The Sofacy APT group is back, with a new second-stage custom malware payload that researchers have dubbed “Cannon.” A campaign against several government entities around the globe, including in North America, Europe and a former Soviet state, came in waves during late October and early November, according to Palo Alto Networks’ Unit 42.
The researchers attributed it to the Russian-speaking Sofacy group, a.k.a. Fancy Bear, Sednit or APT28, after intercepting a series of weaponized documents that load remote templates containing a malicious macro: the lure document itself carries no macro, so the malicious content is only fetched when the document is opened. Unit 42 was able to retrieve the payloads, which included the already-known Zebrocy trojan as the first stage and the new Cannon trojan as the second stage.
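The remote-template trick described above relies on a standard OOXML feature: `word/settings.xml` carries a `w:attachedTemplate` element whose relationship (in `word/_rels/settings.xml.rels`) points at an external target, and Word fetches that template, macros included, when the document opens. The scanner below is an added example, not code from Unit 42 or from this article, and the function names, the minimal in-memory .docx it constructs and the placeholder URL are all my own; it flags any attached-template relationship with `TargetMode="External"`, which is the check a triage analyst would run on a suspicious lure before opening it.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# OOXML namespace and relationship type for an attached (remote) template.
RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = (
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
)
W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
R_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"


def find_remote_templates(docx_bytes):
    """Return [(rels_path, target)] for every attachedTemplate relationship
    whose TargetMode is External. A remote URL here means Word will fetch
    (and run the macros of) a template from outside the document on open."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            try:
                root = ET.fromstring(zf.read(name))
            except ET.ParseError:
                continue  # malformed part; not a relationship file we can reason about
            for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                if (rel.get("Type") == ATTACHED_TEMPLATE
                        and rel.get("TargetMode", "").lower() == "external"):
                    hits.append((name, rel.get("Target", "")))
    return hits


def build_sample_docx(template_url=None):
    """Construct a minimal .docx in memory (constructed sample, not a real lure).
    With template_url set, settings.xml points at it as an external attached template,
    which is the shape a remote-template-injection document takes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("_rels/.rels",
                    f'<Relationships xmlns="{RELS_NS}"><Relationship Id="rId1" '
                    f'Type="{R_NS}/officeDocument" Target="word/document.xml"/></Relationships>')
        zf.writestr("word/document.xml",
                    f'<w:document xmlns:w="{W_NS}"><w:body/></w:document>')
        if template_url:
            zf.writestr("word/settings.xml",
                        f'<w:settings xmlns:w="{W_NS}" xmlns:r="{R_NS}">'
                        '<w:attachedTemplate r:id="rId1"/></w:settings>')
            zf.writestr("word/_rels/settings.xml.rels",
                        f'<Relationships xmlns="{RELS_NS}"><Relationship Id="rId1" '
                        f'Type="{ATTACHED_TEMPLATE}" Target="{template_url}" '
                        'TargetMode="External"/></Relationships>')
        else:
            zf.writestr("word/settings.xml", f'<w:settings xmlns:w="{W_NS}"/>')
    return buf.getvalue()


if __name__ == "__main__":
    # Placeholder URL (assumption for the demo, not an indicator from the campaign).
    suspicious = build_sample_docx("http://example.invalid/template.dotm")
    benign = build_sample_docx()
    print("suspicious:", find_remote_templates(suspicious))
    print("benign:", find_remote_templates(benign))
```

The check is deliberately narrow: it reports only the attached-template relationship the technique depends on, and it reads the zip without ever rendering the document, so it is safe to run on an untrusted sample. Other external relationships (OLE links, images, hyperlinks) also deserve a look in a full triage, but a remote `attachedTemplate` target in a document that arrived by email is close to a decisive indicator on its own.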