In our quest to track criminals and expose their misconduct, we regularly monitor the threat actor that goes by the name APT28, Fancy Bear, STRONTIUM, Pawn Storm, Sednit. Granted some of these names are toolsets used by the criminals a name for a group. If tomorrow, they’d come to use different toolsets these names would have no real meaning. I’d prefer to use the term APT28 because it is easier than making up ours, and there are enough already. Sofacy/Sednit are the toolsets used by APT28 among others such as XAgent.
We recently came across a malicious document named “NATO Secretary meeting.doc” detected by several AV product as Exploit.RTF-DOC-SWF.Gen. Upon execution, the malicious document takes advantage of Adobe Flash Player described by Palo Alto Unit 42 as the DealersChoice campaign and tries to connect to hxxp://miropc[.]org, unfortunately, it couldn’t perform its entire infection routine as the domain is down.
Figure 1. A copy of NATO Secretary meeting.doc when executed.
Looking for more information on the domain miropc[.]org, we came across an interesting blog from Prevenity who tracks APT28, which describes the same malicious document. Fortunately, they were able to run it while the malicious domains were still up. They extracted three domains from the same document:
|AS Number||IP||Range||AS Name||Country|
|49981||89.42.212[.]141||18.104.22.168/24||WORLDSTREAM +++ Transit Imports||NL|
|49981||94.177.12[.]74||22.214.171.124/24||WORLDSTREAM +++ Transit Imports||NL|
We checked the pDNS for each domain and only the domain zpfgr[.]com came back with two extra IP addresses, 126.96.36.199 and 188.8.131.52.
The IP address 91.216.163[.]80 is a shared IP and has hosted several malicious domains over time. On the IP address 185.86.149[.]54 we found the domain zpfgr[.]com registered with the email address firstname.lastname@example.org and the domain lxwo[.]org, mail.lxwo.org registered with the email address email@example.com. On the second IP address 94.177.12[.]74, we found the domain rolstug[.]com registered with the email address firstname.lastname@example.org. The likelihood of these domains being APT28 related is very high, granted we haven’t found any samples out there using these domains yet. The domain lxwo[.]org was created in 2016-12-12 as well as the domain rolstug[.]com but the latter is apparently suspended now. We will definitely continue to monitor the domain lxwo[.]org and update the post if anything is ever found connecting to or from this domain. We have seen threat actors registering domains and keep them in their back pocket for months before actively using them in an active campaign.