Russia-Linked APT Targets European Government Agency with Updated Adobe Flash Exploit Tool

The October 26, 2017 NJCCIC Weekly Bulletin contained a threat alert detailing the activity of Russia-linked APT group Sofacy, also known as APT28 or Fancy Bear, in which the group used an Adobe Flash Player exploitation framework, DealersChoice, to target users. On March 12 and 14, 2018, Unit 42 researchers at Palo Alto Networks observed Sofacy targeting a European Government Agency with an updated version of the DealersChoice framework. The threat actors sent spear-phishing emails to the target organization with a subject and attachment file name of “Defence & Security 2018 Conference Agenda.” When opened, the attached file displayed a copied agenda from the Underwater Defence & Security 2018 Conference. A malicious Flash object was embedded on the third page of the file that only loaded if the user scrolled through the document to that page, serving as an anti-sandboxing technique; the Flash object appears as a small black box in the document. While the new DealersChoice framework has only been identified targeting a European Government Agency, Sofacy has a history of exploiting Adobe Flash vulnerabilities to target US organizations. The NJCCIC recommends those that would be considered high-value targets for Russian APT groups review the Unit 42 analysis on recent Sofacy activity and Unit 42’s previous analysis on DealersChoice, and scan for the IoCs provided to determine whether malicious activity has been observed within their networks. Organizations are strongly encouraged to implement a defense-in-depth cybersecurity strategy, employ the Principle of Least Privilege, and establish strong identity and access management controls, including multi-factor authentication.