APT28 Back in RussianDoll Attack Using Adobe, Windows Flaws

Written by

Security firm FireEye has discovered a recent targeted attack campaign likely to have been backed by the Kremlin which exploits zero day vulnerabilities in Adobe Flash and Microsoft Windows.

Operation RussianDoll, as it has been dubbed by the vendor, began on 13 April and has been spotted targeting a “specific foreign government organization.”

After studying its “technical indicators and command and control infrastructure,” FireEye believes it to be the work of a group known as APT28, which it unmasked in October 2014 as having probable state backing for its activities.

After being tricked into clicking on a malicious link, users will be taken to a website controlled by the group, the firm said.

An HTML/JS launcher page will then serve up a Flash exploit to trigger CVE-2015-3043, which Adobe actually patched last week.

Shellcode then downloads and runs an executable payload to exploit a Windows local privilege escalation vulnerability (CVE-2015-1701) to steal a System token.

Although the Adobe flaw has been patched, Microsoft has yet to issue one for the Windows vulnerability.

The target firm is an “international government entity” in an industry which APT28 is known to have targeted in the past, said FireEye.

The attack also uses a malware variant that shares characteristics with APT28 backdoors.

The security vendor explained:

“CHOPSTICK and CORESHELL malware families, both described in our APT28 whitepaper. The malware uses an RC4 encryption key that was previously used by the CHOPSTICK backdoor. And the C2 messages include a checksum algorithm that resembles those used in CHOPSTICK backdoor communications. In addition, the network beacon traffic for the new malware resembles those used by the CORESHELL backdoor. Like CORESHELL, one of the beacons includes a process listing from the victim host. And like CORESHELL, the new malware attempts to download a second-stage executable.”

C2 locations for RussianDoll also match known or suspected APT28 domains, the firm said.

APT28 was unmasked last year has having been in operation since 2007.

It is known for using relatively sophisticated malware which is designed to hamper reverse engineering techniques used by the white hats.

What’s hot on Infosecurity Magazine?