The advanced persistent threat group Fancy Bear continues its attacks on government entities around the world using a two-stage malware campaign that drops the Zebrocy Trojan and a new Trojan dubbed Cannon, as discovered by Palo Alto Networks' Unit 42.
The malicious emails sent in Fancy Bear's new campaign drop the Zebrocy Trojan as the first-stage payload and the new Cannon Trojan as the second-stage payload.
The email-based channel Cannon uses to communicate with its command-and-control (C2) servers is the most notable behavior Unit 42 observed while analyzing the new Trojan.
Moreover, using email to reach the operators controlling it may help Cannon avoid detection, since most malware today uses HTTP and HTTPS channels and network monitoring is tuned accordingly.
As discovered by Unit 42, "The weaponized documents targeted several government entities around the globe, including North America, Europe, and a former USSR state." Cannon uses the encrypted SMTPS and POP3S protocols for its C2 channels.
Fancy Bear (also known as APT28, Pawn Storm, Sofacy Group, Sednit, and STRONTIUM) also built the infection vector to frustrate analysis: the Word document that delivers Cannon uses the AutoClose macro function to prevent examination in a malware analysis environment such as an automated sandbox, delaying execution of the malicious code until the document is closed. A sandbox that opens the document, waits, and never closes it sees no malicious activity.
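To show how a defender can triage this trick, here is an added example (not from the article or from Unit 42's report): a small scanner that takes the VBA source of an Office document, finds procedures bound to Word's auto-execution events (AutoOpen, AutoClose, Document_Close and the like) and reports which of them call into APIs commonly used by macro droppers. The VBA text embedded below is a constructed, inert sample written for this example; the suspicious-call list is a heuristic, and in practice the macro source would first be extracted from the document with a tool such as olevba.

```python
"""
Added example: flag Word auto-execution macros, including AutoClose-triggered
ones, and report suspicious API use inside them. Sample VBA is constructed.
"""
import re

# Procedure names Word runs automatically on a document event.
AUTO_EXEC_NAMES = {
    "autoopen", "document_open", "autoexec", "autonew",
    "autoclose", "document_close", "autoexit",
}

# Heuristic list of calls typical of macro droppers (assumption, not exhaustive).
SUSPICIOUS_CALLS = ("Shell", "CreateObject", "WScript.Shell",
                    "URLDownloadToFile", "SaveToFile", "Environ")

# Matches "Sub Name(...) ... End Sub" / "Function Name(...) ... End Function".
PROC_RE = re.compile(
    r"^\s*(?:Private\s+|Public\s+)?(Sub|Function)\s+(\w+)\s*\(.*?\)(.*?)^\s*End\s+\1\b",
    re.IGNORECASE | re.DOTALL | re.MULTILINE,
)

# Constructed sample: an opener that does nothing, so a sandbox that only
# opens the document sees no activity, and the real logic deferred to AutoClose.
SAMPLE_VBA = r'''
Sub AutoOpen()
    ' Looks harmless on open.
    ActiveDocument.Saved = True
End Sub

Sub AutoClose()
    ' Payload logic deferred until the user closes the document.
    Dim p As String
    p = Environ("APPDATA") & "\updater.exe"
    Shell p, vbHide
End Sub

Sub Helper()
    MsgBox "hello"
End Sub
'''


def find_auto_exec_procs(vba_source):
    """Return {procedure_name: [suspicious calls found in its body]} for every
    procedure whose name is a Word auto-execution trigger."""
    findings = {}
    for _kind, name, body in PROC_RE.findall(vba_source):
        if name.lower() in AUTO_EXEC_NAMES:
            lowered = body.lower()
            findings[name] = [c for c in SUSPICIOUS_CALLS if c.lower() in lowered]
    return findings


def flagged_triggers(vba_source):
    """Names of auto-exec procedures that also contain suspicious calls,
    i.e. the ones worth a closer look (or a sandbox run that closes the doc)."""
    return sorted(name for name, hits in find_auto_exec_procs(vba_source).items() if hits)


if __name__ == "__main__":
    for name, hits in find_auto_exec_procs(SAMPLE_VBA).items():
        print(f"{name}: {', '.join(hits) if hits else 'no suspicious calls'}")
    print("flagged:", flagged_triggers(SAMPLE_VBA))
```

The practical lesson is in the result: AutoOpen is found but clean, while AutoClose carries the Shell and Environ calls. A sandbox configuration should therefore exercise the close event as well as the open event, and a static check should treat any auto-exec procedure, not just AutoOpen, as a trigger.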
Cannon works "primarily as a downloader that relies on emails to communicate between the Trojan and the C2 server. To communicate with the C2 server, the Trojan will send emails to specific email addresses via SMTPS over TCP port 587."
As unveiled during Unit 42's analysis, Cannon comes with multiple capabilities: gaining persistence on compromised machines, generating a unique system-specific ID for each of them, grabbing desktop screenshots, gathering system information, sending the collected data to its operators over SMTPS, and logging into email accounts over POP3S to retrieve their replies.
Cannon can also download new payloads sent by the cyberespionage group and execute them on the compromised machine.
Using SMTPS and POP3S to communicate with its C2 servers makes the new Cannon Trojan much harder to detect, given that the servers it uses to send and receive commands are legitimate email service providers: the traffic is encrypted and blends in with ordinary mail.
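Blending in with legitimate mail is not the same as being invisible. The one thing a downloader like this cannot hide is which process on the endpoint is speaking SMTPS and POP3S. The following added example (not from the article or from Unit 42) runs a hunt over constructed endpoint network-connection events and surfaces processes that submit mail on TCP 587 or 465 and poll POP3S on TCP 995 without being an approved mail client, ranking highest the pairs that do both, which is the send-then-poll pattern described above. The event layout, host and process names, and the mail-client allowlist are assumptions made for the example.

```python
"""
Added example: hunt endpoint connection logs for non-mail-client processes
using SMTPS submission and POP3S. All log lines below are constructed.
"""
from collections import defaultdict

# Constructed sample events: "timestamp host process dst_host dst_port".
SAMPLE_EVENTS = """\
2018-11-20T09:01:11Z WS01 outlook.exe mail.example.net 587
2018-11-20T09:01:15Z WS01 outlook.exe mail.example.net 995
2018-11-20T09:03:02Z WS03 chrome.exe www.example.org 443
2018-11-20T09:05:40Z WS07 updater.exe smtp.mail.example 587
2018-11-20T09:06:12Z WS07 updater.exe pop.mail.example 995
2018-11-20T09:10:09Z WS09 backup.exe smtp.mail.example 587
"""

SUBMISSION_PORTS = {587, 465}   # mail submission (STARTTLS / implicit TLS)
POP3S_PORTS = {995}             # POP3 over TLS
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}  # assumed allowlist


def parse_events(text):
    """Parse the whitespace-separated sample format into dicts; skip bad lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, host, proc, dst, port = parts
        events.append({"ts": ts, "host": host, "process": proc.lower(),
                       "dst": dst, "port": int(port)})
    return events


def hunt_email_c2(events, mail_clients=MAIL_CLIENTS):
    """Group mail-port connections by (host, process), ignoring approved mail
    clients, and emit one finding per pair. A pair that both submits and polls
    is ranked high because it matches a downloader that reports in over SMTPS
    and fetches tasking over POP3S."""
    seen = defaultdict(lambda: {"submit": set(), "poll": set()})
    for ev in events:
        if ev["process"] in mail_clients:
            continue
        key = (ev["host"], ev["process"])
        if ev["port"] in SUBMISSION_PORTS:
            seen[key]["submit"].add(ev["dst"])
        elif ev["port"] in POP3S_PORTS:
            seen[key]["poll"].add(ev["dst"])

    findings = []
    for (host, proc), d in sorted(seen.items()):
        if d["submit"] and d["poll"]:
            severity, reason = "high", "submits over SMTPS and polls POP3S outside a mail client"
        elif d["submit"]:
            severity, reason = "medium", "submits over SMTPS outside a mail client"
        else:
            severity, reason = "medium", "polls POP3S outside a mail client"
        findings.append({
            "host": host, "process": proc, "severity": severity, "reason": reason,
            "destinations": sorted(d["submit"] | d["poll"]),
        })
    return findings


if __name__ == "__main__":
    for f in hunt_email_c2(parse_events(SAMPLE_EVENTS)):
        print(f"[{f['severity']}] {f['host']} {f['process']}: {f['reason']} "
              f"-> {', '.join(f['destinations'])}")
```

Two caveats a practitioner would add. A process-name allowlist is weak on its own: an implant injected into the mail client, or a binary simply named outlook.exe, passes it, so pair the process name with a signer or hash check where the telemetry offers one. Second, the destinations are legitimate providers by design, so blocking them is not an option; the useful signal is the combination of an unexpected process, the send-then-poll rhythm, and periodicity over time.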