
WEEKLY COMMENTS

How did your businesses fare security-wise over Black Friday and Cyber Monday?

Financially motivated threat actors are not the only cybercriminals active during the festive season; politically motivated APT groups, too, are on the move.

This week, we received reports that the Sofacy APT group has been delivering the new Cannon malware in a spear phishing campaign targeting government organisations in North America and Europe [1]. The lure is a Microsoft Word document that loads a remote template, and it is the template, not the attachment itself, that carries the malicious macros, so a static scan of the attachment alone may find nothing. The macros use Word's AutoClose function, so the payload is not run when the document is opened but only when the victim closes it, which helps it evade sandboxes that open a file and wait briefly. Once downloaded, Cannon can add persistence, create a unique system identifier, collect system details, capture desktop screenshots, and access POP3 email accounts.
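As an added triage example (not code from the article or from the report it cites), the following Python checks a .docx for the two traits described above: an external attachedTemplate relationship in word/_rels/settings.xml.rels, and an auto-executing procedure name such as AutoClose in VBA source. The sample document and VBA text are constructed inline; the template URL is a placeholder, not a real indicator. The VBA source is assumed to have been extracted separately (for example with oletools' olevba) from the fetched template, since the attachment itself need not contain any macro.

```python
"""Triage helpers for remote-template lures with auto-executing macros.

Added example, not code from the original article. Sample inputs below are
constructed; the template URL is a placeholder, not a known indicator.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = (
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
)
# Word procedure names that run without a user clicking a button; AutoClose
# and Document_Close fire when the document is closed, which is the delay
# trick described in the text.
AUTO_EXEC_NAMES = {"autoopen", "autoclose", "autoexec", "autoexit",
                   "document_open", "document_close"}
SUB_DECL = re.compile(r"\bSub\s+(\w+)\s*\(", re.IGNORECASE)


def remote_templates(docx_bytes: bytes) -> List[str]:
    """Return external attachedTemplate targets found in the settings part."""
    targets: List[str] = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        if "word/_rels/settings.xml.rels" not in z.namelist():
            return targets
        root = ET.fromstring(z.read("word/_rels/settings.xml.rels"))
        for rel in root.iter(f"{{{REL_NS}}}Relationship"):
            if (rel.get("Type") == ATTACHED_TEMPLATE
                    and rel.get("TargetMode", "Internal") == "External"):
                targets.append(rel.get("Target", ""))
    return targets


def auto_exec_macros(vba_source: str) -> List[str]:
    """Names of auto-executing Sub procedures declared in VBA source text."""
    found = {m.group(1) for m in SUB_DECL.finditer(vba_source)
             if m.group(1).lower() in AUTO_EXEC_NAMES}
    return sorted(found)


def triage(docx_bytes: bytes, vba_source: str = "") -> Dict[str, object]:
    """Combine both checks into one verdict for an attachment plus its template's VBA."""
    templates = remote_templates(docx_bytes)
    macros = auto_exec_macros(vba_source)
    return {"remote_templates": templates,
            "auto_exec_macros": macros,
            "suspicious": bool(templates) or bool(macros)}


def build_sample_docx(template_url: Optional[str]) -> bytes:
    """Constructed minimal .docx; with a URL it points settings at an external template."""
    settings = ('<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
                '<w:settings xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" '
                'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
                '<w:attachedTemplate r:id="rId1"/></w:settings>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/settings.xml", settings)
        if template_url is not None:
            rels = ('<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
                    f'<Relationships xmlns="{REL_NS}">'
                    f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
                    f'Target="{template_url}" TargetMode="External"/>'
                    '</Relationships>')
            z.writestr("word/_rels/settings.xml.rels", rels)
    return buf.getvalue()


# Constructed VBA text standing in for what olevba would extract from the template.
SAMPLE_VBA = '''Attribute VB_Name = "ThisDocument"
Private Sub AutoClose()
    ' placeholder body: runs when the victim closes the document
End Sub
Sub Helper()
End Sub
'''

if __name__ == "__main__":
    lure = build_sample_docx("http://example.invalid/template.dotm")  # placeholder URL
    print(triage(lure, SAMPLE_VBA))
    print(triage(build_sample_docx(None)))
```

The relationship check is cheap enough to run on every inbound Office attachment at the mail gateway; the macro check only applies once the template has been fetched, which a sandbox must do and then close the document to trigger AutoClose.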

Additionally, the Gamaredon group, which has been linked to Russia's Federal Security Service (FSB), has been using a new variant of the Pterodo information-stealing backdoor against Ukrainian government agencies [2]. Pterodo activates only on Windows systems whose language localisation is Ukrainian, Belarusian, Russian, or another language associated with the former Soviet states, so it stays dormant on most systems outside its target region. The latest variant derives a unique C&C URL from the serial number of the infected system's hard drive, which means the URL differs from one infected host to the next.

We advise organisations to stay vigilant during the festive season and to install patches as soon as they are available. Employees should be reminded regularly of commonplace attack vectors such as phishing emails, and organisations should have response and mitigation plans in place for attacks such as DDoS, and train staff in the steps to take when an attack occurs.

References:
[1] New Cannon Trojan Is the Latest Asset of Sofacy APT Group
[2] Ukraine detects new Pterodo backdoor malware, warns of Russian cyberattack

Ensign InfoSecurity Singapore
6 Commonwealth Lane
Singapore 149547