A threat intelligence team at Palo Alto Networks has found that a cyber espionage group has launched a new spear phishing attack against the U.S. government.
The company said Tuesday its Unit 42 discovered that the Sofacy threat group, also called APT28, used a compromised email account linked to a foreign affairs ministry of another country to send a spear phishing email against a U.S. government agency on May 28.
According to Unit 42, the email delivered a Carberp variant of the Sofacy Trojan and used a persistence mechanism that had not been observed in previous attacks.
The persistence method helps the threat actors evade detection: rather than relying on a conventional autostart entry, it causes the malicious payload to be loaded and executed whenever the user opens any Microsoft Office application, with an RTF file serving as the delivery document, according to Palo Alto Networks.
The RTF file was sent as an attachment to the spear-phishing email and established a registry key as a method to run the Trojan for persistence purposes, Unit 42 said.
The threat intelligence team said the email was titled “FW: Exercise Noble Partner 2016,” which refers to a joint NATO training exercise between the U.S. and Georgia.