{ "Event": { "analysis": "0", "date": "2018-03-16", "extends_uuid": "", "info": "OSINT - Sofacy Uses DealersChoice to Target European Government Agency", "publish_timestamp": "1521231378", "published": true, "threat_level_id": "3", "timestamp": "1521231369", "uuid": "5aac24b9-0404-4877-8b3f-425e02de0b81", "Orgc": { "name": "CIRCL", "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f" }, "Tag": [ { "colour": "#12e000", "local": "0", "name": "misp-galaxy:threat-actor=\"Sofacy\"", "relationship_type": "" }, { "colour": "#0088cc", "local": "0", "name": "misp-galaxy:mitre-mobile-attack-intrusion-set=\"APT28\"", "relationship_type": "" }, { "colour": "#0088cc", "local": "0", "name": "misp-galaxy:microsoft-activity-group=\"STRONTIUM\"", "relationship_type": "" }, { "colour": "#ffffff", "local": "0", "name": "tlp:white", "relationship_type": "" }, { "colour": "#00223b", "local": "0", "name": "osint:source-type=\"blog-post\"", "relationship_type": "" }, { "colour": "#075200", "local": "0", "name": "admiralty-scale:source-reliability=\"b\"", "relationship_type": "" } ], "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1521231188", "to_ids": false, "type": "link", "uuid": "5aac24cd-c348-4913-8e3c-46ad02de0b81", "value": "https://researchcenter.paloaltonetworks.com/2018/03/unit42-sofacy-uses-dealerschoice-target-european-government-agency/" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1521231188", "to_ids": false, "type": "text", "uuid": "5aac24df-8cac-4ae2-9f83-41fe02de0b81", "value": "Back in October 2016, Unit 42 published an initial analysis on a Flash exploitation framework used by the Sofacy threat group called DealersChoice. 
The attack consisted of Microsoft Word delivery documents that contained Adobe Flash objects capable of loading additional malicious Flash objects embedded in the file or directly provided by a command and control (C2) server. Sofacy continued to use DealersChoice throughout the fall of 2016, which we also documented in our December 2016 publication discussing Sofacy\u2019s larger campaign.\r\n\r\nOn March 12 and March 14, we observed the Sofacy group carrying out an attack on a European government agency involving an updated variant of DealersChoice. The updated DealersChoice documents used a similar process to obtain a malicious Flash object from a C2 server, but the inner mechanics of the Flash object contained significant differences in comparison to the original samples we analyzed.\r\n\r\nOne of the differences was a particularly clever evasion technique: to our knowledge this has never been observed in use. With the previous iterations of DealersChoice samples, the Flash object would immediately load and begin malicious tasks. In the March attacks, the Flash object is only loaded if the user scrolls through the entire content of the delivery document and views the specific page the Flash object is embedded on. 
Also, DealersChoice requires multiple interactions with an active C2 server to successfully exploit an end system.\r\n\r\nThe overall process to result in a successful exploitation is:\r\n\r\n User must open the Microsoft Word email attachment\r\n User must scroll to page three of the document, which will run the DealersChoice Flash object\r\n The Flash object must contact an active C2 server to download an additional Flash object containing exploit code\r\n The initial Flash object must contact the same C2 server to download a secondary payload\r\n Victim host must have a vulnerable version of Flash installed" }, { "category": "Payload delivery", "comment": "Macro-ladened documents", "deleted": false, "disable_correlation": false, "timestamp": "1521231103", "to_ids": true, "type": "sha256", "uuid": "5aac24ff-7354-4cea-8aaa-45e302de0b81", "value": "e5511b22245e26a003923ba476d7c36029939b2d1936e17a9b35b396467179ae" }, { "category": "Payload