A new cyber espionage campaign from the Russian APT group Fancy Bear has added some firepower in the form of a new malicious first-stage downloader tool called Cannon.

Cannon diverges from Fancy Bear’s (aka Sofacy, APT28) usual downloader trojan, Zebrocy, in that it leverages email protocols for C2 communication as opposed to HTTP or HTTPS. Palo Alto Networks’ Unit 42 division, whose researchers uncovered this development, theorized in a Nov. 20 blog post that this could an attempt to fly under the radar.

“This is not a new tactic but may be more effective at evading detection as the external hosts involved are a legitimate email service provider,” said the post, authored by researchers Robert Falcone and Bryan Lee. “Add the layer of encryption that the SMTPS [Simple Mail Transfer Protocol Secure] and POP3S [Post Office Protocol] protocols provide to the legitimate web-based service and you have a very difficult C2 channel to block.”

Unit 42 discovered Cannon while investigating a series of weaponized documents sent in a phishing campaign that took place in late October and early November. The campaign, which also distributed the more traditional Zebrocy trojan in some instances, targeted a variety of government entities in North America and Europe, as well as an unnamed country that was formerly part of the Soviet Union.

Two of the studied weaponized documents feature the author name “Joohn” and use a file name suggesting that they contain a list of victims from the Oct. 29 Lion Air crash.

If these documents are opened and the C2 server is active, Microsoft Word then loads a remote template containing a malicious macro that obtains the first-stage payload. However, in a sneaky twist, the macro abuses the AutoClose function so that the malicious code wouldn’t be executed until after the user closes the document. This tactic could potentially help the malware elude automated sandboxes that end their analysis sessions before the doc is closed, the blog explains.

One of these two weaponized docs was found targeting a government entity involved in foreign affairs, and was designed to ultimately download Zebrocy. The second document contained the previously unknown Cannon.

Written in Delphi, this particular Zebrocy variant reportedly sends system information and a JPEG-based screenshot of the victim host to the C2 server. The C2 server then delivers back a secondary payload that researchers determined to be functionally similar to Zebrocy.

Cannon is written in C#, but like Zebrocy it can gather system information, take screenshots and bring forth additional malware. “The overall purpose of Cannon is to use several email accounts to send system data (system information and screenshot) to the threat actors and to ultimately obtain a payload from an email from the actors,” the blog said.