Two zero-days were packaged in a Word attachment used in a Fancy Bear phishing campaign.
Two zero-days were packaged in a Word attachment used in a Fancy Bear phishing campaign.

Researchers at ESET have uncovered evidence pointing the finger at the notorious Sednit group (aka Fancy Bear, APT28 and Sofacy) as the culprits behind a phishing email campaign leading up to the presidential election in France earlier this month.

According to a report on the company's We Live Security blog, the attackers – well known for stealing information from various targets – allegedly targeted Emmanuel Macron, who ultimately won the election, with a series of phishing emails containing an attachment titled Trump's_Attack_on_Syria_English.docx.

The researcher's analysis detected that the Microsoft Word document had a reconnaissance tool, Seduploader, which delivers a downloader payload used previously by Sednit as reconnaissance malware. A spying backdoor, like Sedreco or Xagent, can then be initiated.

"To achieve this, Sednit used two zero-day exploits: one for a Remote Code Execution vulnerability in Microsoft Word (CVE-2017-0262) and one for a Local Privilege Escalation in Windows (CVE-2017-0263)," the report explained.

The flaws were patched by Microsoft as part of a regularly scheduled Patch Tuesday after ESET alerted them.

Using text from an actual article related to President Trump's attack on Syria, the attachment in the spearphishing email is actually a decoy to dupe recipients into clicking on the malicious attachment, which will deliver the first-stage payload.

The ESET team found the next step particularly interesting: The doc comes loaded with two new zero-day exploits enabling the install of Seduploader. Should a recipient click on the attachment, CVE-2017-0262, a vulnerability in Office's EPS filter, is launched.

The EPS exploit file is obfuscated and, once decrypted, performs a memory corruption and loads shellcode which retrieves undocumented Windows APIs .

After further decryption, the Seduploader Dropper is then loaded and executed, consisting of two components: a dropper and a persistent payload, the researchers said.

The code has evolved from previous versions, the researchers found. While previous hashing algorithms bared similarities to code used in Carberp, the new iteration appropriated code from PowerSniff.

What the ESET team surmises from its analysis is that the attackers continue to evolve their tactics – employing two new zero-days, for example – while still retaining use of known attack methods, such as reusing code from other malware or publicly available websites.

These two exploits show once again the kind of financial resources and/or technical expertise to either purchase the exploits or develop them directly, Alexis Dorais-Joncas, security intelligence team lead at ESET, told SC Media on Thursday.

"Based on Zerodium prices, those two zero-days exploits combined could be worth up to $70,000," he said. "If you look at the economics of this attack, it means Sednit expected that the value of the compromised targets and the information that can eventually be stolen from them has a higher value than the value of the zero-days they burned."

When asked what specifically the attackers are after, Dorais-Joncas said Sednit is mostly interested in stealing confidential information from various targets usually related to geopolitics. "We have no reason to believe this attack had different motives."

And, when asked what evidence the ESET team had to ascribe the campaign to Sednit, he responded that the whole TTP her team observed in this attack is consistent with the known characteristics of the group. "But the stronger indication in this case is the use of an updated version of Seduploader, which is a tool that belongs to their toolkit."

This campaign carries on from previous iterations using similar coding, he added. "The change they made to Seduploader is mostly maintenance and addition of some basic features, nothing groundsbreaking," he said

There are some differences in the delivery mechanism, however. "What differs is the use of these two new zero-day exploits," Dorais-Joncas told SC Media. "It is an indication that this campaign may have been more important for Sednit than others where no zero-day exploits are used."

ESET is monitoring Sednit's activities constantly to better understand their evolution and better protect its customers from such attacks, he concluded.