Less than six hours after Donald Trump won the US presidential election, a new spear phishing campaign was launched by a Russia-based group. The group is apparently one of the two organizations connected to the breach at the Democratic National Committee, and it’s responsible for nearly a decade of intelligence collection campaigns against military and diplomatic targets.
Security firm Volexity refers to the group as “the Dukes” based on the malware family being utilized. According to a report by Volexity founder Steven Adair, the group is known for a malware family known as “the Dukes”—also referred to as APT29 or “Cozy Bear.” The Dukes’ primary targets in this latest round of attacks appear to be non-governmental organizations (NGOs) and policy think tanks in the US.
According to Volexity’s data, the threat group sent e-mails from purpose-built Gmail accounts and what may be a compromised e-mail account from Harvard University’s Faculty of Arts and Science. The phishing e-mails dropped a new variant of backdoor malware dubbed “PowerDuke” by Volexity, and this malware gave attackers remote access to compromised systems. Volexity has been tracking a number of campaigns based on PowerDuke since August, when some “highly targeted” malicious e-mails were sent to individuals at a number of policy research organizations in the US and Europe. The e-mails were disguised as messages from the Center for a New American Security (CNAS), Transparency International, the Council on Foreign Relations, the International Institute for Strategic Studies (IISS), and Eurasia Group. Another wave of similar e-mails targeted universities in October.
The latest round of e-mails, sent out on November 8 and 9, “were sent in large quantities to different individuals across many organizations and individuals focusing in national security, defense, international affairs, public policy, and European and Asian studies,” Adair wrote. “Two of the attacks purported to be messages forwarded on from the Clinton Foundation giving insight and perhaps a postmortem analysis into the elections. Two of the other attacks purported to be eFax links or documents pertaining to the election’s outcome being revised or rigged. The last attack claimed to be a link to a PDF download on ‘Why American Elections Are Flawed.‘”
PowerDuke uses steganography to conceal its backdoor’s code in a .PNG graphic file. The August attacks used legitimate content from the spoofed senders in Word and Excel documents to fool targets into opening attachments outside of a safe preview mode—scripts then downloaded the .PNG from a compromised Web server. The malware was next extracted from the .PNG and executed by Windows’ rundll32.exe, residing only in memory and leaving no trace in the operating system. Once installed, the backdoor contacts a command and control network and allows the attackers to carry out a large range of commands—including the uploading and downloading of files, remote wiping of files, and accessing details about the infected machine, its user, and the network it runs on.
This week’s attacks used a combination of approaches to deliver PowerDuke. The e-mails had either malicious links to .ZIP files or forged Windows shortcut files linked to a “clean” Rich Text Format document and a PowerShell script that installed the malware. Two were “eFax” messages; the other three apparently came from the e-mail account of a senior research fellow at Harvard’s Center for International Development. Two of those messages were spoofed forwards of messages from the Clinton Foundation using the same Harvard account. In all cases, the malware scripts included a variety of advanced anti-malware detection and virtual machine detection scripts to evade analysis.
“The group’s anti-VM macros and PowerShell scripts appear to have drastically reduced the number of sandboxes and bots that the group has to deal with on their command and control infrastructure,” Adair noted. “This combined with their use of stenography to hide their backdoor within PNG files that are downloaded remotely and loaded in memory only or via alternate data streams (ADS) is quite novel in its approach. Volexity believes that the Dukes are likely working to gain long-term access into think tanks and NGOs and will continue to launch new attacks for the foreseeable future.”