The Sofacy group, also known as APT28 and Fancy Bear, has carried out an attack on an unnamed European government agency using an updated variant of DealersChoice.
Details of the attack, published by Unit 42, the threat research team at Palo Alto Networks, describe the espionage group using .docx files titled “Defence & Security 2018 Conference Agenda,” whose content appears to have been copied directly from the website of the “Underwater Defence & Security 2018 Conference.”
Back in October 2016, the Unit 42 researchers published an initial analysis of a Flash exploitation framework used by the Sofacy threat group, which they called DealersChoice. The attacks used Microsoft Word delivery documents containing Adobe Flash objects capable of loading additional malicious Flash objects, either embedded in the same file or supplied directly by a command and control (C2) server. Sofacy continued to use DealersChoice throughout the fall of 2016, which was documented in December 2016.
However, the attacks that took place on March 12 and 14 used a variation of the spear-phishing technique not previously seen from Sofacy.
Unlike in the fall of 2016, the Flash object in the document is loaded only if the user scrolls through the entire content of the delivery document and views the specific page in which the Flash object is embedded. Only then does the object contact an active C2 server to download an additional Flash object containing the exploit code. The practical consequence is that nothing malicious is fetched until that page is rendered, so an analysis environment that merely opens the document without displaying every page will not trigger the second-stage download.
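Because the delivery document carries only a Flash loader and defers the exploit until a C2 fetch, the part of the attack that is available for static triage is the embedded Flash object itself. The following is an added example, not code from Unit 42 or from the original report: it scans a .docx container (an OOXML zip) for the two artifacts a Word-hosted Flash object leaves behind, an ActiveX part referencing the Shockwave Flash control CLSID (D27CDB6E-AE6D-11CF-96B8-444553540000) and any member beginning with a SWF signature (FWS, CWS or ZWS). The sample document it builds is constructed for demonstration and contains no exploit; the `ax` XML namespace and the part names mirror Word's conventions but are assumptions for this illustration.

```python
import io
import sys
import uuid
import zipfile

# Well-known CLSID of the Shockwave Flash ActiveX control, the class a Word
# document references when it hosts a Flash object.
FLASH_CLSID = uuid.UUID("D27CDB6E-AE6D-11CF-96B8-444553540000")
# SWF file signatures: FWS = uncompressed, CWS = zlib-compressed, ZWS = LZMA-compressed.
SWF_MAGICS = (b"FWS", b"CWS", b"ZWS")


def find_flash_objects(docx_bytes):
    """Scan an OOXML (.docx) package and return (member, reason) pairs for every
    part that references the Flash control or is itself a raw SWF."""
    findings = []
    clsid_text = str(FLASH_CLSID).lower()     # textual form used in ActiveX XML parts
    clsid_le = FLASH_CLSID.bytes_le           # binary GUID layout used in OLE/ActiveX .bin parts
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            data = zf.read(name)
            if name.endswith(".xml"):
                # ActiveX control parts (word/activeX/activeX*.xml) name the control by CLSID.
                if clsid_text in data.decode("utf-8", "replace").lower():
                    findings.append((name, "references Shockwave Flash CLSID"))
            elif clsid_le in data:
                # Binary ActiveX/OLE parts carry the same GUID in little-endian form.
                findings.append((name, "binary part contains Shockwave Flash CLSID"))
            if data[:3] in SWF_MAGICS:
                # A SWF stored directly in the package, e.g. under word/embeddings/.
                findings.append((name, "SWF header " + data[:3].decode("ascii")))
    return findings


def build_sample_docx(with_flash=True):
    """Build a minimal, constructed .docx-like package for demonstration only.
    With with_flash=True it adds a Flash ActiveX reference and a stub SWF header,
    mimicking the layout of a Flash-bearing Word delivery document (assumed layout)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document>conference agenda text</w:document>")
        if with_flash:
            zf.writestr(
                "word/activeX/activeX1.xml",
                '<ax:ocx xmlns:ax="http://schemas.microsoft.com/office/2006/activeX" '
                'ax:classid="{%s}"/>' % str(FLASH_CLSID).upper(),
            )
            # Constructed SWF stub: signature, version byte and a zero length field; no body.
            zf.writestr("word/embeddings/oleObject1.bin", b"CWS\x0a" + b"\x00" * 4)
    return buf.getvalue()


if __name__ == "__main__":
    # Usage: python flash_scan.py [document.docx]; without an argument the built-in sample is scanned.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_docx()
    for member, reason in find_flash_objects(blob):
        print("%s: %s" % (member, reason))
```

The scan is deliberately signature-free beyond the CLSID and SWF magic: it flags the presence of a Flash object, not the C2 fetch, which is exactly the part a scroll-gated loader hides from an analyst who never renders the page.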