SNAKEMACKEREL delivers SedUploader malware
February 13, 2019
iDefense analysts recently identified a macro-enabled Microsoft Corp. Word document that references themes taken from the Underwater Defence & Security 2019 event, which is scheduled to occur March 5-7, 2019, in Southampton, United Kingdom, at the Ageas Hilton hotel. The document is used to drop a DLL file that is believed to be a version of SedUploader, a first-stage reconnaissance tool thought to be developed and used by SNAKEMACKEREL actors.
According to the event website, this is a three-day global event focused on how NATO members and affiliated nation states can respond to sea-based threats, including how manned, unmanned and autonomous systems can be used effectively to conduct dangerous mission operations. The official conference agenda for 2019 appears to emphasize the need for NATO members and affiliated nation states to improve naval capabilities (e.g., fleets and submarines) to address increasing global instability.
The actors appear to have copied the content of the lure document directly from a registration web page that hosts the official conference agenda. Based on iDefense’s analysis, the lure document drops a DLL file at two locations on the targeted system; the file is believed to be a version of SedUploader, a first-stage reconnaissance tool developed and used by the Russian cyber-espionage threat group SNAKEMACKEREL. The malware uses XOR-based obfuscation to hide hardcoded artifacts, including a specific mutex name, so these strings are not visible to a plain strings search of the binary.
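The alert states that SedUploader XOR-obfuscates hardcoded artifacts such as its mutex name but does not publish the key or the plaintext. The following is an added example, not code from the alert or from the malware, showing how an analyst recovers such strings from a dumped binary: try every single-byte key, keep the keys under which a known-plaintext "crib" appears, then dump the printable runs under those keys. The single-byte key, the sample blob, the mutex name, the URL and the cribs are all constructed here and are not indicators from the alert.

```python
"""Recover XOR-obfuscated strings from a binary blob with a crib search.

Added example, not code from the iDefense alert or from SedUploader. The blob,
key, mutex and URL below are constructed placeholders, not indicators. The
technique assumes a single-byte key; that is also an assumption here.
"""
import re
from typing import Iterable, List

# Constructed sample: a single-byte key and two "hardcoded artifacts" of the
# kind a first-stage tool carries. None of these values come from the alert.
KEY = 0x5A
MUTEX = b"Global\\ExampleMutex-PLACEHOLDER"
URL = b"http://example.invalid/report"
# Filler chosen so that under the real key it decodes to non-printable bytes
# (0xA5, 0xDA) and does not merge with the recovered strings.
FILLER = b"\xff\x80" * 16

# Cribs: substrings the analyst expects in the decoded data. Windows mutex
# names often carry the "Global\" prefix; a beacon URL starts with "http".
CRIBS = [b"Global\\", b"http"]


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte of data with a single-byte key (the same call undoes it)."""
    return bytes(b ^ key for b in data)


def build_sample_blob() -> bytes:
    """Constructed stand-in for a memory dump or unpacked section."""
    return FILLER + xor_bytes(MUTEX, KEY) + FILLER + xor_bytes(URL, KEY) + FILLER


SAMPLE_BLOB = build_sample_blob()


def find_xor_keys(blob: bytes, cribs: Iterable[bytes]) -> List[int]:
    """Return every single-byte key under which at least one crib appears."""
    cribs = list(cribs)
    hits = []
    for key in range(256):
        decoded = xor_bytes(blob, key)
        if any(crib in decoded for crib in cribs):
            hits.append(key)
    return hits


def extract_strings(blob: bytes, key: int, min_len: int = 8) -> List[str]:
    """Decode blob with key and return printable ASCII runs of >= min_len bytes."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    decoded = xor_bytes(blob, key)
    return [m.group().decode("ascii") for m in pattern.finditer(decoded)]


if __name__ == "__main__":
    for key in find_xor_keys(SAMPLE_BLOB, CRIBS):
        print(f"candidate key 0x{key:02x}:")
        for s in extract_strings(SAMPLE_BLOB, key):
            print("   ", s)
```

The crib step matters: scoring each key only by how many printable bytes it yields is noisy, because XOR with a small value (a low-bit flip, or 0x20 for case changes) keeps ASCII printable, so several wrong keys produce plausible-looking runs. Requiring an expected substring collapses those candidates to the real key, after which the mutex name and any other hardcoded artifacts can be read off and turned into detection content.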
The macro in the Word document drops two identical DLL files to two separate locations on the victim system. It executes one immediately and registers the other under a registry Run key so that it is loaded again at the next logon, giving the implant persistence across reboots. iDefense has moderate confidence that one of the intended targets of this campaign was an unknown entity based in Macedonia. This observation is notable, as Macedonia is currently pending admission to NATO as that organization’s thirtieth member; the admission is expected to become official sometime in 2020. The activity aligns with prior SNAKEMACKEREL operations: the group allegedly targeted government officials in Montenegro in 2017, prior to that country’s accession to NATO [1].
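The persistence mechanism described above is something a responder can check for directly. The following is an added example, not code from the alert, that parses a .reg export of the Run keys and flags entries worth a second look: a DLL being loaded through a host process from the Run key, or an image living under a user-writable directory. The alert does not say which host process launches the dropped DLL, so the rundll32/regsvr32 check is an assumption; the registry export, the value names and the paths are constructed here and are not indicators from the alert.

```python
r"""Triage Run-key persistence entries from a Windows .reg export.

Added example, not code from the iDefense alert. Collect the input on the host with
  reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run run.reg
(the file is UTF-16LE text; open it with encoding="utf-16"). SAMPLE_REG_EXPORT
below is constructed: every name and path in it is a placeholder.
"""
import ntpath
from typing import Dict, List, Tuple

SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"SecurityHealth"="%windir%\\system32\\SecurityHealthSystray.exe"
"WinUpdateSvc"="rundll32.exe C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\srvupd.dll,#1"
"ConfigHelper"=hex(2):00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VMware User Process"="\"C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe\" -n vmusr"

[HKEY_CURRENT_USER\Software\ExampleApp]
"InstallDir"="C:\\Users\\alice\\AppData\\Local\\ExampleApp"
'''

# Host processes that execute a DLL given on the command line (assumption:
# the alert does not name the loader used for the dropped DLL).
DLL_HOSTS = {"rundll32.exe", "regsvr32.exe", "rundll32", "regsvr32"}
# Directory markers a non-admin user can write to; legitimate software does
# live here too, so this is a review queue, not a verdict.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\", "\\downloads\\")


def _unescape(value: str) -> str:
    # In .reg string data a backslash escapes the following character
    # (so '\\' is one backslash and '\"' is a literal quote).
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            out.append(value[i + 1])
            i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def parse_reg(text: str) -> List[Tuple[str, str, str]]:
    """Return (key_path, value_name, string_data) for every REG_SZ value.

    Non-string data (dword:, hex:, hex(2):...) is skipped: only string values
    can hold a command line, which is all the Run-key triage needs.
    """
    entries = []
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
        elif line.startswith('"') and current_key is not None:
            name_end = line.find('"', 1)
            if name_end == -1 or not line[name_end + 1:].startswith("="):
                continue
            name = line[1:name_end]
            data = line[name_end + 2:]
            if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
                entries.append((current_key, name, _unescape(data[1:-1])))
    return entries


def split_command(command: str) -> Tuple[str, str]:
    """Split a Windows command line into (image, arguments), honouring a quoted image path."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        if end != -1:
            return command[1:end], command[end + 1:].strip()
    parts = command.split(None, 1)
    return parts[0], (parts[1] if len(parts) > 1 else "")


def triage_run_entries(entries: List[Tuple[str, str, str]]) -> List[Dict]:
    """Flag Run/RunOnce values that load a DLL via a host process or run from user-writable paths."""
    findings = []
    for key_path, name, command in entries:
        if not key_path.lower().endswith(("\\run", "\\runonce")):
            continue
        image, args = split_command(command)
        host = ntpath.basename(image).lower()
        reasons = []
        if host in DLL_HOSTS and ".dll" in args.lower():
            reasons.append(f"{host} loads a DLL from the Run key")
        if any(marker in command.lower() for marker in USER_WRITABLE):
            reasons.append("image or argument lives under a user-writable directory")
        if reasons:
            findings.append({"key": key_path, "name": name, "command": command, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in triage_run_entries(parse_reg(SAMPLE_REG_EXPORT)):
        print(f'{finding["key"]}\\{finding["name"]}: {finding["command"]}')
        for reason in finding["reasons"]:
            print("    -", reason)
```

Because the macro writes two identical copies of the DLL, the path recovered from a flagged Run value can be hashed and the hash searched across the disk to find the second copy (the one executed immediately), which is usually dropped elsewhere and would otherwise be missed by a registry-only sweep.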
iDefense analysts note that this event draws attendees from government, military and private sector entities (defense and aerospace, high tech, etc.) across the globe, including those located in the United States, Western and Eastern Europe, the Middle East and the Asia-Pacific region.
This alert is intended to provide early indication and warning (I&W) notice to public and private sector organizations that are either sponsoring or attending this global event, as it represents a unique opportunity for SNAKEMACKEREL actors to conduct targeted attacks against entities aligned with its collection requirements. iDefense analysts will continue to monitor for new activity related to this global event and will provide additional updates as necessary.
Accenture Security is a leading provider of end-to-end cybersecurity services, including advanced cyber defense, applied cybersecurity solutions and managed security operations. We bring security innovation, coupled with global scale and a worldwide delivery capability through our network of Advanced Technology and Intelligent Operations centers. Helped by our team of highly skilled professionals, we enable clients to innovate safely, build cyber resilience and grow with confidence. Follow us @AccentureSecure on Twitter or visit us at www.accenture.com/security.
Accenture, the Accenture logo, and other trademarks, service marks, and designs are registered or unregistered trademarks of Accenture and its subsidiaries in the United States and in foreign countries. All trademarks are properties of their respective owners. All materials are intended for the original recipient only. The reproduction and distribution of this material is forbidden without express written permission from Accenture. The opinions, statements, and assessments in this report are solely those of the individual author(s) and do not constitute legal advice, nor do they necessarily reflect the views of Accenture, its subsidiaries, or affiliates. Given the inherent nature of threat intelligence, the content contained in this report is based on information gathered and understood at the time of its creation. It is subject to change. Accenture provides the information on an “as-is” basis without representation or warranty and accepts no liability for any action or failure to act taken in response to the information contained or referenced in this report.
Copyright © 2020 Accenture. All rights reserved. Accenture, its logo, and High Performance Delivered are trademarks