Application security, Threat Management, Threat Intelligence, Incident Response, Malware, Network Security, Phishing, TDR

Russian APT’s DealersChoice exploit tool is a raw deal for Flash users

Russian advanced persistent threat group Sofacy has another ace up its sleeve: a Flash Player exploit tool, dubbed DealersChoice, that in some ways resembles a Russian nesting doll.

Discovered by Palo Alto Networks' Unit 42 threat research team, the tool generates RTF documents that contain embedded OLE Word documents, that in turn contain an embedded Adobe Flash (.SWF) file with an ActionScript that produces additional .SWF files whose contents are designed to abuse flaws in Flash software. The purpose of these files-within-files-within-files is essentially to create a backdoor, allowing the APT group – also known as Fancy Bear – to compromise the victim's machine and download additional malware.

“The multiple layers were interesting, just because it adds an extra layer of obfuscation and anti-analysis,” said Robert Falcone, a Palo Alto threat intelligence analyst, in an interview with “There are multiple layers you have to peel apart to ultimately get to the malicious content itself… It takes a lot more effort to analyze.”

In two separate incidents taking place last Aug. 15 and 16, DealersChoice delivered a malicious Flash file to a Ukrainian defense contractor, and also to a Ministry of Foreign Affairs in a nation-state based in the same region, according to a Palo Alto blog post Monday. Both attacks originated from spear phishing emails that were crafted with their targets in mind; for instance, the one targeting the Ukrainian contractor purportedly offered information on a possible Russian invasion and featured a spoofed sender address that appeared to belong to the European Parliaments Press Unit.

Clicking the attachment in these emails would open up a decoy document designed to keep the user occupied while the exploit tool does its underhanded work.

Palo Alto observed two distinct variants of the embedded SWF files, DealersChoice.A and DealersChoice.B. The former and likely original version contains four embedded files and an ActionScript, which upon execution infects users with malicious shellcode all by itself. Version B, on the other hand, connects to a command-and-control server to download the components necessary to exploit the victim's systems.

In either case, the APT – one of two linked to the Democratic National Committee hack – checks the version of Flash installed on the user's machine to make sure one of its exploit codes will be able to compromise the software. If the version has no exploitable flaw, the malware won't execute. Version B does this by communicating certain machine information to its C&C server; however, as of the report's publishing, the server was not operational. Palo Alto researchers also have a working theory that a live operational server would check the machine's operating system, which would likely mean that version B works on multiple OS platforms.

Palo Alto researchers examined the DealersChoice.A payload and found it to be similar in nature to the Sofacy Trojan's Carberp variant (which borrows from the leaked Carberp botnet creation kit source code) and its Komplex variant for OS X systems. “It does show that they're able to build trojans for different environments but also share a core design,” said Falcone.

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.