Phresh phishing against government, defence and energy

09 October 2014


Earlier this year I came to work and checked our monitoring systems that had run overnight. One of them had identified that two new domains had been pointed at a server PwC’s Threat Intelligence team had previously associated with malware known as “Sofacy”.

The group using Sofacy malware has a broad target base, and so any new activity is usually worth following. Investigating this activity led us to some additional recent activity in an ongoing operation targeting employees of a wide range of public and private sector organisations.


Sofacy has been discussed before as being used to target APEC members and there has also been some prior analysis of the malware itself.

Variants of Sofacy have been in use for a considerable amount of time - the screenshot below is from the decoy document loaded by one of the earliest versions present on ThreatExpert (February 2010).

[Screenshot: decoy document titled "Islamic Iran"]

Decoy documents are typically used to make targets believe that malware posing as a document is legitimate, and they often give some idea of the nature of the intended targets.

More recently, ESET have reported on spear phishes with NATO/Ukrainian conflict themes and watering hole attacks likely targeting the defence industry and a Polish finance.

Malicious Domain Names

I passed the domains onto my colleague Tom Lancaster (@tlansec) who has a great ability to take a piece of information and quickly expand it using open source information. Tom pivoted on the domains to find a far larger set of domains closely related via whois data and infrastructure.

The domain names were near identical to those of:

  • International and European diplomatic institutions
  • Popular providers of web mail, photo sharing, search and secure mail services
  • Military institutions, contractors and conferences
  • Energy companies
  • News organisations based out of the United States and Central Europe

Looking into the content of some of the domains revealed that they were not just used for the command and control of malware that I had expected to see.

Phishing for credentials

The usage of malware in targeted attacks to steal information of value to attackers has been well reported on. Less well reported is the simple technique of phishing for credentials, which whilst still relatively common in targeted attacks, is more typically reported in use by criminal attackers involved in day to day cyber-fraud.

Whilst many of the domain names were not hosting web pages at the time of identification, a number were. Typically they would use obfuscated code to redirect the user to another webpage:

[Screenshot: obfuscated redirect script]

In some pages this malicious redirect was never reached, because a JavaScript redirect to a legitimate site ran first.

Fake login pages were observed for webmail and two-factor authentication platforms. As well as the fake pages themselves being visually identical to the legitimate pages, the domains were near identical, making it difficult for users to identify that they were being duped.

For example, the screenshot below shows the contents of a credential phishing website designed to mimic the legitimate OWA site of a defence contractor.

[Screenshot: fake Outlook Web App login page]

Targeting and Domain Names

A significant number of Sofacy domains impersonate legitimate organisations, for example:

  • natoexhibitionff14[.]com
  • vice-news[.]com
  • world-oil-company[.]com
  • farnboroughair2014[.]com
  • n0vinite[.]com
  • nato[.]nshq[.]in
  • hushmali[.]com
  • login-osce[.]org
  • evronaval[.]com
  • counterterorexpo[.]com
  • changepassword-hotmail[.]com
  • changepassword-yahoo[.]com
  • account-flickr[.]com
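As an added example (not code from the original post), the following Python checks observed domains for the three impersonation patterns visible in the list above: the brand as a whole hyphen-separated piece, a near-miss spelling such as "hushmali", and the brand embedded in a longer label. The protected brand list and the allow-list of genuine domains are assumptions for illustration.

```python
import re

# Brands to watch for in newly registered or observed domains (constructed list).
PROTECTED = ["hushmail", "hotmail", "yahoo", "flickr", "osce", "nato"]

# Genuine domains that must never be flagged (constructed allow-list).
ALLOWED = {"hushmail.com", "hotmail.com", "yahoo.com", "flickr.com", "osce.org", "nato.int"}

def refang(domain):
    """Turn a defanged indicator such as 'login-osce[.]org' back into a hostname."""
    return domain.replace("[.]", ".").strip().lower()

def levenshtein(a, b):
    """Plain edit distance; adequate for short domain labels."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_hits(domain):
    """Return sorted (brand, reason) pairs for every protected brand the domain
    impersonates, or [] if none. Every label is checked, so 'nato.nshq.in' is
    caught by its subdomain. Reasons: 'exact' (brand is a whole hyphen-separated
    piece), 'near' (within a small edit distance), 'embedded' (brand inside a
    longer label; the noisiest rule, so it ranks last)."""
    host = refang(domain)
    if host in ALLOWED:
        return []
    hits = {}
    for label in host.split("."):
        pieces = re.split(r"[-_]", label)
        for brand in PROTECTED:
            budget = 2 if len(brand) >= 6 else 1   # short brands get a tighter budget
            if brand in pieces:
                hits[brand] = "exact"
            elif any(levenshtein(p, brand) <= budget for p in pieces):
                hits[brand] = "near"
            elif brand in label and brand not in hits:
                hits[brand] = "embedded"
    return sorted(hits.items())
```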

Two of the domains identified have previously been associated with credential phishing:

  • In October 2013 the domain chmail[.]in was reported as being used in widespread attacks against users of the Iranian mail service chmail[.]ir
  • In January 2014 the domain google-settings[.]com was reported as being used in credential theft against some gmail users.


The nature of malwareless attacks using legitimate webpage source code makes writing simple signatures difficult. The following Javascript will be present on many malicious obfuscated redirects, not necessarily related to this activity:



And this comment occurs in many of the pages, though also appears in some legitimate sites:

// stop for sometime if needed


As ever with phishing attacks, one of the most important preventative steps is educating users on how to identify suspicious emails. It is also important to alert on “impossible journeys”, for example a single user logging in from two separate countries in a short period of time. We will be publishing a post on how to do so shortly.
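An added example of the “impossible journey” check described above (not code from the original post): consecutive logins by the same user from different countries are compared, and a pair is flagged when the implied travel speed exceeds what an airliner could manage. The login events and the 900 km/h threshold are constructed assumptions; in practice the coordinates would come from a GeoIP lookup on the source address.

```python
from datetime import datetime
from math import radians, sin, cos, asin, sqrt

# Constructed webmail login events: (user, UTC time, country, lat, lon).
EVENTS = [
    ("alice", "2014-10-09T08:02:00", "GB", 51.50, -0.12),
    ("alice", "2014-10-09T08:41:00", "RU", 55.75, 37.62),   # ~2,500 km in 39 minutes
    ("bob",   "2014-10-09T09:00:00", "GB", 51.50, -0.12),
    ("bob",   "2014-10-09T21:30:00", "US", 40.71, -74.00),  # ~5,570 km in 12.5 h: a real flight
    ("carol", "2014-10-09T10:00:00", "FR", 48.85, 2.35),
    ("carol", "2014-10-09T10:20:00", "FR", 45.76, 4.84),    # same country, not in scope
]

MAX_SPEED_KMH = 900   # assumed ceiling for genuine human travel

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two points."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))

def impossible_journeys(events, max_speed_kmh=MAX_SPEED_KMH):
    """Return (user, from_country, to_country, km, hours) for each pair of
    consecutive logins by one user from different countries whose implied
    speed exceeds max_speed_kmh."""
    by_user = {}
    for user, ts, country, lat, lon in sorted(events, key=lambda e: (e[0], e[1])):
        by_user.setdefault(user, []).append((datetime.fromisoformat(ts), country, lat, lon))
    alerts = []
    for user, logins in by_user.items():
        for (t1, c1, la1, lo1), (t2, c2, la2, lo2) in zip(logins, logins[1:]):
            if c1 == c2:
                continue
            km = haversine_km(la1, lo1, la2, lo2)
            # Floor the gap at one minute so two near-simultaneous logins still score.
            hours = max((t2 - t1).total_seconds() / 3600, 1 / 60)
            if km / hours > max_speed_kmh:
                alerts.append((user, c1, c2, round(km), round(hours, 2)))
    return alerts
```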

Further information

For more in-depth coverage on this group and indicators which can be used to detect their activity, please give us a shout at [email protected].