_on_Cyber_Conflict that, for added credibility, also carries the logo of the conference's organizer and sponsor.

What makes the lure particularly convincing is that CYCON is a legitimate conference, held Nov. 7-8, 2017 at the Ronald Reagan Building in Washington, D.C. and organized by the U.S. Military Academy and the NATO Cooperative Cyber Defence Centre of Excellence. The document's content is nothing more than text copied from the conference's website.

Cisco Talos noted that the document was created on October 4 and that a spike in activity occurred three days later.

“Analysis of this campaign shows us once more that attackers are creative and use the news to compromise the targets. This campaign has most likely been created to allow the targeting of people linked to or interested by cybersecurity, so probably the people who are more sensitive to cybersecurity threats,” Cisco Talos wrote.

In past campaigns Group 74 used Seduploader together with privilege escalation malware, but this attack contains only the persistence mechanism, delivered as two files: netwf.bat, which executes the payload netwf.dll. With no privilege escalation component, the implant runs with whatever privileges the user who opened the document already has.
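As an added example (not code from the article or from Cisco Talos), the following is detection logic a blue team could run over process-creation telemetry to catch the chain described above: a macro launching a command interpreter from Word, and a dropped batch file handing off to a DLL through rundll32. Only the file names netwf.bat and netwf.dll come from the report; the log line format, the directory paths, the user name "analyst" and the DLL export name "Init" are assumptions made for the example, and the sample events are constructed, not real logs.

```python
"""Detection logic for the macro -> batch -> DLL chain the article describes.

Added example, not code from the article or from Cisco Talos. It runs a
two-part heuristic over constructed Sysmon-style process-creation events:

  1. an Office application spawning a command interpreter or script host,
     which is what a malicious VBA macro does to run what it dropped;
  2. cmd.exe running a .bat file, or rundll32 loading a .dll, from a
     directory outside Windows/Program Files (the netwf.bat -> netwf.dll
     pattern the article reports).

Only the file names netwf.bat and netwf.dll come from the article. The
'Key=Value|Key=Value' line format, the paths, the user name 'analyst' and
the DLL export name 'Init' are assumptions made for the example.
"""
import re
from dataclasses import dataclass

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
INTERPRETERS = {"cmd.exe", "wscript.exe", "cscript.exe", "powershell.exe",
                "rundll32.exe", "mshta.exe"}
# Directories a normal user cannot write to; anything else is "untrusted" here.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
KNOWN_IOCS = ("netwf.bat", "netwf.dll")  # tuple, not set: keeps alert order stable

RUNDLL32_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^",\s]+\.dll)"?', re.I)
CMD_BAT_RE = re.compile(r'cmd(?:\.exe)?\s+/c\s+"?([^"\s]+\.bat)"?', re.I)


@dataclass
class ProcEvent:
    parent_image: str
    image: str
    command_line: str


def parse_event(line):
    """Parse one 'Key=Value|Key=Value' line (assumed format) into a ProcEvent."""
    fields = dict(part.split("=", 1) for part in line.strip().split("|"))
    return ProcEvent(fields["ParentImage"], fields["Image"], fields["CommandLine"])


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_trusted(path):
    """True if the path lives under a directory normal users cannot write to."""
    return path.lower().startswith(TRUSTED_DIRS)


def analyze(event):
    """Return [(rule, detail), ...] for one event; an empty list means benign."""
    alerts = []
    parent, child = basename(event.parent_image), basename(event.image)
    if parent in OFFICE_APPS and child in INTERPRETERS:
        alerts.append(("office_spawns_interpreter", f"{parent} -> {child}"))
    m = CMD_BAT_RE.search(event.command_line)
    if m and not is_trusted(m.group(1)):
        alerts.append(("cmd_runs_untrusted_bat", m.group(1)))
    m = RUNDLL32_RE.search(event.command_line)
    if m and not is_trusted(m.group(1)):
        alerts.append(("rundll32_untrusted_dll", m.group(1)))
    for name in KNOWN_IOCS:
        if name in event.command_line.lower():
            alerts.append(("known_ioc_name", name))
    return alerts


def scan(lines):
    """Run analyze() over every line; returns [(line_index, rule, detail), ...]."""
    return [(i, rule, detail)
            for i, line in enumerate(lines)
            for rule, detail in analyze(parse_event(line))]


def full_chain_seen(hits):
    """True when both halves of the chain (macro launch and untrusted DLL load) appear."""
    rules = {rule for _, rule, _ in hits}
    return {"office_spawns_interpreter", "rundll32_untrusted_dll"} <= rules


# Constructed sample telemetry (not real logs): events 0 and 1 model the
# reported chain, event 2 is a benign rundll32 launch that must not alert.
SAMPLE_EVENTS = [
    "ParentImage=C:\\Program Files\\Microsoft Office\\Office16\\WINWORD.EXE"
    "|Image=C:\\Windows\\System32\\cmd.exe"
    "|CommandLine=cmd.exe /c C:\\Users\\analyst\\AppData\\Roaming\\netwf.bat",
    "ParentImage=C:\\Windows\\System32\\cmd.exe"
    "|Image=C:\\Windows\\System32\\rundll32.exe"
    "|CommandLine=rundll32.exe C:\\Users\\analyst\\AppData\\Roaming\\netwf.dll,Init",
    "ParentImage=C:\\Windows\\explorer.exe"
    "|Image=C:\\Windows\\System32\\rundll32.exe"
    "|CommandLine=rundll32.exe C:\\Windows\\System32\\shell32.dll,Control_RunDLL",
]

if __name__ == "__main__":
    for idx, rule, detail in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}: {detail}")
```

The last rule only catches the file names reported for this campaign; the path-based rules are the ones that generalize, since the next campaign will rename its files but will still need to get code running from a directory the user can write to, and the parent-child rule fires before any payload name is known.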

Once installed, Seduploader can capture screenshots, exfiltrate data and configuration, execute code and download files.

Cisco Talos said the attackers' choice of a scripting language embedded in an Office document, rather than a zero-day vulnerability, indicates that they wanted the malware to remain hidden. A zero-day exploit runs the risk of the vulnerability being discovered and patched, which would render the attack inert.