Sednit Uses US President to Lure its Victims, Reports ESET

The Sednit group is back on the radar after its alleged interference with the French elections. ESET researchers have observed another one of the group's phishing emails in action – this time using the widely reported missile strike on Syria to lure victims into opening an attachment that drops its well-known reconnaissance tool, Seduploader. Read the whole analysis on ESET’s news website.

Inside the document titled Trump’s_Attack_on_Syria_English.docx, Sednit uses two 0-day exploits to drop the Seduploader component. The first, CVE-2017-0261, exploits a remote code execution vulnerability in Microsoft Word; the second, CVE-2017-0263, exploits a local privilege escalation vulnerability in Windows. ESET reported both vulnerabilities to Microsoft, which addressed them today in its regular monthly security update release.

“The Sednit group shows that it is far from done with its activities,” comments Alexis Dorais-Joncas, ESET Security Intelligence Team Lead, on the recent findings. “While maintaining its old habits – such as the reuse of code and the use of known attack methods, as described in our extensive whitepaper – we have noted several improvements in Seduploader over the past several months.”

The Sednit group, also known as APT28, Fancy Bear and Sofacy, is a group of attackers that has been operating since at least 2004 and whose main objective is to steal confidential information from specific, carefully selected targets. Last October, ESET published an extensive analysis of Sednit’s arsenal and tactics in the whitepaper En Route with Sednit.

Read the whole analysis of the latest Sednit group attack, titled ‘Sednit adds two 0-day exploits using ‘Trump’s attack on Syria’ as a decoy’, on Welivesecurity.com.