Palo Alto Networks' Unit 42 research team reported their discovery of weaponized documents that load remote templates embedded with a malicious macro. This trojan, called Cannon, comes from the hacking group APT28, which has close ties to the Kremlin, according to ZDNet.
Cannon Malware in Action
What distinguishes Cannon from other malware deployments is its novel email-based command-and-control (C2) channel. One reason the attackers might choose this approach is to evade detection, since email providers don't treat ordinary mail traffic as suspicious.
To entice recipients, the lure relies on current events. Right now, the phishing email refers to the Lion Air crash and carries a Microsoft Word file named Lion Air Boeing 737.docx whose author field reads 'Joohn.'
Let's go down the rabbit hole a bit further. If you open the Microsoft Word attachment, a message on screen claims the document was created in an older version of Microsoft Word and asks you to enable macros in order to view the material.
Enabling macros is the conduit through which the malware infects your device. Compounding matters, the malware does not appear on your device until after you have closed Microsoft Word.
ZDNet notes that Cannon uses a command-and-control server to issue instructions to the malware. One of its trademarks is taking a screenshot of the infected device every 10 seconds; it also logs system information every five minutes. The malware emails the screenshots and system information to one of three accounts hosted on a server in the Czech Republic, according to ZDNet.
The malware targets users across Europe and the United States, paying particular attention to government agencies. As you can imagine, with its ability to read full system information and capture screenshots every 10 seconds, attackers who break in will have a treasure trove of data at their fingertips.
Tips to Avoid Malware Infection
Although Cannon is effective, you can avoid downloading it. The simplest way to stay out of its grasp is to refrain from opening email attachments. However enticing a fresh news story may be, stop and think about why someone would send you an attachment when there is ample material you can read on news websites.
Second, many phishing emails have telltale signs, often spelling and grammar mistakes in the message. Use this as an opportunity to research the email before clicking anything, starting with the sender's address.
If the sender is someone you don't know, it's best not to open the attachment. And to be safe, if someone you know emails you an attachment, contact them first to verify that they sent it.
Once installed, any form of malware can render your files inaccessible. If this happens, you need a team of recovery experts to help you regain your data. Our staff at SALVAGEDATA is adept at recovering files from malware-infected devices in a timely fashion. Contact our staff today to receive your free quote.