Sofacy AKA Sednit/APT28/Fancy Bear Malicious Payloads

February 21, 2015  |  Garrett Gross

You’ve probably educated your users not to click on risky email attachments, but what about Word files, spreadsheets or even PDFs? We send those to our coworkers all the time, so how do we know what is legit and what isn’t? (Remember: one of the most visible breaches of our time, RSA 2011, started with a tainted Excel spreadsheet.)

We are seeing some especially tricky attacks these days related to the Sofacy (aka Sednit/APT28/Fancy Bear) threat group. One of their common tactics is to hide malicious payloads in Word documents, exploiting known vulnerabilities. Some other delivery mechanisms we have seen related to this group have been traditional spearphishing, website compromises, even redirects to a fake site designed to impersonate the user’s Outlook web mail portal.

This can impact you in several ways:

  • Infected machines can spread the malware to critical systems and/or those that house sensitive data
  • Backdoor and/or Command & Control mechanisms put you at even greater risk of further compromise in the future
  • Possible destruction or exfiltration of data

AlienVault Unified Security Manager (USM) has vulnerability scanning built-in that can be scheduled to ensure continual awareness of things happening within your network.

Our AlienVault Labs team has already created several correlation rules and IDS signatures to spot activity related to this threat.

You can get more details on the latest USM threat intelligence updates here.
