Hackers are targeting both U.S. and European email accounts with a new phishing malware, according to a study done by cybersecurity researchers at Palo Alto Networks’ Unit 42. Named “Cannon,” the malware has been around since October, collecting screenshots and other information from the PCs of unsuspecting victims and sending it back to Russian operatives.
Leveraging a classic social engineering tactic, “Cannon” arrives in phishing emails that trick victims into opening messages about recent news events, such as the crash of an airliner in Indonesia. The emails carry an attachment: a Microsoft Word document in the older file format, which requires the macro feature to be enabled for the file to open successfully. Once the victim opens the file and enables macros, the macro code executes and a trojan is installed on the computer when Word is closed.
Once the trojan is running, it collects screenshots of the PC desktop at 10-second intervals and system information every 300 seconds. It then logs into a primary POP3 email account and a secondary POP3 email account, and attempts to obtain the download path for the retrieved information. Finally, it moves all attachments to a specific path and creates a process that sends an email back to the attacker with all attachments.
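The behaviour above, a non-mail process logging into POP3 and then sending over SMTP, is something endpoint telemetry can surface. The following is an added detection example (not Unit 42's code and not part of the original article); the connection events, the process names and the mail-client allow-list are all constructed for the example.

```python
"""
Added example, not from the article or Unit 42: flag processes that are not
known mail clients yet log into POP3 and afterwards connect to SMTP, the
email-based command-and-control pattern described above.
Telemetry records and the allow-list below are constructed for this example.
"""
from collections import defaultdict
from datetime import datetime
from typing import Dict, List

POP3_PORTS = {110, 995}
SMTP_PORTS = {25, 465, 587}
# Constructed allow-list; a real deployment would draw this from inventory.
KNOWN_MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}

# Constructed sample telemetry (one host): process name, destination port,
# ISO timestamp. "demo_dropper.exe" is a made-up name, not an indicator.
SAMPLE_EVENTS = [
    {"ts": "2018-11-05T10:00:00", "proc": "outlook.exe", "dport": 995},
    {"ts": "2018-11-05T10:00:05", "proc": "outlook.exe", "dport": 587},
    {"ts": "2018-11-05T10:01:00", "proc": "svchost.exe", "dport": 443},
    {"ts": "2018-11-05T10:02:00", "proc": "demo_dropper.exe", "dport": 110},
    {"ts": "2018-11-05T10:02:10", "proc": "demo_dropper.exe", "dport": 110},
    {"ts": "2018-11-05T10:02:20", "proc": "demo_dropper.exe", "dport": 110},
    {"ts": "2018-11-05T10:02:25", "proc": "demo_dropper.exe", "dport": 25},
]


def flag_mail_c2(events: List[Dict[str, object]], min_pop3: int = 2) -> List[str]:
    """Return process names that (1) are not allow-listed mail clients,
    (2) made at least `min_pop3` POP3 connections, and (3) later made an
    SMTP connection. Ordering matters: the trojan fetches first, then sends."""
    first_pop3: Dict[str, datetime] = {}
    pop3_count: Dict[str, int] = defaultdict(int)
    last_smtp: Dict[str, datetime] = {}

    for ev in events:
        proc = str(ev["proc"]).lower()
        if proc in KNOWN_MAIL_CLIENTS:
            continue
        ts = datetime.fromisoformat(str(ev["ts"]))
        port = int(ev["dport"])  # type: ignore[arg-type]
        if port in POP3_PORTS:
            pop3_count[proc] += 1
            first_pop3.setdefault(proc, ts)
        elif port in SMTP_PORTS:
            last_smtp[proc] = max(ts, last_smtp.get(proc, ts))

    flagged = [
        proc
        for proc, n in pop3_count.items()
        if n >= min_pop3 and proc in last_smtp and last_smtp[proc] > first_pop3[proc]
    ]
    return sorted(flagged)


if __name__ == "__main__":
    print(flag_mail_c2(SAMPLE_EVENTS))  # ['demo_dropper.exe']
```

The allow-list keeps legitimate mail clients out of the result; the ordering check (POP3 before SMTP) reduces noise from processes that only ever send notifications. Tune `min_pop3` and the port sets to the environment's actual mail traffic.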
“In late October and early November 2018, Unit 42 intercepted a series of weaponized documents that use a technique to load remote templates containing a malicious macro. These types of weaponized documents are not uncommon but are more difficult to identify as malicious by automated analysis systems due to their modular nature. Specific to this technique, if the C2 server is not available at the time of execution, the malicious code cannot be retrieved, rendering the delivery document largely benign,” explains the Unit 42 research unit.
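The delivery technique described in the two passages above (a macro-enabled attachment, and a document that loads its macro from a remote template) leaves a trace in the document itself that a mail gateway or analyst can check before the file is ever opened. The following scanner is an added example, not Unit 42's code and not part of the original article. It assumes the document is in the OOXML container format (.docx/.dotm, a ZIP archive), where an attached template is recorded as a relationship in `word/_rels/settings.xml.rels`; the legacy binary .doc format mentioned above would need an OLE parser instead. The sample document built in `build_sample_docx` is a minimal constructed fixture for testing the scanner, and the template URL in it is a placeholder.

```python
"""
Added example, not from the article or Unit 42: inspect an OOXML Word file
for (a) an attached template whose target is external (the remote-template
technique) and (b) an embedded VBA project (macros). Assumes OOXML input.
"""
import io
import re
import zipfile
from typing import Dict, List, Optional

SETTINGS_RELS = "word/_rels/settings.xml.rels"
# Relationship type Word uses for an attached (.dotm) template.
ATTACHED_TEMPLATE_TYPE = (
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
)
_REL_RE = re.compile(r"<Relationship\b[^>]*>", re.IGNORECASE)
_ATTR_RE = re.compile(r'(\w+)="([^"]*)"')


def scan_docx(data: bytes) -> Dict[str, object]:
    """Return indicators found in an OOXML Word document supplied as bytes."""
    remote_templates: List[str] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        # Any embedded macro storage is worth flagging on its own.
        has_vba = any(n.lower().endswith("vbaproject.bin") for n in names)
        if SETTINGS_RELS in names:
            xml = zf.read(SETTINGS_RELS).decode("utf-8", errors="replace")
            for rel in _REL_RE.findall(xml):
                attrs = dict(_ATTR_RE.findall(rel))
                # TargetMode="External" means the template lives outside the
                # ZIP, typically a URL or UNC path fetched at open time.
                if (attrs.get("Type") == ATTACHED_TEMPLATE_TYPE
                        and attrs.get("TargetMode") == "External"):
                    remote_templates.append(attrs.get("Target", ""))
    return {
        "remote_templates": remote_templates,
        "has_vba_project": has_vba,
        "suspicious": bool(remote_templates) or has_vba,
    }


def build_sample_docx(template_target: Optional[str] = None,
                      with_vba: bool = False) -> bytes:
    """Constructed minimal OOXML container used only to exercise the scanner.
    It is not a valid Word document and contains no macro code."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if template_target is not None:
            zf.writestr(
                SETTINGS_RELS,
                '<Relationships><Relationship Id="rId1" '
                f'Type="{ATTACHED_TEMPLATE_TYPE}" '
                f'Target="{template_target}" TargetMode="External"/></Relationships>',
            )
        if with_vba:
            zf.writestr("word/vbaProject.bin", b"\x00")  # placeholder bytes only
    return buf.getvalue()


if __name__ == "__main__":
    # Placeholder URL, constructed for the example.
    sample = build_sample_docx("http://example.invalid/template.dotm")
    print(scan_docx(sample))
```

Note the caveat from the Unit 42 quote: because the macro is fetched at open time, sandboxing the attachment proves nothing if the template server is down. Checking the relationship target statically, as above, does not depend on the server being reachable.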
“Cannon” appears to be linked to Sofacy, a hacking group which has previously distributed “Zebrocy” and other similar malware attributed to the Russian government. To protect against these types of phishing attacks, it is always best to avoid opening emails from suspicious email addresses. Even though Microsoft has taken steps to block malicious macros, it is also best not to use the macro feature at all. You should also keep your antivirus up to date and make sure that you’re running the latest version of Windows 10.