Russian advanced persistent threat group Sofacy has upped the ante in its campaign to compromise organizations with its “DealersChoice” Flash Player exploit tool, even after Adobe patched a zero-day Flash vulnerability that the tool was observed exploiting.
DealersChoice essentially creates a backdoor in infected machines through which the APT, also known as Fancy Bear, Pawn Storm, Sednit and Strontium, can establish persistence in networks and download additional malware. The tool features multiple layers, generating RTF documents that contain embedded OLE Word documents, that in turn contain an embedded Flash (.SWF) file with an ActionScript that produces additional .SWF files whose contents are designed to abuse flaws in Flash software.
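The nesting described above (an RTF wrapper carrying an embedded OLE object that in turn carries a Flash file) is something a defender can triage statically before any of it is rendered. The script below is an added example written for this page, not Palo Alto/Unit 42 tooling and not a DealersChoice sample: it pulls the hex-encoded `\objdata` blobs out of an RTF, decodes them, and checks the bytes for an OLE compound-file header and for the three SWF magic values (FWS, CWS, ZWS). The sample document it scans is constructed inline for the demonstration. It assumes the straightforward RTF layout shown here and does not attempt to undo the control-word and whitespace obfuscation that real RTF droppers often use, so treat it as a first-pass check rather than a complete parser.

```python
import re

# Magic values a defender looks for inside decoded RTF object data.
SWF_MAGICS = {
    b"FWS": "uncompressed SWF",
    b"CWS": "zlib-compressed SWF",
    b"ZWS": "LZMA-compressed SWF",
}
OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # OLE2 / compound file header

# \objdata is followed by a run of hex digits, usually broken across lines.
_OBJDATA = re.compile(rb"\\objdata\s*", re.IGNORECASE)
_HEXRUN = re.compile(rb"[0-9A-Fa-f\s]+")


def extract_objdata(rtf: bytes) -> list[bytes]:
    """Return the decoded bytes of every \\objdata block in the RTF."""
    blobs = []
    for m in _OBJDATA.finditer(rtf):
        run = _HEXRUN.match(rtf, m.end())
        if not run:
            continue
        hexstr = re.sub(rb"\s", b"", run.group(0))
        if len(hexstr) % 2:          # tolerate a dangling nibble
            hexstr = hexstr[:-1]
        if hexstr:
            blobs.append(bytes.fromhex(hexstr.decode("ascii")))
    return blobs


def find_embedded_markers(blob: bytes) -> list[str]:
    """Describe OLE and SWF headers found in one decoded object blob."""
    found = []
    if OLE_MAGIC in blob:
        found.append("OLE compound file")
    for magic, label in SWF_MAGICS.items():
        idx = blob.find(magic)
        while idx != -1:
            # SWF header: 3-byte magic, 1-byte version, 4-byte file length.
            # Requiring a plausible version byte cuts down on chance matches.
            if idx + 8 <= len(blob) and 1 <= blob[idx + 3] <= 50:
                found.append(f"{label} (version {blob[idx + 3]}) at offset {idx}")
                break
            idx = blob.find(magic, idx + 1)
    return found


def triage_rtf(rtf: bytes) -> dict:
    """Scan an RTF document and flag it if any embedded object carries a SWF."""
    blobs = extract_objdata(rtf)
    report = {"objects": len(blobs), "findings": []}
    for i, blob in enumerate(blobs):
        for marker in find_embedded_markers(blob):
            report["findings"].append((i, marker))
    report["suspicious"] = any("SWF" in m for _, m in report["findings"])
    return report


def _build_sample() -> bytes:
    """Constructed sample RTF (not a real malware document) for the demo."""
    # OLE header, a little padding, then a fake CWS header (version 20).
    payload = (OLE_MAGIC + b"\x00" * 8
               + b"CWS" + bytes([20]) + (0x100).to_bytes(4, "little")
               + b"\x00" * 4)
    hexdata = payload.hex()
    lines = [hexdata[i:i + 16] for i in range(0, len(hexdata), 16)]
    return (b"{\\rtf1\\ansi{\\object\\objemb{\\*\\objdata "
            + "\n".join(lines).encode("ascii")
            + b"}}\\par Benign cover text.}")


SAMPLE_RTF = _build_sample()

if __name__ == "__main__":
    for i, marker in triage_rtf(SAMPLE_RTF)["findings"]:
        print(f"object {i}: {marker}")
```

Because the Flash file is hex-encoded inside the RTF, a naive grep for "CWS" on the raw document finds nothing; decoding `\objdata` first is what makes the embedded SWF visible. A production check would additionally walk the OLE container itself and inspect the SWF contents, since DealersChoice's outer ActionScript is only a loader for further SWF payloads.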
Palo Alto Networks' Unit 42 threat research team discovered DealersChoice earlier this year, reporting last October that one of the tool's two known variants, DealersChoice.B, is programmed to download its malicious components from a remote command-and-control server. But at the time, the C&C server was not operational, preventing researchers from fully analyzing its behavior.
More recently, however, Unit 42 came across samples that successfully connected to one of two live, active servers, helping the researchers fill in more pieces to the puzzle, according to a new Palo Alto blog post on Thursday.
All of the latest samples collected were of the DealersChoice.B variety. This suggests that attackers may now favor this version over DealersChoice.A, which is a standalone variant – containing four embedded files and an ActionScript – that infects users with malicious shellcode all by itself, without the aid of a C&C server.
“The main difference is that Variant B is modular and thus more flexible,” said Bryan Lee, threat intelligence analyst at Palo Alto's Unit 42, in an interview with SC Media. “It allows the Sofacy group to serve exploit code on-demand without having to repackage the embedded Flash file with new exploit code for every attack.”
It makes sense that the attackers would prefer this method of distributing the malicious code, considering that Adobe in late October patched a key zero-day Flash vulnerability (CVE-2016-7855) that DealersChoice was seen actively exploiting in combination with a separate Microsoft vulnerability (CVE-2016-7255) that was patched in early November. The Adobe fix may have forced the APT to begin looking for other viable exploits that could be more conveniently delivered via a C&C connection rather than being built into the tool itself.
Like the samples collected earlier this year, the more recent DealersChoice samples were distributed via spear phishing emails with subject lines and decoy documents crafted to pique the interest of their recipients.
While the previous phishing emails largely targeted organizations in former Soviet nations including Ukraine, these latest examples could possibly indicate that the threat is spreading to new territories. Palo Alto noted that one document specifically targeted the Ministry of Defense of a country in Europe, while another targeted a Ministry of Foreign Affairs in a Central Asian country. Researchers also uncovered a document purportedly detailing the exploits of Turkish troops in Mosul, and another conveying a story about Lithuania and Norway agreeing to an arms deal.
Moreover, the change in status of DealersChoice's C&C servers allowed Palo Alto researchers to confirm their earlier theory that DealersChoice.B sends a beacon containing information about the infected machine to the server, so that the server can “fingerprint” the compromised device and choose the proper .SWF file with which to exploit the victim based on Flash version. "To that end, though, it was surprising that the attackers are not yet serving a macOS payload with DealersChoice, even though we have observed the existence of one..." said Lee.
Palo Alto researchers also determined that the C&C server may choose not to take action at all, depending on the machine's geolocation. For instance, one of the C&C servers did not respond to a request sent from a VPN in California, but did deliver a malicious .SWF file and payload after receiving a request from a VPN in the Middle East.