Sofacy Uses DealersChoice to Target European Government Agency (Mar 15, 2018)
On March 12 and 14, 2018, Palo Alto Networks researchers observed the Sofacy group (APT28) attacking a European government agency with an updated version of "DealersChoice," the group's Adobe Flash exploitation framework, delivered inside a lure document. The updated version places the malicious Flash object on the third page of the three-page lure document, so the exploit only runs once the target scrolls to that page. Successful exploitation leads to a secondary payload being downloaded.
Recommendation: Educate all employees on the risks of spear phishing and how to recognize such attempts. This attack also requires a vulnerable version of Adobe Flash on the target's machine; ensure all users are running the latest Adobe Flash release, or remove Flash entirely where it is not required, to prevent exploitation.
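A lure document that carries a Flash object inside an Office file leaves generic artifacts that can be checked before a user ever scrolls to page three. The following scanner is an added example written for this entry, not code from Palo Alto Networks, Anomali, or the DealersChoice report: it unpacks a .docx (an OOXML zip) and flags any part that starts with an SWF header (FWS/CWS/ZWS) or references the Shockwave Flash ActiveX CLSID. The sample documents it scans are constructed in memory and are not real malware; the part names and the size cap are assumptions for the demo.

```python
"""Scan an OOXML (.docx) file for embedded Adobe Flash content.

Added example, not code from the Palo Alto Networks report or from Anomali.
Two generic indicators are checked on every zip part of the document:
  * the part begins with an SWF file header (FWS, CWS or ZWS), or
  * the part contains the CLSID of the Shockwave Flash ActiveX control.
The sample documents built by build_sample() are constructed for the demo.
"""
import io
import re
import sys
import zipfile
from typing import List, Tuple

# CLSID of the Shockwave Flash ActiveX control (public, documented value).
FLASH_CLSID = "D27CDB6E-AE6D-11CF-96B8-444553540000"
# First three bytes of an uncompressed / zlib-compressed / LZMA-compressed SWF.
SWF_MAGIC = (b"FWS", b"CWS", b"ZWS")
# Assumed cap per part so a decompression bomb cannot exhaust memory.
MAX_PART_BYTES = 50 * 1024 * 1024

CLSID_RE = re.compile(re.escape(FLASH_CLSID), re.IGNORECASE)


def scan_docx_bytes(data: bytes) -> List[Tuple[str, str]]:
    """Return (part_name, reason) for every zip part that points at Flash."""
    findings: List[Tuple[str, str]] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.file_size > MAX_PART_BYTES:
                # Flag rather than silently skip: an oversized part is itself suspicious.
                findings.append((info.filename, "oversized part, not inspected"))
                continue
            content = zf.read(info.filename)
            if content[:3] in SWF_MAGIC:
                findings.append((info.filename, "SWF header " + content[:3].decode("ascii")))
            elif CLSID_RE.search(content.decode("latin-1")):
                # ActiveX parts store the CLSID as text in word/activeX/activeX*.xml.
                findings.append((info.filename, "Shockwave Flash CLSID"))
    return findings


def scan_docx_path(path: str) -> List[Tuple[str, str]]:
    """Scan a .docx on disk."""
    with open(path, "rb") as fh:
        return scan_docx_bytes(fh.read())


def build_sample(with_flash: bool) -> bytes:
    """Construct a minimal .docx-like zip in memory (demo input, not a real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document>page 1, page 2, page 3</w:document>")
        if with_flash:
            # ActiveX control part naming the Flash CLSID (lower-cased on purpose).
            zf.writestr(
                "word/activeX/activeX1.xml",
                '<ax:ocx ax:classid="{%s}" xmlns:ax="urn:schemas-microsoft-com:office:activeX"/>'
                % FLASH_CLSID.lower(),
            )
            # Fake CWS header: magic, version 10, little-endian length, then padding.
            zf.writestr("word/activeX/activeX1.bin", b"CWS\x0a\x10\x00\x00\x00" + b"\x00" * 8)
    return buf.getvalue()


if __name__ == "__main__":
    targets = sys.argv[1:]
    if targets:
        for target in targets:
            for part, reason in scan_docx_path(target):
                print("%s: %s (%s)" % (target, part, reason))
    else:
        # No paths given: run against the constructed samples.
        print("clean sample:", scan_docx_bytes(build_sample(False)))
        print("flash sample:", scan_docx_bytes(build_sample(True)))
```

The CLSID check only catches the text form used in ActiveX parts; a Flash object embedded as an OLE package (word/embeddings/oleObject*.bin) stores the CLSID in binary, so a full triage would also parse the OLE stream or rely on the SWF-header check, which applies to both paths. Legacy .doc files are OLE containers rather than zips and need an OLE parser instead of zipfile.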
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.