delivery", "comment": "Macro-ladened documents", "deleted": false, "disable_correlation": false, "timestamp": "1521231103", "to_ids": true, "type": "sha256", "uuid": "5aac24ff-3730-48fb-a4e5-4d8702de0b81", "value": "efb235776851502672dba5ef45d96cc65cb9ebba1b49949393a6a85b9c822f52" }, { "category": "Payload delivery", "comment": "Macro-ladened documents", "deleted": false, "disable_correlation": false, "timestamp": "1521231104", "to_ids": true, "type": "sha256", "uuid": "5aac2500-5ff8-4a87-9791-4b8f02de0b81", "value": "c4be15f9ccfecf7a463f3b1d4a17e7b4f95de939e057662c3f97b52f7fa3c52f" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1521231189", "to_ids": true, "type": "domain", "uuid": "5aac250d-65a0-4c55-b1d1-4f2402de0b81", "value": "ndpmedia24.com" } ], "Object": [ { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", 
"template_version": "10", "timestamp": "1521231176", "uuid": "5aac2548-f190-4dbb-a63b-4fce02de0b81", "Attribute": [ { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "text", "timestamp": "1521231176", "to_ids": false, "type": "text", "uuid": "5aac2548-c6b4-4669-8216-453b02de0b81", "value": "DealersChoice" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "filename", "timestamp": "1521231176", "to_ids": true, "type": "filename", "uuid": "5aac2548-78a0-4d93-8ece-4af402de0b81", "value": "Defence & Security 2018 Conference Agenda.docx" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1521231176", "to_ids": true, "type": "sha256", "uuid": "5aac2548-5448-40c9-b7d1-4a2c02de0b81", "value": "0cd9ac328d858d8d83c9eb73bfdc59a958873b3d71b24c888d7408d9512a41d7" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "state", "timestamp": "1521231176", "to_ids": false, "type": "text", "uuid": "5aac2548-0008-484f-ab63-462302de0b81", "value": "Malicious" } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "7", "timestamp": "1521231192", "uuid": "fdbb06b0-985e-4623-b4be-6ff5a18d2bca", "ObjectReference": [ { "comment": "", "object_uuid": "fdbb06b0-985e-4623-b4be-6ff5a18d2bca", "referenced_uuid": "69bee5ff-3c03-4673-9b38-3569296560c7", "relationship_type": "analysed-with", "timestamp": "1521231198", "uuid": "5aac255e-359c-47dc-9177-4a3f02de0b81" } ], "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1521231189", "to_ids": true, "type": "sha1", 
"uuid": "5aac2555-28b4-4cae-8ceb-47a902de0b81", "value": "7204be1059d404ecb81a20c89f9448f599aa9cfe" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1521231190", "to_ids": true, "type": "sha256", "uuid": "5aac2556-a95c-47ae-98e1-448b02de0b81", "value": "0cd9ac328d858d8d83c9eb73bfdc59a958873b3d71b24c888d7408d9512a41d7" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1521231190", "to_ids": true, "type": "md5", "uuid": "5aac2556-9d3c-471a-9c4e-400102de0b81", "value": "87d7c3096ae4167a19c10d0d204c4609" } ] }, { "comment": "", "deleted": false, "description": "VirusTotal report", "meta-category": "misc", "name": "virustotal-report", "template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4", "template_version": "1", "timestamp": "1521231190", "uuid": "69bee5ff-3c03-4673-9b38-3569296560c7", "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "permalink", "timestamp": "1521231190", "to_ids": false, "type": "link", "uuid": "5aac2556-04d0-40d9-936b-44df02de0b81", "value": "https://www.virustotal.com/file/0cd9ac328d858d8d83c9eb73bfdc59a958873b3d71b24c888d7408d9512a41d7/analysis/1521229058/" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "detection-ratio", "timestamp": "1521231191", "to_ids": false, "type": "text", "uuid": "5aac2557-6e04-4c31-a658-4f5002de0b81", "value": "7/60" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "last-submission", "timestamp": "1521231191", "to_ids": false, "type": "datetime", "uuid": "5aac2557-299c-46a8-811e-45d102de0b81", "value": "2018-03-16T19:37:38" } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", 
"meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "7", "timestamp": "1521231194", "uuid": "c7e2bc2b-9343-40a6-b68c-816c2d4d7233", "ObjectReference": [ { "comment": "", "object_uuid": "c7e2bc2b-9343-40a6-b68c-816c2d4d7233", "referenced_uuid": "0c6dc100-f189-4185-9795-0d947e5148f2", "relationship_type": "analysed-with", "timestamp": "1521231198", "uuid": "5aac255e-cda0-43d0-8c18-4af602de0b81" } ], "Attribute": [ { "category": "Payload delivery", "comment": "Macro-ladened documents", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1521231191", "to_ids": true, "type": "sha1", "uuid": "5aac2557-3678-4f25-a15d-479f02de0b81", "value": "169c8f3e3d22e192c108bc95164d362ce5437465" }, { "category": "Payload delivery", "comment": "Macro-ladened documents", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1521231192", "to_ids": true, "type": "sha256", "uuid": "5aac2558-b0d8-4390-bf95-447c02de0b81", "value": "efb235776851502672dba5ef45d96cc65cb9ebba1b49949393a6a85b9c822f52" }, { "category": "Payload delivery", "comment": "Macro-ladened documents", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1521231192", "to_ids": true, "type": "md5", "uuid": "5aac2558-5594-4608-bc91-4bad02de0b81", "value": "f52ea8f238e57e49bfae304bd656ad98" } ] }, { "comment": "", "deleted": false, "description": "VirusTotal report", "meta-category": "misc", "name": "virustotal-report", "template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4", "template_version": "1", "timestamp": "1521231193", "uuid": "0c6dc100-f189-4185-9795-0d947e5148f2", "Attribute": [ { "category": "External analysis", "comment": "Macro-ladened documents", "deleted": false, "disable_correlation": false, "object_relation": "permalink", "timestamp": "1521231193", "to_ids": false, "type": "link", "uuid": "5aac2559-c9e4-46da-b7b5-48a602de0b81", "value": 
"https://www.virustotal.com/file/efb235776851502672dba5ef45d96cc65cb9ebba1b49949393a6a85b9c822f52/analysis/1521222896/" }, { "category": "Other", "comment": "Macro-ladened documents", "deleted": false, "disable_correlation": true, "object_relation": "detection-ratio", "timestamp": "1521231193", "to_ids": false, "type": "text", "uuid": "5aac2559-42dc-4076-947c-410c02de0b81", "value": "37/59" }, { "category": "Other", "comment": "Macro-ladened documents", "deleted": false, "disable_correlation": false, "object_relation": "last-submission", "timestamp": "1521231193", "to_ids": false, "type": "datetime", "uuid": "5aac2559-ccec-44f3-bf71-432302de0b81", "value": "2018-03-16T17:54:56" } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "7", "timestamp": "1521231196", "uuid": "0f32f6dc-a546-44dd-adb1-81aa86fe31ac", "ObjectReference": [ { "comment": "", "object_uuid": "0f32f6dc-a546-44dd-adb1-81aa86fe31ac", "referenced_uuid": "ca30c358-c897-4462-84ff-b5feedfed6ad", "relationship_type": "analysed-with", "timestamp": "1521231198", "uuid": "5aac255e-b388-4bb3-86b4-4e1a02de0b81" } ], "Attribute": [ { "category": "Payload delivery", "comment": "Macro-ladened documents", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1521231194", "to_ids": true, "type": "sha1", "uuid": "5aac255a-fca8-4ef1-887c-421c02de0b81", "value": "4873bafe44cff06845faa0ce7c270c4ce3c9f7b9" }, { "category": "Payload delivery", "comment": "Macro-ladened documents", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1521231194", "to_ids": true, "type": "sha256", "uuid": "5aac255a-909c-4d0f-8f99-4f3902de0b81", "value": "e5511b22245e26a003923ba476d7c36029939b2d1936e17a9b35b396467179ae" }, { "category": "Payload delivery", "comment": "Macro-ladened documents", 
"deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1521231194", "to_ids": true, "type": "md5", "uuid": "5aac255a-3678-4c5c-adf9-41bc02de0b81", "value": "94b288154e3d0225f86bb3c012fa8d63" } ] }, { "comment": "", "deleted": false, "description": "VirusTotal report", "meta-category": "misc", "name": "virustotal-report", "template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4", "template_version": "1", "timestamp": "1521231195", "uuid": "ca30c358-c897-4462-84ff-b5feedfed6ad", "Attribute": [ { "category": "External analysis", "comment": "Macro-ladened documents", "deleted": false, "disable_correlation": false, "object_relation": "permalink", "timestamp": "1521231195", "to_ids": false, "type": "link", "uuid": "5aac255b-5d1c-4d18-83dc-49f502de0b81", "value": "https://www.virustotal.com/file/e5511b22245e26a003923ba476d7c36029939b2d1936e17a9b35b396467179ae/analysis/1521222684/" }, { "category": "Other", "comment": "Macro-ladened documents", "deleted": false, "disable_correlation": true, "object_relation": "detection-ratio", "timestamp": "1521231195", "to_ids": false, "type": "text", "uuid": "5aac255b-e0b8-48b7-b404-470202de0b81", "value": "37/57" }, { "category": "Other", "comment": "Macro-ladened documents", "deleted": false, "disable_correlation": false, "object_relation": "last-submission", "timestamp": "1521231195", "to_ids": false, "type": "datetime", "uuid": "5aac255b-a4cc-4f24-bbcc-4bd302de0b81", "value": "2018-03-16T17:51:24" } ] }, { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "7", "timestamp": "1521231199", "uuid": "caa045ce-bcbe-4a02-bffb-ea43f82ef608", "ObjectReference": [ { "comment": "", "object_uuid": "caa045ce-bcbe-4a02-bffb-ea43f82ef608", "referenced_uuid": "5bfdbdfb-a83b-4cd9-84a9-dad020118364", "relationship_type": "analysed-with", "timestamp": 
"1521231198", "uuid": "5aac255e-f38c-4569-ad8d-479802de0b81" } ], "Attribute": [ { "category": "Payload delivery", "comment": "Macro-ladened documents", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1521231196", "to_ids": true, "type": "sha1", "uuid": "5aac255c-658c-4093-8837-40db02de0b81", "value": "cc7607015cd7a1a4452acd3d87adabdd7e005bd7" }, { "category": "Payload delivery", "comment": "Macro-ladened documents", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1521231196", "to_ids": true, "type": "sha256", "uuid": "5aac255c-81d0-45ad-9276-45fd02de0b81", "value": "c4be15f9ccfecf7a463f3b1d4a17e7b4f95de939e057662c3f97b52f7fa3c52f" }, { "category": "Payload delivery", "comment": "Macro-ladened documents", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1521231196", "to_ids": true, "type": "md5", "uuid": "5aac255c-9774-4f42-bcab-464302de0b81", "value": "085be1b8b8f3e90be00f6a3bcea2879f" } ] }, { "comment": "", "deleted": false, "description": "VirusTotal report", "meta-category": "misc", "name": "virustotal-report", "template_uuid": "d7dd0154-e04f-4c34-a2fb-79f3a3a52aa4", "template_version": "1", "timestamp": "1521231197", "uuid": "5bfdbdfb-a83b-4cd9-84a9-dad020118364", "Attribute": [ { "category": "External analysis", "comment": "Macro-ladened documents", "deleted": false, "disable_correlation": false, "object_relation": "permalink", "timestamp": "1521231197", "to_ids": false, "type": "link", "uuid": "5aac255d-ac80-4a76-80f7-487102de0b81", "value": "https://www.virustotal.com/file/c4be15f9ccfecf7a463f3b1d4a17e7b4f95de939e057662c3f97b52f7fa3c52f/analysis/1521222974/" }, { "category": "Other", "comment": "Macro-ladened documents", "deleted": false, "disable_correlation": true, "object_relation": "detection-ratio", "timestamp": "1521231197", "to_ids": false, "type": "text", "uuid": "5aac255d-fb30-4025-b44f-4ca802de0b81", "value": "17/39" }, { 
"category": "Other", "comment": "Macro-ladened documents", "deleted": false, "disable_correlation": false, "object_relation": "last-submission", "timestamp": "1521231197", "to_ids": false, "type": "datetime", "uuid": "5aac255d-f454-4120-869f-482002de0b81", "value": "2018-03-16T17:56:14" } ] } ] } }