Six weeks ago both Palo Alto Networks and CrowdStrike released reports regarding a highly advanced attack on US governmental and political targets. The group behind the attack, dubbed APT28, Sofacy or COZY BEAR, is known to have been active since at least 2014, compromising high-value targets, and is linked to an unknown Russian intelligence agency.

Most experts agree that this group is also behind the attack on the Democratic National Committee (DNC), despite the claims of a hacker named Guccifer 2.0, who calls this hack “his personal project”. However, both the complexity of the attack and its resemblance to previous campaigns affiliated with APT28 make security researchers highly doubt his claims.

Preventing APTs without Prior Knowledge

We analyzed two documents used in APT28‘s latest campaign against American targets:

  • Exercise_Noble_Partner_16.rtf (VT)
  • Putin_Is_Being_Pushed_to_Prepare_for_War.rtf (VT)

These files are in RTF format and contain an exploit (CVE-2015-1641) which enables code execution once the document is opened. The manner in which persistence is achieved in this campaign is unique, and was described in another of Palo Alto’s publications: each time the victim opens a Microsoft Office program such as Word, a malicious DLL is loaded and runs inside the Office process itself.

This screenshot is an example of how a successful exploitation ends with a thread running the malicious svchost.dll (VT):

Malicious thread running in an infected Word process

Careful analysis of the sample revealed another DLL, named btecache.dll (VT) or amdcache.dll (VT), which is used to load svchost.dll into the host Office application. Our innovative solution prevents this type of behavior: malware trying to evade detection, whether by probing for security solutions or, as in this case, by “hiding” inside a legitimate host process.
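As an added example (not code from the original post or from Minerva's product), the following Python applies the defender-side check this loader chain suggests to a module listing of an Office process: it flags a DLL that carries the name of a Windows executable (svchost.dll), any of the DLL names reported above, and any module loaded from outside the Windows or Office directories. The module list and the trusted-directory patterns are constructed assumptions for illustration; on a live host the listing would come from the process's loaded-module enumeration.

```python
"""Flag anomalous DLLs in an Office process (constructed example)."""
import ntpath
import re

# DLL names the post associates with this campaign (loader + payload).
CAMPAIGN_DLLS = {"svchost.dll", "btecache.dll", "amdcache.dll"}

# Basenames of legitimate Windows executables. A *.dll with one of these
# names (e.g. svchost.dll) is a masquerade: svchost ships only as svchost.exe.
SYSTEM_EXE_BASENAMES = {"svchost", "lsass", "csrss", "winlogon", "explorer"}

# Assumed directories from which an Office process normally loads modules.
TRUSTED_DIR_PATTERNS = [
    re.compile(r"^c:\\windows\\(system32|syswow64|winsxs)\\", re.I),
    re.compile(r"^c:\\program files( \(x86\))?\\(microsoft office|common files)\\", re.I),
]


def classify_module(path):
    """Return the list of reasons a loaded module is suspicious (empty if none)."""
    name = ntpath.basename(path).lower()          # ntpath handles Windows paths anywhere
    stem, ext = ntpath.splitext(name)
    reasons = []
    if name in CAMPAIGN_DLLS:
        reasons.append("name matches a DLL reported in this campaign")
    if ext == ".dll" and stem in SYSTEM_EXE_BASENAMES:
        reasons.append("DLL masquerading as a Windows executable name")
    if not any(p.match(path) for p in TRUSTED_DIR_PATTERNS):
        reasons.append("loaded from outside Windows/Office directories")
    return reasons


def scan_modules(modules):
    """Map each suspicious module path to its reasons; clean modules are omitted."""
    findings = {}
    for module in modules:
        reasons = classify_module(module)
        if reasons:
            findings[module] = reasons
    return findings


# Constructed module list resembling WINWORD.EXE with the loader chain present.
SAMPLE_MODULES = [
    r"C:\Program Files\Microsoft Office\Office15\WINWORD.EXE",
    r"C:\Windows\System32\ntdll.dll",
    r"C:\Windows\System32\kernel32.dll",
    r"C:\Program Files\Common Files\Microsoft Shared\OFFICE15\MSO.DLL",
    r"C:\Users\victim\AppData\Local\Temp\btecache.dll",
    r"C:\Users\victim\AppData\Local\Temp\svchost.dll",
]

if __name__ == "__main__":
    for path, why in scan_modules(SAMPLE_MODULES).items():
        print(path, "->", "; ".join(why))
```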

In our lab, on a Minerva-protected machine, we were able to prevent the malicious activity before any damage was done by disrupting the load of APT28’s DLLs:

On a Minerva-protected endpoint the loading of svchost.dll is prevented

As you can see, the shady svchost.dll is no longer loaded, and the many threads responsible for contacting the C2 servers are absent as well. This test was performed for both of the .rtf files and showed the same results.
