Russian hackers are trying out this new malware against US and European targets

A new phishing campaign from a Russian-state backed hacking group targets American and European inboxes.

This article by Danny Palmer originally appeared on ZDNet.

A Russian government-backed hacking group is distributing a new form of trojan malware as part of a cyber espionage campaign targeting the US and Europe, according to security researchers.

Named Cannon after references in the malicious code, the malware gathers system information and takes screenshots of infected PCs and has been operating since at least late October.

The campaign has been detailed by analysts at Palo Alto Networks’ Unit 42 research unit, who say Cannon is just one form of malware still being actively distributed by Sofacy – their codename for Fancy Bear, a group also known as APT28, a hacking group with strong links to the Kremlin.

The group has been linked to a number of campaigns in recent years – including the cyber attacks and disinformation interference around the US Presidential election. It’s also thought to have conducted additional espionage campaigns against a number of nation-states and international organisations.

The new campaign begins with phishing emails which reference the recent Lion Air crash just off the coast of Indonesia. The Microsoft Word document is named Lion Air Boeing 737.docx and claims to have an author named ‘Joohn’. The subject was most likely chosen for the lure simply because people open emails related to current events.

If the user opens the attachment, they’re told that the document was created in an earlier version of Microsoft Word and that macros need to be enabled in order to view it. Enabling the macros starts the installation of the malware – however, to help evade detection, the malicious code isn’t run until after the Word session is closed.
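A Word attachment of this kind can be checked before anyone is asked to “enable macros”: a .docx or .docm file is a ZIP package, so a mail gateway or analyst can look for an embedded VBA project part and for relationship entries that point outside the document without rendering it in Word. The script below is an added example and is not code from the article or from Unit 42; the sample document it inspects is constructed in memory, the `attachedTemplate` relationship is used only as one generic example of an external reference, and the URL in it is a placeholder.

```python
"""Triage an Office Open XML attachment for the features a macro lure relies on.

Added example, not from the article or from Unit 42.  A .docx/.docm is a ZIP package,
so two indicators can be read straight from the archive: an embedded VBA project part
(word/vbaProject.bin) and relationship entries whose Target is external (a URL or UNC
path the document reaches out to when opened).  The sample package is constructed here.
"""
import io
import re
import zipfile
from typing import Dict, List, Optional

REL_TAG = re.compile(r"<Relationship\b[^>]*>", re.IGNORECASE)
TARGET_ATTR = re.compile(r'Target="([^"]*)"', re.IGNORECASE)
EXTERNAL_ATTR = re.compile(r'TargetMode="External"', re.IGNORECASE)


def build_sample_docx(with_vba: bool, external_target: Optional[str] = None) -> bytes:
    """Build a minimal, constructed OOXML package for the demonstration (not a real lure)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            # A real VBA project is an OLE compound file; only the part name matters here.
            z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0" + b"\x00" * 12)
        rels = ['<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">']
        if external_target is not None:
            rels.append(
                '<Relationship Id="rId1" '
                'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate" '
                f'Target="{external_target}" TargetMode="External"/>'
            )
        rels.append("</Relationships>")
        z.writestr("word/_rels/settings.xml.rels", "".join(rels))
    return buf.getvalue()


def inspect_ooxml(data: bytes) -> Dict[str, object]:
    """Collect indicators from an OOXML package without opening it in Word."""
    findings: Dict[str, object] = {"is_ooxml": False, "has_vba": False, "external_targets": []}
    try:
        z = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # not a ZIP container, so not an OOXML document
    with z:
        names = z.namelist()
        findings["is_ooxml"] = "[Content_Types].xml" in names
        findings["has_vba"] = any(n.lower().endswith("vbaproject.bin") for n in names)
        targets: List[str] = []
        for name in names:
            if not name.lower().endswith(".rels"):
                continue
            xml = z.read(name).decode("utf-8", errors="replace")
            for tag in REL_TAG.findall(xml):
                if EXTERNAL_ATTR.search(tag):
                    m = TARGET_ATTR.search(tag)
                    if m:
                        targets.append(m.group(1))
        findings["external_targets"] = targets
    return findings


def triage(filename: str, data: bytes) -> List[str]:
    """Reasons to hold an attachment for review; an empty list means nothing was found."""
    f = inspect_ooxml(data)
    reasons: List[str] = []
    if not f["is_ooxml"]:
        return reasons
    if f["has_vba"]:
        reasons.append(f"{filename}: embedded VBA project (macros)")
    for target in f["external_targets"]:
        # Flag URLs and UNC paths; relative targets inside the package are normal.
        if re.match(r"(?i)(https?|ftp|file)://|\\\\", target):
            reasons.append(f"{filename}: external relationship target {target}")
    return reasons


if __name__ == "__main__":
    lure = build_sample_docx(with_vba=True, external_target="http://example.invalid/template.dotm")
    for reason in triage("Lion Air Boeing 737.docx", lure):
        print(reason)
    print(triage("clean.docx", build_sample_docx(with_vba=False)))  # prints []
```

The check deliberately reads only the ZIP directory and the `.rels` parts, so it never executes anything from the document; a positive result is a reason to quarantine the mail and look closer, not proof of malice, since legitimate templates also carry VBA.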

This campaign has been spotted delivering two different forms of similar malware. One is Zebrocy, a trojan which has previously been observed being used as part of cyber espionage attempts working out of Russia.

The other is Cannon, with this campaign representing the first time the malware has been seen. It functions in a similar way to Zebrocy, establishing communication with a command and control server which provides the malware with instructions.

Cannon is designed to be persistent, taking screenshots of the desktop every 10 seconds and gathering full system information every five minutes. In an effort to pass stolen data on discreetly, Cannon uses email to forward attachments to one of three accounts hosted by a Czech Republic-based service provider. From there, the emails go on to accounts controlled by the attackers.

The researchers are attributing the campaign to Sofacy because of how similar the Cannon malware is to Zebrocy – which is known to be the work of the hacking group. There are also a number of other similarities, including the reuse of author names in documents associated with the campaigns and the reuse of the same command and control servers.

The latest round of Fancy Bear attacks has targeted “a government organization dealing with foreign affairs in Europe”, according to Palo Alto Networks, although the researchers won’t go into the specifics of which governments have been targeted, or whether the campaigns have been successful for the attackers. It’s also unclear what specific information the attackers are after in this campaign.

“This is another example of how the Sofacy group is willing and able to develop new tools in support of their tactical and strategic aims,” said Bryan Lee, principal researcher for Unit 42 at Palo Alto Networks.

“While we can’t say how this specifically fit in to the overall Sofacy picture, based on the body of collective research we have as an industry, nearly all would agree that there is an overall picture: the Sofacy group doesn’t do things on a whim or for no reason.”

The discovery of new Fancy Bear activity comes shortly after researchers uncovered a new phishing campaign targeting both the government and private sectors in the United States. That particular campaign is being carried out by Cozy Bear, another Russian state-sponsored hacking group.

Be careful what you open!!!

On 21st October, whilst I was at the Brightwells’ Cob Sales, at Builth, an email addressed to one of my clients popped up in my emails on my phone. From my phone I couldn’t tell why it arrived in my inbox, but when I returned to the office I discovered that the email address it was sent to was not quite correct, so had been forwarded to me as account administrator.

The email itself initially appeared to be genuine and, as my client is a well-respected business, I was surprised by the content. The email also had a Word document attached. I would imagine it was intended to make my client so enraged by the content that he would open the attachment without thinking.

At my office, in a controlled environment, I further investigated the email and the attachment. I discovered several things wrong with the content of the email itself, but the main problem was with the attachment, which contained an encrypted file. Had my client opened the attachment on a poorly protected computer, with possibly an earlier version of Word, his computer would almost certainly have been infected by an exploit contained in the Word file.

I now have my client’s permission to show you the email (with his company name and address hidden) so that you can appreciate what I am talking about.

I cannot over-emphasise that you should be careful opening attachments on any unexpected emails, particularly attachments that are Word documents or compressed files (.zip etc.). You might also like to take a look at http://www.eqwebs.com/faq/internet-safety/

Here is the email:

Ref No:VS08505

21st October 2016

To: Xxxxxx Xxxxx Xxxxxxxxx (Address: Xxx Xxxx Xxxx, Xxxxxxxx)

Our client: Ace Engineering & Fencing (UK) Ltd (Address: 55 Sovereign Arcade, Kettering, Northamptonshire, NN16 9JG)
Agreement Dated: 10/12/2015

Further to consultation with our above-named client in connection with the recovery of the amount of £7278 which has been outstanding for some significant period of time, despite our client’s repeated requests for payment. In such circumstances, we have advised our client that they are entitled to present a Petition to the High Court of Justice praying for the compulsory winding up of your company, pursuant to Section 122 (1)(f) of the Insolvency Act 1986, in view of your obvious inability to make payment.

Our instructions are such that unless within 5 business days of the date of this letter we receive payment in our favour for the full amount due, then such a Petition will be issued, served and advertised without further notice or warning.

Further info is attached to this letter.

Any correspondence from you must quote the name of our client, your own name and the reference number set out above in the letter and in the document containing the payment details which letter refers you to. If any of these details are omitted, it may be that your correspondence cannot be dealt with and the proceedings referred to above will automatically follow.

Yours truly,
David Church
Senior Accountant

Businessplus+ Accountants UK Ltd.

This message has been scanned for viruses and dangerous content by Email Shield.
Click here to report this message as spam.

MICROSOFT does NOT cold call about computer faults!

I’ve just had a very interesting phone call from a gentleman with an Indian accent, though the accent isn’t important as it could have been from anyone. He stated that he was calling from Microsoft and that they were concerned about a number of network faults showing up on my computer. At this point I told him that I was not interested in his SCAM and put the phone down. I would urge anyone who receives a similar call to do the same.

If I had continued the call he would almost certainly have “persuaded” me that it was imperative that I download something so that he could look at my computer to clear the problem. Once he had access to my computer he would have been able to seek out personal information on the computer, install spyware etc. and cause all types of problems. As well as this, I have heard that this type of scam frequently involves paying a fee (by card) to fix the “problems”.

Please be aware that Microsoft does not cold call anyone about faults on computers. Don’t fall for this SCAM.

.cymru & .wales domain names now available

.cymru & .wales domain name registrations are now available for public registration using our automated system. However, if you wish to place an order for identical .cymru and .wales registrations, please contact us by phone on 0845 6585 444 or 01443 879777 or by email by clicking HERE.

Pricing: .cymru and .wales are priced at £20.00 each for a one-year registration, with a special price of £30.00 per year for the pair where identical .cymru and .wales registrations are both taken.

Microsoft Expression Web 4

Microsoft has recently announced significant changes to its development of Expression Studio, and of particular interest to our clients is the following statement from the Microsoft website:

Expression Web

The web is now about applications as well as traditional web sites, and this requires a new set of tools. Microsoft is committed to offering a unified approach to focus on web design and development features in Microsoft Visual Studio 2012.

As part of this consolidation, Microsoft Visual Studio 2012 provides the leading web development tool, which enables you to design, develop, and maintain websites and web applications. Visual Studio 2012 makes it easy to build CSS-based websites from the ground up with new CSS layouts, HTML5 support and full featured capabilities for working with and debugging JavaScript. Learn more about Visual Studio Express 2012 for Web and WebMatrix 2.

Expression Web is now available as a free download from the Microsoft Download Center, and no new versions will be developed. Customers who previously purchased Expression Web will receive support through the established support lifecycle.

To go directly to the Microsoft Download Page for Expression Web, click HERE.

WordPress (and Joomla) now added to our repertoire

In addition to the HTML websites we have been providing to our clients since 1999, and our EqwebsCMS websites (since 2011), we are now able to provide and support WordPress (and Joomla) websites.

Please contact us directly to hear about the features available and the pricing on our WordPress and Joomla websites.