"Trump's attack on Syria" - a new attack by the Sednit group

Experts from ESET have observed a wave of e-mails carrying a malicious attachment prepared by a cybercriminal group called Sednit. Recently, the same group tried to obtain the logins and passwords of people involved in the presidential campaign of Emmanuel Macron. This time, Sednit sent e-mails to employees of the Ministry of Foreign Affairs of one of the European countries. To lure the recipient into opening the e-mail and then the infected attachment, the group used the April US missile strike on Syria as bait.

E-mail with an infected attachment

The infected document sent out in the e-mails is called "Trump's_Attack_on_Syria_English.docx" and contains the article "Trump's Attack on Syria: Wrong for so Many Reasons", which appeared on April 12 in The California Courier.

Contents of the document.

In the malicious file, the Sednit group used two zero-day exploits, i.e. code that abuses previously unknown and unpatched software vulnerabilities. The first vulnerability was in Microsoft Word and allowed arbitrary code execution. The second was used to escalate the attacker's privileges to administrative rights in Windows. Chained together, the two vulnerabilities gave the cybercriminals full control over the infected computer. Analysts at ESET reported the vulnerabilities to Microsoft, which prepared patches and released them in yesterday's "Patch Tuesday" update.

In 2014, the Sednit group used a Polish element in its attack. As experts reported at the time, for at least the five preceding years the Sednit group had attacked various institutions, in particular in Eastern Europe, using, among other things, the website of a Polish financial institution. It also used domains whose web addresses resembled existing websites related to the army, defense and foreign affairs.


We use the Google Cloud Translation and Gengo APIs to translate articles, with the exception of our comparative tests.