2 min

Tags in this article

, ,

Palo Alto Networks Unit 42 security researchers have found a new hack campaign targeting government agencies around the world. The campaign is from the Sofacy Group and uses a series of armed documents, reports Silicon Angle.

Government agencies worldwide are being attacked by the hack group. These include agencies in the United States, Europe and the former Eastern Bloc.

The armed documents were first detected in October. The documents load remote templates with a rogue macro. This is usually done via a Microsoft Word document. Once the macro is open, it downloads rogue payloads, such as the Zebrocy Trojan. That trojan had previously been linked to the Sofacy Group. A newly identified trojan, called Cannon, is also downloaded.

One of the documents uses the name “crash list (Lion Air Boeing 737).docx”. This name refers to the crash of a Lion Air Flight 610, which crashed outside Indonesian Jakarta on 29 October. “This is not the first time that such a grouping has used recent events as lure material, but it is interesting to see that this group is trying to misuse the attention of a catastrophic incident to carry out their attack,” said the researchers.

Another document seems to target a government agency dealing with foreign affairs in Europe. This document is distributed via spear-phishing, in which e-mails are sent on behalf of a friend in order to get people to reveal secret information. As soon as the user tries to open the document, Word immediately tries to load a remote template with a rogue macro and a payload from a location specified in the script.


Once the Zebrocy Trojan is installed, it collects specific information about the system. That information sends it to the command-and-server via an HTTP Post request to a predefined URL. Like other Zebrocy malware, the trojan also takes a screenshot of the victim as a JPG image.

Cannon, the second trojan, works mainly as a downloader that relies on emails to communicate between the trojan and the C&C server. “The overall goal of Cannon is to use various email accounts to send the information to the attackers and ultimately get a payload from an email from the attackers.

The payload is designed in such a way that it is difficult to detect it. The researchers therefore argue that it is important for organisations to take measures in advance to minimise the risk of data theft.

This news article was automatically translated from Dutch to give Techzine.eu a head start. All news articles after September 1, 2019 are written in native English and NOT translated. All our background stories are written in native English as well. For more information read our launch article.