Let It Ride: The Sofacy Group’s DealersChoice Attacks Continue
TLP: WHITE | Adversary: Sofacy | Author: AlienVault | Created: 2016-12-16 | Modified: 2016-12-16
Recently, Palo Alto Networks Unit 42 reported on a new exploitation platform that we called “DealersChoice”, in use by the Sofacy group (AKA APT28, Fancy Bear, STRONTIUM, Pawn Storm, Sednit). As outlined in our original posting, the DealersChoice exploitation platform generates malicious RTF documents which in turn contain embedded OLE Word documents. These embedded OLE Word documents then contain embedded Adobe Flash (.SWF) files that are designed to exploit Adobe Flash vulnerabilities.
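The document chain above (RTF, then an embedded OLE Word object, then an SWF inside it) can be triaged without opening the file in Word. The following is an added example written for this page, not code from Unit 42 or from the OTX pulse: it decodes every `\objdata` hex blob in an RTF, flags blobs that carry a compound-file (OLE2) header, scans each blob for an SWF header (`FWS`, `CWS` or `ZWS` magic followed by a version byte and a little-endian file length), and compares the file's SHA-256 against two hashes taken from the pulse's indicator list. The sample RTF, the OLE 1.0 header bytes and the stub zlib stream in `build_sample_rtf` are constructed for the demonstration; `\bin`-encoded objects are not handled (an assumption stated in the code).

```python
"""Triage an RTF for embedded OLE objects that carry an Adobe Flash (SWF) file.

Added example, not code from the Unit 42 write-up or the OTX pulse.
Assumptions: objects are stored as \\objdata hex text (the common case);
\\bin-prefixed raw binary runs are not decoded.  The sample RTF is constructed.
"""
import hashlib
import re

OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")   # Compound File Binary header
SWF_MAGICS = (b"FWS", b"CWS", b"ZWS")            # raw / zlib / LZMA SWF

# Two SHA-256 values copied from the pulse's indicator list.
KNOWN_BAD_SHA256 = {
    "1f81609d9bbdc7f1d2c8846dcfc4292b3e2642301d9c59130f58e21abb0001be",
    "137185866649888b7b5b6554d6d5789f7b510acd7aff3070ac55e2250eb88dab",
}

OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9A-Fa-f\s]+)")
OBJCLASS_RE = re.compile(rb"\\objclass\s+([^}\\]+)")


def extract_objdata(rtf):
    """Decode every \\objdata hex blob; RTF stores OLE objects as hex text."""
    blobs = []
    for m in OBJDATA_RE.finditer(rtf):
        hexdata = re.sub(rb"\s+", b"", m.group(1))
        hexdata = hexdata[: len(hexdata) & ~1]       # drop a dangling nibble
        blobs.append(bytes.fromhex(hexdata.decode("ascii")))
    return blobs


def find_swf(blob):
    """Return (offset, magic, version, declared_length) for plausible SWF headers."""
    hits = []
    for magic in SWF_MAGICS:
        pos = blob.find(magic)
        while pos != -1:
            if pos + 8 <= len(blob):
                version = blob[pos + 3]
                length = int.from_bytes(blob[pos + 4:pos + 8], "little")
                # Flash versions are small integers and the length field counts
                # the whole file, so anything below the 8-byte header is noise.
                if 1 <= version <= 64 and length >= 8:
                    hits.append((pos, magic.decode(), version, length))
            pos = blob.find(magic, pos + 1)
    return sorted(hits)


def analyze_rtf(rtf):
    """Summarise embedded objects and any SWF payloads found inside them."""
    blobs = extract_objdata(rtf)
    swf_hits = []
    ole_objects = 0
    for blob in blobs:
        if OLE2_MAGIC in blob:
            ole_objects += 1
        swf_hits.extend(find_swf(blob))
    digest = hashlib.sha256(rtf).hexdigest()
    return {
        "sha256": digest,
        "known_bad": digest in KNOWN_BAD_SHA256,
        "objects": len(blobs),
        "ole_objects": ole_objects,
        "classes": [c.strip().decode() for c in OBJCLASS_RE.findall(rtf)],
        "swf": swf_hits,
        "suspicious": bool(swf_hits),
    }


def build_sample_rtf():
    """Constructed sample: an embedded Word object whose stream holds a SWF header."""
    native = (
        b"\x01\x05\x00\x00"                 # OLE 1.0 header version field (constructed)
        + OLE2_MAGIC + b"\x00" * 16         # start of a compound file, standing in for the Word doc
        + b"CWS" + bytes([14]) + (4096).to_bytes(4, "little")  # zlib SWF, version 14, 4096 bytes
        + b"\x78\x9c" + b"\x00" * 32        # zlib stream stub (constructed)
    )
    hexdata = native.hex().encode()
    wrapped = b"\n".join(hexdata[i:i + 64] for i in range(0, len(hexdata), 64))
    return (
        b"{\\rtf1\\ansi{\\object\\objemb{\\*\\objclass Word.Document.8}"
        b"{\\*\\objdata\n" + wrapped + b"}}\\par}"
    )


if __name__ == "__main__":
    report = analyze_rtf(build_sample_rtf())
    for key, value in report.items():
        print(f"{key:12} {value}")
```

On the constructed sample the report lists one embedded object of class `Word.Document.8` containing a compound-file header and a zlib-compressed SWF header at offset 28 of the decoded blob. A `CWS`/`ZWS` payload still has to be inflated before its ActionScript can be inspected; the hash check only catches the exact documents listed in the pulse, so the structural check (SWF inside an OLE object inside an RTF) is the part that generalises.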
Indicators of Compromise (27)
TYPE INDICATOR CREATED
FileHash-SHA256 1f81609d9bbdc7f1d2c8846dcfc4292b3e2642301d9c59130f58e21abb0001be 2016-12-16
FileHash-SHA256 137185866649888b7b5b6554d6d5789f7b510acd7aff3070ac55e2250eb88dab 2016-12-16
FileHash-SHA256 5dd3066a8ee3ab5b380eb7781c85e4253683cd7e3eee1c29013a7a62cd9bef8c 2016-12-16
FileHash-SHA256 4cbb0e3601242732d3ea7c89b4c0fd1074fae4a6d20e5f3afc3bc153b6968d6e 2016-12-16
FileHash-SHA256 1579c7a1e42f9e1857a4d1ac966a195a010e1f3d714d68c598a64d1c83aa36e4 2016-12-16
FileHash-SHA256 f5d3e827c3a312d018ef4fcbfc7cb5205c9e827391bfe6eab697cc96412d938e 2016-12-16
FileHash-SHA256 c5a389fa702a4223aa2c2318f38d5fe6eba68c645bc0c41c3d8b6f935eab3f64 2016-12-16
FileHash-SHA256 73ea2ccec2cbf22d524f55b101d324d89077e5718922c6734fef95787121ff22 2016-12-16
FileHash-SHA256 82213713cf442716eac3f8c95da8d631aab2072ba44b17dda86873e462e10421 2016-12-16
FileHash-SHA256 c993c1e10299162357196de33e4953ab9ab9e9359fa1aea00d92e97e7d8c5f2c 2016-12-16
FileHash-SHA256 3bb47f37e16d09a7b9ba718d93cfe4d5ebbaecd254486d5192057c77c4a25363 2016-12-16
domain appservicegroup.com 2016-12-16
domain postlkwarn.com 2016-12-16
domain adobeupgradeflash.com 2016-12-16
domain versiontask.com 2016-12-16
domain globaltechresearch.org 2016-12-16
domain securityprotectingcorp.com 2016-12-16
domain akamaisoftupdate.com 2016-12-16
domain apptaskserver.com 2016-12-16
domain joshel.com 2016-12-16
domain uniquecorpind.com 2016-12-16
domain researchcontinental.org 2016-12-16
CVE CVE-2016-7855 2016-12-16
email morata_al@mail.com 2016-12-16
email partanencomp@mail.com 2016-12-16
email olivier_servgr@mail.com 2016-12-16
CVE CVE-2016-7255 2016-12-16