As the US justice department forges ahead with its investigation into the Trump administration and any possible collusion with Russia, the Fancy Bear hackers continue refining their attacks against global targets. As part of their new phishing campaign, the hackers are capitalising on the recent New York terror attack to trick users into opening malicious documents, which in turn infect their systems with the group's malware.
The Kremlin-linked hackers first made headlines during the 2016 US presidential campaign and are now widely considered to have orchestrated the cyberattacks against the US Democratic Party. The cyberespionage group has since been actively involved in various campaigns over the past year, targeting organisations and individuals across the globe.
Fancy Bear's most recent campaign, uncovered by security researchers at McAfee, involves the use of a blank malicious document titled "IsisAttackInNewYork", which, when opened, drops the hackers' first-stage reconnaissance malware dropper Seduploader. The implant collects basic data from infected PCs and profiles prospective victims. Once the hackers judge a victim to be of interest, the implant then drops Fancy Bear's customised malware X-Agent or Sedreco.
In previous campaigns, the Russian hackers were found using zero-day flaws while perpetrating attacks. In this particular campaign, however, the hackers leveraged a newer technique that abuses Microsoft Office's DDE (Dynamic Data Exchange) feature to launch code from a document without a software vulnerability. This technique has also been exploited by a Chinese hacker group called KeyBoy. Alarmingly, Microsoft has no intention of patching the DDE function as it considers it a feature and not a bug, Cyberscoop reported. This means that hacker groups like Fancy Bear and KeyBoy could keep leveraging the function to deliver malware to unsuspecting users.
Because it relies on a documented feature rather than an exploit, the DDE technique could also allow the hackers to evade security detection that looks for known vulnerability triggers. McAfee experts say that the hackers' ability to exploit recent events and newly published hacking techniques reveals the group's efforts to actively seek out new ways to ensure success.
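A defender-side illustration of the DDE point above, added here as an example and not code from this article, McAfee or Microsoft: a .docx file is a zip archive of Office Open XML parts, and a Word field's instruction text lives in `w:instrText` runs (or the `w:instr` attribute of `w:fldSimple`), so a triage script can unpack a document and flag any field whose instruction invokes `DDE` or `DDEAUTO`. The function names `find_dde_fields`, `field_instructions` and `build_sample_docx` are this example's own, and the sample document it builds in memory is constructed test data. It deliberately joins instruction fragments that are split across several runs, since the combined text is what Word evaluates.

```python
"""Triage scanner for DDE / DDEAUTO fields in Word .docx files.

Added example (not the article's, McAfee's or Microsoft's code). It relies only on
the public Office Open XML layout of a .docx: XML parts under word/, complex
fields delimited by w:fldChar begin/end markers, instruction text in w:instrText.
"""
import io
import re
import sys
import zipfile
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

W = "{http://schemas.openxmlformats.org/wordprocessingml/2006/main}"
# Field instruction keywords that cause Word to start a DDE conversation.
DDE_RE = re.compile(r"\bDDE(?:AUTO)?\b", re.IGNORECASE)


def field_instructions(xml_bytes):
    """Return the complete instruction string of every field in one XML part.

    Word may split one instruction across many w:instrText runs, and fields can
    be nested, so fragments are accumulated until the outermost field closes.
    """
    root = ET.fromstring(xml_bytes)
    fields, buf, depth = [], [], 0
    for el in root.iter():
        if el.tag == W + "fldSimple":
            fields.append(el.get(W + "instr", ""))
        elif el.tag == W + "fldChar":
            kind = el.get(W + "fldCharType")
            if kind == "begin":
                depth += 1
            elif kind == "end" and depth > 0:
                depth -= 1
                if depth == 0:
                    fields.append("".join(buf))
                    buf = []
        elif el.tag == W + "instrText" and depth > 0:
            buf.append(el.text or "")
    if buf:  # unterminated field: still report what was collected
        fields.append("".join(buf))
    return fields


def find_dde_fields(docx_bytes):
    """Return [(part_name, normalised_instruction)] for every DDE field found."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            # body, headers, footers, footnotes etc. all live under word/
            if not (name.startswith("word/") and name.endswith(".xml")):
                continue
            try:
                instrs = field_instructions(zf.read(name))
            except ET.ParseError:
                continue
            for instr in instrs:
                if DDE_RE.search(instr):
                    hits.append((name, " ".join(instr.split())))
    return hits


def build_sample_docx(instr_fragments):
    """Constructed sample: a minimal .docx holding one complex field whose
    instruction is split across the given runs (the evasion the scanner handles)."""
    runs = "".join(
        f'<w:r><w:instrText xml:space="preserve">{escape(f)}</w:instrText></w:r>'
        for f in instr_fragments
    )
    body = (
        f'<w:document xmlns:w="{W[1:-1]}"><w:body><w:p>'
        '<w:r><w:fldChar w:fldCharType="begin"/></w:r>'
        f"{runs}"
        '<w:r><w:fldChar w:fldCharType="separate"/></w:r>'
        "<w:r><w:t>placeholder result</w:t></w:r>"
        '<w:r><w:fldChar w:fldCharType="end"/></w:r>'
        "</w:p></w:body></w:document>"
    )
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")  # enough for this scanner
        zf.writestr("word/document.xml", body)
    return out.getvalue()


if __name__ == "__main__":
    # Usage: python dde_scan.py file1.docx file2.docx ...  (no args: self-demo)
    paths = sys.argv[1:]
    if not paths:
        sample = build_sample_docx(["DD", "EAUTO ", 'C:\\placeholder\\app.exe "arg"'])
        print(find_dde_fields(sample))
    for path in paths:
        with open(path, "rb") as fh:
            for part, instr in find_dde_fields(fh.read()):
                print(f"{path}: {part}: {instr}")
```

The split-run sample is the interesting case: each `w:instrText` run on its own reads "DD" or "EAUTO ", so a scanner that greps individual runs for `DDEAUTO` misses it, while the concatenated instruction is caught. A `DATE` field with the same structure yields no hit, which keeps the rule usable as a mail-gateway or endpoint triage check rather than a blanket block on documents with fields.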
"You've got an active group tracking the security industry and incorporating its findings into new campaigns; the time between the issue being reported and seeing this in the wild is pretty short. It shows a group that's keeping up to date with both current affairs and security research," McAfee chief scientist Raj Samani told Wired.