Russian APT Group Fancy Bear (APT28) Targeting Potential Cybersecurity Conference Attendees

Cisco Talos observed a new spear-phishing campaign targeting potential attendees of the 2017 International Conference on Cyber Conflict (CyCon US), scheduled to take place on November 7 and 8 in Washington, DC. These emails contain a malicious two-page document named Conference_on_Cyber_Conflict.doc designed to resemble promotional material for CyCon US. This document contains a Visual Basic for Applications (VBA) macro designed to execute a new variant of Seduploader, a trojan used by nation-state actors to conduct reconnaissance on their targets. Seduploader is capable of capturing screenshots, exfiltrating data, and executing arbitrary code. Due to the indicators of compromise (IoCs) and the use of Seduploader, Cisco Talos attributes this campaign to Fancy Bear, also known as Group 74, APT28, Tsar Team, and Sofacy. The NJCCIC recommends potential attendees of the 2017 International Conference on Cyber Conflict read the CyCon US alert and review the Cisco Talos report on this spear-phishing campaign. The NJCCIC strongly recommends that all email users maintain awareness of emerging phishing campaigns and avoid clicking on links or opening attachments delivered with unexpected or unsolicited emails. If any end users have taken action on emails from this campaign, isolate the affected system from the network immediately and perform a full system scan using a reputable anti-malware solution. Proactively monitor and change passwords to any financial, personal, or business accounts accessed on infected systems and enable multi-factor authentication where available.