A new Russian hacking tool is targeting government systems in the United States and Europe through spear-phishing, using stealthy mechanisms designed to evade detection.
Discovered by Palo Alto Networks' Unit 42 researchers, the “Cannon” trojan is delivered by Word documents that load a remote template carrying the malicious code. Remote templates are neither new nor uncommon, but the modular delivery, with the malicious macro living in the fetched template rather than in the attachment itself, leaves automated scanners that inspect only the attachment with little to flag.
To push detection even further out, the template's macro uses Word's AutoClose event, so the malicious code does not run until the user closes the document; a sandbox that opens the attachment but never closes it sees nothing. Cannon itself is a downloader, but instead of contacting its command and control server directly it uses email accounts as the channel, pulling its instructions from messages the attackers send.
The lure arrives the ordinary way, as a Word document attached to an email. The document contains no malicious code of its own, only a reference to a remote template, which is why signature-based tools have so little to match on. Once the document is opened, Word fetches the remote template, and it is the template that delivers the malicious code.
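The reference to the remote template is the one artefact that does survive in the attachment, so it is the thing to look for during triage. The following scanner is an added example written for this page, not Unit 42's code or anything from the report: it opens a .docx as the zip package it is, finds the attachedTemplate relationship that Word resolves when it loads the document, and reports any target that is fetched from the network. The sample documents are constructed in memory purely to exercise the scanner (they are too sparse for Word to open), and the host names are placeholders.

```python
"""Triage a .docx for an externally hosted attached template (the remote
template injection pattern described above). Added example, standard
library only; not code from the article or from Unit 42."""
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import List, Optional
from urllib.parse import urlparse

PKG_REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
WML_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
ATTACHED_TEMPLATE_TYPE = OFFICE_REL_NS + "/attachedTemplate"


def find_remote_templates(docx_bytes: bytes) -> List[str]:
    """Return the template targets Word will fetch over the network on open.

    Word reads <w:attachedTemplate r:id="..."/> from word/settings.xml and
    resolves the id through word/_rels/settings.xml.rels. A relationship of
    type attachedTemplate with TargetMode="External" and an http(s) or UNC
    target is the remote-template-injection pattern. Benign documents very
    often carry an External file:/// path to a local Normal.dotm, so local
    paths are deliberately not flagged.
    """
    found: List[str] = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        if "word/_rels/settings.xml.rels" not in zf.namelist():
            return found  # no settings relationships: nothing to resolve
        rels = ET.fromstring(zf.read("word/_rels/settings.xml.rels"))
        for rel in rels.iter("{%s}Relationship" % PKG_REL_NS):
            if rel.get("Type") != ATTACHED_TEMPLATE_TYPE:
                continue
            if rel.get("TargetMode", "Internal") != "External":
                continue  # template stored inside the package, no fetch
            target = rel.get("Target", "")
            scheme = urlparse(target).scheme.lower()
            if scheme in ("http", "https") or target.startswith("\\\\"):
                found.append(target)
    return found


def build_docx(template_target: Optional[str] = None, external: bool = True) -> bytes:
    """Constructed minimal .docx used as sample input for the scanner.

    With template_target=None the document has no attached template at all.
    The package is deliberately minimal and is not a document Word would open.
    """
    settings_body = ""
    rels = None
    if template_target is not None:
        settings_body = '<w:attachedTemplate r:id="rId1"/>'
        mode = ' TargetMode="External"' if external else ""
        rels = (
            '<Relationships xmlns="%s"><Relationship Id="rId1" Type="%s" '
            'Target="%s"%s/></Relationships>'
            % (PKG_REL_NS, ATTACHED_TEMPLATE_TYPE, template_target, mode)
        )
    settings = '<w:settings xmlns:w="%s" xmlns:r="%s">%s</w:settings>' % (
        WML_NS, OFFICE_REL_NS, settings_body)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("word/document.xml",
                    '<w:document xmlns:w="%s"><w:body/></w:document>' % WML_NS)
        zf.writestr("word/settings.xml", settings)
        if rels is not None:
            zf.writestr("word/_rels/settings.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed samples: a plain document, a typical local Normal.dotm
    # reference, and a lure that pulls its template from a (placeholder) host.
    samples = {
        "benign": build_docx(),
        "local template": build_docx("file:///C:/Users/a/AppData/Roaming/Microsoft/Templates/Normal.dotm"),
        "remote lure": build_docx("http://template.example.invalid/brief.dotm"),
    }
    for label, blob in samples.items():
        print("%-15s -> %s" % (label, find_remote_templates(blob) or "no remote template"))
```

The scanner only tells you that the attachment will reach out; the macro with the AutoClose handler lives in the template it fetches. When following up, retrieve the template from an isolated analysis host and run it in a sandbox that actually closes the document, since, as described above, nothing happens until that event fires.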
Across the campaign the documents install two malicious programs. Cannon gives the attackers a foothold on the machine, gathers system information and takes screenshots of the infected system's desktop; it saves that data to a file, emails it to the attackers and then waits for a reply carrying further instructions or a payload.
“The overall purpose of Cannon is to use several email accounts to send system data (system information and screenshot) to the threat actors and to ultimately obtain a payload from an email from the actors,” the researchers wrote.
Palo Alto's researchers attribute the trojan to Fancy Bear (also tracked as Sofacy or APT28), the hacking group linked to Russia's GRU military intelligence. The group has been behind several major breaches, including the Democratic National Committee and the theft of athletes' medical data from the International Association of Athletics Federations and the World Anti-Doping Agency, among others.
The Palo Alto report comes only weeks after security researchers told Reuters they had seen Russian hackers impersonating State Department employees in phishing campaigns aimed at U.S. think tanks, government agencies and businesses.
Phishing pressure on healthcare and human-services agencies is not new either. A recent hearing into the phishing attack on the Minnesota Department of Human Services revealed that the agency had faced an onslaught of phishing attempts throughout the summer.
Short on resources and staff, Minnesota DHS could not keep up with the volume and did not detect the compromise for several months. Because much of the healthcare sector works under the same constraints, an evasive threat of this kind could pose a serious problem.