Russian APT Group Fancy Bear (APT28) Citing NYC Terror Attack in Phishing Campaign
McAfee researchers identified a new phishing campaign citing the recent terror attack in New York City to deliver Seduploader, a trojan used by nation-state actors to conduct reconnaissance, to unsuspecting victims. These emails contain a malicious Word document named IsisAttackInNewYork.docx that leverages the Microsoft Dynamic Data Exchange (DDE) protocol and PowerShell to deliver the trojan. Seduploader is capable of capturing screenshots, exfiltrating data, and executing arbitrary code. Despite the change in attack vector, the indicators of compromise (IoCs) and the analysis of the payload led McAfee analysts to attribute this campaign to Fancy Bear, also known as Group 74, APT28, Tsar Team, and Sofacy. The NJCCIC recommends that network administrators review the McAfee report and scan their networks for the associated IoCs. We also strongly recommend that all email users maintain awareness of emerging phishing campaigns and avoid clicking on links or opening attachments delivered with unexpected or unsolicited emails. If any end users have taken action on emails from this campaign, isolate the affected system from the network immediately and perform a full system scan using a reputable anti-malware solution. Proactively monitor and change passwords for any financial, personal, or business accounts accessed on infected systems and enable multi-factor authentication where available.
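The DDE abuse described above is carried in Word field codes: a .docx is a zip archive, and field instructions sit in word/document.xml (and in header, footer and footnote parts) either as runs of <w:instrText> between fldChar begin/end markers or as the w:instr attribute of <w:fldSimple>. A field whose instruction starts with DDEAUTO or DDE is the trigger. The following triage script is an added example, not code from the NJCCIC advisory or the McAfee report; it flags such fields in inbound attachments, reassembling a keyword that has been split across several instrText runs, and it builds its own constructed sample documents so it runs offline. The sample field text and the part names it scans are assumptions made for the example.

```python
"""Flag DDE / DDEAUTO field codes inside .docx attachments (added example).

A .docx is a zip archive; Word field instructions live in word/document.xml
and related parts as <w:instrText> runs between fldChar begin/end markers,
or as the w:instr attribute on <w:fldSimple>.
"""
import io
import re
import sys
import zipfile
import xml.etree.ElementTree as ET

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
W = "{%s}" % W_NS

# Field instructions that invoke DDE, tested after whitespace normalisation.
DDE_RE = re.compile(r"^\s*(DDEAUTO|DDE)\b", re.IGNORECASE)

# Word XML parts that can carry field codes (assumed list for this example).
PART_RE = re.compile(r"^word/(document|header\d*|footer\d*|footnotes|endnotes)\.xml$")


def _field_instructions(xml_bytes):
    """Yield each complete field instruction string from one XML part.

    instrText runs between a fldChar begin and its matching end are joined,
    so a keyword split across several runs is reassembled. Nested fields are
    yielded on their own and also folded into the enclosing field's text.
    """
    root = ET.fromstring(xml_bytes)
    for fld in root.iter(W + "fldSimple"):          # simple fields: attribute
        instr = fld.get(W + "instr")
        if instr:
            yield instr
    stack = []                                       # complex fields: runs
    for el in root.iter():                           # document order
        if el.tag == W + "fldChar":
            kind = el.get(W + "fldCharType")
            if kind == "begin":
                stack.append([])
            elif kind == "end" and stack:
                text = "".join(stack.pop())
                yield text
                if stack:                            # nested: parent sees it too
                    stack[-1].append(text)
        elif el.tag == W + "instrText" and stack:
            stack[-1].append(el.text or "")


def find_dde_fields(docx_bytes):
    """Return [(part_name, normalised_instruction)] for every DDE/DDEAUTO field."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not PART_RE.match(name):
                continue
            for instr in _field_instructions(zf.read(name)):
                norm = " ".join(instr.split())
                if DDE_RE.match(norm):
                    hits.append((name, norm))
    return hits


def build_sample_docx(instr_runs):
    """Build a minimal constructed .docx holding one complex field whose
    instruction is split across the given instrText runs (test input only)."""
    runs = "".join(
        '<w:r><w:instrText xml:space="preserve">%s</w:instrText></w:r>' % r
        for r in instr_runs
    )
    body = (
        '<w:document xmlns:w="%s"><w:body><w:p>'
        '<w:r><w:fldChar w:fldCharType="begin"/></w:r>%s'
        '<w:r><w:fldChar w:fldCharType="separate"/></w:r>'
        '<w:r><w:t>placeholder</w:t></w:r>'
        '<w:r><w:fldChar w:fldCharType="end"/></w:r>'
        '</w:p></w:body></w:document>' % (W_NS, runs)
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", body)
    return buf.getvalue()


if __name__ == "__main__":
    if len(sys.argv) > 1:                            # scan real files
        for path in sys.argv[1:]:
            with open(path, "rb") as f:
                print(path, find_dde_fields(f.read()))
    else:                                            # constructed samples
        split = build_sample_docx(["DDE", "AUTO ", "constructed-target.exe", " constructed-arg"])
        benign = build_sample_docx(['DATE \\@ "yyyy-MM-dd"'])
        print("split keyword:", find_dde_fields(split))
        print("benign field :", find_dde_fields(benign))
```

Run it with one or more .docx paths to list any DDE fields per part, or with no arguments to exercise the two constructed samples. The check is deliberately narrow: it looks only at Word field instructions, so it says nothing about the PowerShell stage or about DDE in other Office formats, and a hit is a reason to quarantine and analyse the file, not a verdict on its payload.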