Cybersecurity workers, beware: A new malicious campaign is using a fake document advertising a security conference to infect security professionals’ machines, according to a Sunday report from Cisco Talos.
Cisco Talos tracked the campaign back to the infamous hackers known as Group 74 (and sometimes Tsar Team, Sofacy, APT28, or Fancy Bear)–a Russian hacking collective with links to the Kremlin, as ZDNet noted. The attack is particularly effective because its decoy document is from a real conference: The Cyber Conflict US conference organized by the NATO Cooperative Cyber Defence Centre of Excellence, which is taking place on November 7-8 in Washington, DC.
Cybersecurity workers received an email with an attached two-page Word document labeled “Conference_on_Cyber_Conflict.doc.” The fake flyer contains a malicious Visual Basic for Applications (VBA) macro. Previous campaigns from Group 74 included Office exploits or zero-day attacks, Cisco Talos researchers noted in their report.
SEE: IT leader’s guide to the threat of cyberwarfare (Tech Pro Research)
The VBA drops and executes a new variant of Seduploader–a spying malware that’s been used by Group 74 for years, researchers wrote, capable of taking screenshots, gathering data, executing code, and downloading files. It includes a dropper and a payload file that are modified to avoid detection.
The document included language from the conference’s website, as well as its logos, making it appear to be legitimate.
“Analysis of this campaign shows us once more that attackers are creative and use the news to compromise the targets,” Cisco Talos researchers wrote. “This campaign has most likely been created to allow the targeting of people linked to or interested by cybersecurity, so probably the people who are more sensitive to cybersecurity threats.”
It remains unknown why the group chose the VBA attack instead of another method, but it’s possible that they did not want to use any exploits, to ensure they remained viable for other operations, the researchers noted. “Actors will often not use exploits due to the fact that researchers can find and eventually patch these which renders the actors weaponized platforms defunct,” according to the report.
It’s likely that targeted, sophisticated attacks like this will continue to grow in the future. Business users should always take caution before opening email attachments, even if they appear to come from a legitimate source. For more tips to help protect yourself and your employees, click here.
The 3 big takeaways for TechRepublic readers
1. A new malware campaign from Russian hacking collective Group 74 is targeting cybersecurity professionals with a malicious Visual Basic for Applications (VBA) macro, according to a report from Cisco Talos.
2. The attackers are using a decoy Word document that appears to advertise for a real upcoming security conference in an attempt to breach users’ systems.
3. The campaign shows that attackers are getting more creative and sophisticated, using the news to compromise specific targets.