Security research firm FireEye has discovered a new cyber espionage campaign, dubbed "Operation Russian Doll", which it attributes to the Russian hacking group APT28. FireEye has previously published a report documenting APT28's cyber espionage campaigns.
The group targeted international government organizations using two zero-day vulnerabilities: one in Adobe Flash Player (CVE-2015-3043) and a brand-new one in Windows (CVE-2015-1701).
The exploits are triggered when a victim browses to a website controlled by APT28. The same group has previously run cyber espionage campaigns against U.S. defense contractors, European security companies and Eastern European government entities.
Anatomy of the Attack
- 1. The targeted user is lured into clicking a link to an innocuous-looking website controlled by the attackers.
- 2. HTML/JavaScript on that page launches a hidden page that serves the Flash exploit (CVE-2015-3043).
- 3. The Flash exploit triggers CVE-2015-3043 and executes shellcode.
- 4. The shellcode downloads and executes an executable payload.
- 5. The payload exploits the local privilege escalation vulnerability CVE-2015-1701 to steal the System token, so the malware runs with SYSTEM privileges rather than those of the logged-in user.
The malware variants delivered by these exploits are similar to APT28's known backdoor families (CHOPSTICK and CORESHELL). The RC4 key used to encrypt this campaign's traffic had previously been observed in the network protocol of those backdoors, which ties the new payload's beacon traffic back to APT28 even though the samples themselves are new. One of the payload hosting locations, 87.236.215(.)246, also hosts the suspected APT28 domain ssl-icloud(.)com.
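As an added example (not code from FireEye or the original post), the script below does the two things a defender would do with the paragraph above: sweep proxy/DNS logs for the two network indicators, and triage a captured beacon by trying a list of RC4 keys already known from the CHOPSTICK/CORESHELL protocol. The log format, the sample log lines, the candidate key list and the beacon bytes are all constructed here for illustration; the real APT28 RC4 key is not on the page and is not reproduced.

```python
"""IOC sweep and RC4 beacon triage (added example; all sample data is constructed)."""
import ipaddress
from urllib.parse import urlsplit

# Indicators exactly as the article defangs them.
DEFANGED_IOCS = ["87.236.215(.)246", "ssl-icloud(.)com"]

# Constructed proxy/DNS log lines (hypothetical format: time source host verb target [status]).
SAMPLE_LOGS = [
    "2015-04-15T10:02:11Z proxy ws-042 GET http://www.example.org/index.html 200",
    "2015-04-15T10:02:13Z proxy ws-042 GET http://87.236.215.246/ 200",
    "2015-04-15T10:04:50Z dns ws-017 query A update.ssl-icloud.com",
    "2015-04-15T10:05:01Z proxy ws-017 GET https://ssl-icloud.com/ 200",
    "2015-04-15T10:06:30Z dns ws-099 query A ssl-icloud.com.example.org",
]


def refang(ioc: str) -> str:
    """Turn defanged notation ("(.)", "[.]", "{.}", hxxp) back into a matchable value."""
    for broken in ("(.)", "[.]", "{.}"):
        ioc = ioc.replace(broken, ".")
    if ioc.startswith("hxxp"):
        ioc = "http" + ioc[4:]
    return ioc.lower()


def is_ip(value: str) -> bool:
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def hosts_in(line: str):
    """Yield every host-like token in a line: bare hostnames/IPs and URL hostnames."""
    for tok in line.split():
        if "://" in tok:
            host = urlsplit(tok).hostname
            if host:
                yield host.lower()
        else:
            yield tok.strip(".,;:\"'()[]").lower()


def matches(host: str, ioc: str) -> bool:
    """Exact match for IPs; exact or subdomain match for domains.
    Token-based matching avoids the false positive a plain substring search would
    give on look-alikes such as ssl-icloud.com.example.org."""
    if is_ip(ioc):
        return host == ioc
    return host == ioc or host.endswith("." + ioc)


def scan_logs(lines, iocs):
    """Return (line_number, indicator) pairs for every line that references an IOC."""
    fanged = [refang(i) for i in iocs]
    hits = []
    for n, line in enumerate(lines, 1):
        matched = {ioc for host in hosts_in(line) for ioc in fanged if matches(host, ioc)}
        hits.extend((n, ioc) for ioc in sorted(matched))
    return hits


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for c in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(c ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


# Hypothetical stand-ins for keys previously recovered from the backdoors' protocol.
HYPOTHETICAL_KEYS = [b"not-the-real-key-1", b"not-the-real-key-2"]
# Constructed beacon: what the second key would produce for a simple check-in message.
SAMPLE_PLAINTEXT = b"id=4f2a&host=WS-017&os=6.1.7601&ver=2\r\n"
SAMPLE_BEACON = rc4(HYPOTHETICAL_KEYS[1], SAMPLE_PLAINTEXT)


def triage_beacon(blob: bytes, candidate_keys):
    """Try each known key; return (key, plaintext) for the first decryption that is
    entirely printable ASCII, or (None, None) if no known key fits."""
    for key in candidate_keys:
        pt = rc4(key, blob)
        if pt and all(32 <= b < 127 or b in b"\r\n\t" for b in pt):
            return key, pt
    return None, None


if __name__ == "__main__":
    for n, ioc in scan_logs(SAMPLE_LOGS, DEFANGED_IOCS):
        print(f"line {n}: {ioc} -> {SAMPLE_LOGS[n - 1]}")
    key, pt = triage_beacon(SAMPLE_BEACON, HYPOTHETICAL_KEYS)
    print("beacon key:", key, "plaintext:", pt)
```

The printable-ASCII test is only a first-pass filter; on a real capture you would follow it with a check for the backdoor's known message structure, since a short ciphertext can decrypt to printable bytes under the wrong key by chance.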
Adobe patched the Flash vulnerability on Tuesday, so customers should update Flash Player to the latest version to close this delivery vector. There is currently no patch for the Windows zero-day; Microsoft is working on a fix. The flaw does not affect Windows 8 or 8.1. Because CVE-2015-1701 is a local privilege escalation, it only matters once an attacker already has code execution on the machine: to use it against systems that have applied the Flash update, the attackers would need a new Flash exploit or some other initial-access vector for future campaigns.