APT28 malicious NATO document

In our quest to track criminals and expose their misconduct, we regularly monitor the threat actor known variously as APT28, Fancy Bear, STRONTIUM, Pawn Storm and Sednit. Granted, some of these names are really toolsets used by the criminals rather than a name for the group; if tomorrow they switched to different toolsets, those names would lose their meaning. I prefer the term APT28 because it is easier than making up our own name, and there are enough names already. Sofacy/Sednit are among the toolsets used by APT28, alongside others such as XAgent.

We recently came across a malicious document named “NATO Secretary meeting.doc”, detected by several AV products as Exploit.RTF-DOC-SWF.Gen. When opened, the document exploits Adobe Flash Player in the manner Palo Alto Networks Unit 42 described as the DealersChoice campaign, and tries to connect to hxxp://miropc[.]org. Unfortunately it could not complete its infection routine, as the domain is down.

Figure 1. A copy of NATO Secretary meeting.doc when executed.


Looking for more information on the domain miropc[.]org, we came across an interesting blog post from Prevenity, who track APT28, describing the same malicious document. Fortunately, they were able to run it while the malicious domains were still up, and extracted three domains from the document:

  • miropc[.]org
  • gtranm[.]com
  • zpfgr[.]com


Domain        IP               SOA                  Email
miropc[.]org  86.106.131[.]43  ulli_neu80.mail.com  ulli_neu80@mail.com
gtranm[.]com  89.42.212[.]141  wee7_nim.centrum.cz  wee7_nim@centrum.cz
zpfgr[.]com   94.177.12[.]74   info.bacloud.com     olavi_nieminen@suomi24.fi

AS Number  IP               IP Range         AS Name                          Country
47447      86.106.131[.]43  86.106.131.0/24  TTM                              DE
49981      89.42.212[.]141  89.42.212.0/24   WORLDSTREAM +++ Transit Imports  NL
49981      94.177.12[.]74   94.177.12.0/24   WORLDSTREAM +++ Transit Imports  NL

We checked passive DNS (pDNS) for each domain, and only zpfgr[.]com came back with two extra IP addresses, 91.216.163[.]80 and 185.86.149[.]54.

AS     IP               ISP      Country
61272  91.216.163[.]80  IST-AS   LT
52173  185.86.149[.]54  MAKONIX  LV

The IP address 91.216.163[.]80 is a shared IP and has hosted several malicious domains over time. On the IP address 185.86.149[.]54 we found the domain zpfgr[.]com, registered with the email address olavi_nieminen@suomi24.fi, and the domain lxwo[.]org (mail.lxwo[.]org), registered with the email address ter_bafian@centrum.cz. On the IP address 94.177.12[.]74 we found the domain rolstug[.]com, registered with the email address nemolin1@gmx.com. The likelihood of these domains being APT28 related is very high, although we haven’t found any samples using them yet. The domain lxwo[.]org was created on 2016-12-12, as was the domain rolstug[.]com, but the latter is apparently suspended now. We will continue to monitor the domain lxwo[.]org and update this post if anything is ever found connecting to or from it. We have seen threat actors register domains and keep them in their back pocket for months before putting them to use in an active campaign.
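As an added example (not code from this post), here is the pivoting logic used above carried out over the indicators in the tables: domains that share a hosting IP or registrant email are joined into clusters, while a value shared by too many domains (the shared IP 91.216.163[.]80 is the case in point) is dropped as too noisy to attribute on. The two shared-host-*[.]invalid domains and their email addresses are constructed placeholders for the unnamed unrelated domains on that shared IP.

```python
from collections import defaultdict

# Indicators taken from the tables in this post (IPs defanged as in the post).
# The two shared-host-* entries are constructed placeholders, not real domains.
RECORDS = [
    ("miropc[.]org",  "86.106.131[.]43", "ulli_neu80@mail.com",       47447),
    ("gtranm[.]com",  "89.42.212[.]141", "wee7_nim@centrum.cz",       49981),
    ("zpfgr[.]com",   "94.177.12[.]74",  "olavi_nieminen@suomi24.fi", 49981),
    ("zpfgr[.]com",   "185.86.149[.]54", "olavi_nieminen@suomi24.fi", 52173),
    ("zpfgr[.]com",   "91.216.163[.]80", "olavi_nieminen@suomi24.fi", 61272),
    ("lxwo[.]org",    "185.86.149[.]54", "ter_bafian@centrum.cz",     52173),
    ("rolstug[.]com", "94.177.12[.]74",  "nemolin1@gmx.com",          49981),
    ("shared-host-a[.]invalid", "91.216.163[.]80", "a@example.invalid", 61272),
    ("shared-host-b[.]invalid", "91.216.163[.]80", "b@example.invalid", 61272),
]
FIELDS = {"ip": 1, "email": 2, "asn": 3}  # column index of each pivot key


def pivot_links(records, keys=("ip", "email"), max_fanout=2):
    """Map each (key, value) pivot to the set of domains sharing it.

    A value shared by more than max_fanout domains (shared hosting, a whole
    ASN, a registrar privacy address) is discarded: it links everything to
    everything and proves nothing about who operates the domains.
    """
    by_value = defaultdict(set)
    for rec in records:
        for key in keys:
            by_value[(key, rec[FIELDS[key]])].add(rec[0])
    return {k: v for k, v in by_value.items() if 1 < len(v) <= max_fanout}


def pivot_clusters(records, keys=("ip", "email"), max_fanout=2):
    """Union-find over usable pivots; returns sorted clusters of domains."""
    parent = {rec[0]: rec[0] for rec in records}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for domains in pivot_links(records, keys, max_fanout).values():
        first, *rest = sorted(domains)
        for other in rest:
            parent[find(other)] = find(first)

    clusters = defaultdict(list)
    for domain in parent:
        clusters[find(domain)].append(domain)
    return sorted(sorted(c) for c in clusters.values())
```

Raising max_fanout or adding "asn" to the keys pulls gtranm[.]com and the shared-host placeholders into the same cluster, which is why the post treats the shared IP and the common ASN as weak evidence compared with a dedicated IP or a registrant email.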
