Reports are now appearing about the latest exploits of the infamous Russian hacking organization Fancy Bear, the group implicated by private American cyber investigators following the 2016 presidential election as being one of the groups behind the DNC hack.
According to media sources, the group has recently begun a hacking campaign capitalizing on news of the recent truck ramming attack in New York City. The attack essentially follows a classic phishing model, and consists of an email containing a command to download malware on a word document titled "IsisAttackInNewYork.docx." If the recipient follows the command, a malware code known as Seduploader then infects their computer. Seduploader is a reconnaissance malware that seeks to identify and exfiltrate sensitive files on a victim’s machine.
This is not the first time fancy Bear has attempted this method. In late October, Fancy Bear used a similar tactic. Hackers targeted individuals interested in military cybersecurity by using a document that appeared to contain information about the CyCon cybersecurity conference, a well-known event in the world of IT sponsored by West Point.
In the October attacks, the fake CyCon documents used a feature in Microsoft Word known as a VBA script, an active scripting language used to manage computing operations, as the medium to download the malware. The New York attack document takes advantage of a different feature, known as Microsoft Office Dynamic Data Exchange, an interprocess communication tool that allows one program to subscribe to items made available by another program.
Why the change in tactics?
Well, the downside of a good cyberattack is that the damage tends to draw attention. According to researchers at McAfee, the change in tactic may have been due to the widespread attention garnered by the CyCon attack. This attention may have caused users to adapt and prepare for this type of malware delivery in the future, or at least the hackers may have thought so.
The attack is just another indication of the malicious creativity within the community of criminal hackers.
As McAfee researcher Raj Samani put it: "You’ve got an active group tracking the security industry and incorporating its findings into new campaigns; the time between the issue being reported and seeing this in the wild is pretty short, it shows a group that’s keeping up to date with both current affairs and security research."