Russian advanced persistent threat group Sofacy has another ace up its sleeve: a Flash Player exploit tool, dubbed DealersChoice, that in some ways resembles a Russian nesting doll.

Discovered by Palo Alto Networks' Unit 42 threat research team, the tool generates RTF documents that contain embedded OLE Word documents, which in turn contain an embedded Adobe Flash (.SWF) file with an ActionScript that produces additional .SWF files whose contents are designed to abuse flaws in Flash software. The purpose of these files-within-files-within-files is essentially to create a backdoor, allowing the APT group – also known as Fancy Bear – to compromise the victim's machine and download additional malware.
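An analyst can walk the same RTF → OLE → SWF nesting for triage. The sketch below is an added example, not code from the Palo Alto report; it assumes the embedded object is stored as plain hex in an RTF `\objdata` group and that the SWF sits uncompressed and contiguous inside the OLE container. The function names and the sample bytes are constructed for illustration.

```python
import binascii
import re

OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")          # OLE2 compound-file header
SWF_SIG = re.compile(rb"(FWS|CWS|ZWS)([\x01-\x32])")   # SWF signature + version byte
OBJDATA = re.compile(rb"\\objdata\b([^{}\\]*)")        # hex payload of an RTF object

def extract_objdata(rtf: bytes):
    """Yield the decoded bytes of every objdata group (layer 1 -> layer 2)."""
    for m in OBJDATA.finditer(rtf):
        digits = re.sub(rb"[^0-9A-Fa-f]", b"", m.group(1))  # drop spaces/newlines
        yield binascii.unhexlify(digits[: len(digits) // 2 * 2])

def triage(rtf: bytes):
    """Report, per embedded object, whether an OLE2 container carries a SWF."""
    findings = []
    for idx, blob in enumerate(extract_objdata(rtf)):
        ole_at = blob.find(OLE_MAGIC)
        # Search for Flash signatures from the OLE header onward
        # (layer 2 -> layer 3); the whole blob is scanned if no header exists.
        swf = [(m.start(), m.group(1).decode(), m.group(2)[0])
               for m in SWF_SIG.finditer(blob, max(ole_at, 0))]
        findings.append({"object": idx, "ole_offset": ole_at, "swf": swf,
                         "suspicious": ole_at >= 0 and bool(swf)})
    return findings

def sample_rtf() -> bytes:
    """Constructed sample: inert bytes that only mimic the layer signatures."""
    nested = b"\x01\x05\x00\x00" + OLE_MAGIC + b"\x00" * 24 + b"CWS\x0b\x10\x00\x00\x00"
    benign = b"\x01\x05\x00\x00" + b"plain package data"
    return (b"{\\rtf1 decoy text "
            b"{\\object\\objemb{\\*\\objdata " + binascii.hexlify(nested) + b"}}"
            b"{\\object\\objemb{\\*\\objdata " + binascii.hexlify(benign) + b"}}}")

if __name__ == "__main__":
    for finding in triage(sample_rtf()):
        print(finding)
```

Obfuscated RTF (control words or nested groups inside the hex data) will defeat the simple `\objdata` pattern, so a miss here is not a clean verdict.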

“The multiple layers were interesting, just because it adds an extra layer of obfuscation and anti-analysis,” said Robert Falcone, a Palo Alto threat intelligence analyst, in an interview with “There are multiple layers you have to peel apart to ultimately get to the malicious content itself… It takes a lot more effort to analyze.”

In two separate incidents taking place last Aug. 15 and 16, DealersChoice delivered a malicious Flash file to a Ukrainian defense contractor, and also to a Ministry of Foreign Affairs in a nation-state based in the same region, according to a Palo Alto blog post Monday. Both attacks originated from spear phishing emails that were crafted with their targets in mind; for instance, the one targeting the Ukrainian contractor purportedly offered information on a possible Russian invasion and featured a spoofed sender address that appeared to belong to the European Parliament's Press Unit.

Clicking the attachment in these emails would open up a decoy document designed to keep the user occupied while the exploit tool does its underhanded work.

Palo Alto observed two distinct variants of the embedded SWF files, DealersChoice.A and DealersChoice.B. The former, likely the original version, contains four embedded files and an ActionScript, which upon execution infects users with malicious shellcode all by itself. Version B, on the other hand, connects to a command-and-control server to download the components necessary to exploit the victim's systems.

In either case, the APT – one of two linked to the Democratic National Committee hack – checks the version of Flash installed on the user's machine to make sure one of its exploit codes will be able to compromise the software. If the version has no exploitable flaw, the malware won't execute. Version B does this by communicating certain machine information to its C&C server; however, as of the report's publishing, the server was not operational. Palo Alto researchers also have a working theory that a live operational server would check the machine's operating system, which would likely mean that version B works on multiple OS platforms.

Palo Alto researchers examined the DealersChoice.A payload and found it to be similar in nature to the Sofacy Trojan's Carberp variant (which borrows from the leaked Carberp botnet creation kit source code) and its Komplex variant for OS X systems. “It does show that they're able to build trojans for different environments but also share a core design,” said Falcone.