Cannon Downloader Trojan

Cannon is a newly observed dropper trojan, believed to have been created by the ATP28 advanced persistent threat group.

As with most Fancy Bear affiliated malware, Cannon is distributed via spear-phishing campaigns with an attached Microsoft Word document. Once opened, the Word document will immediately attempt to retrieve a remote template containing a malicious macro. When the document is closed, the macro will install Cannon.

Cannon uses a complex system of email accounts to connect to a command and control server, to avoid detection. Once installed on a device, Cannon gathers system information and screenshots. If the infected system is of interest to the attacker, they will use Cannon to deliver other malware in a targeted attack.

The Cannon Trojan is written in C# and functions primarily as a downloader that relies on emails to communicate between the Trojan and the C2 server. To communicate with the C2 server, the Trojan will send emails to specific email addresses via SMTPS over TCP port 587. 

Once the user attempts to open the malicious document, Microsoft Word immediately attempts to load the remote template containing a malicious macro and payload from the location specified within the settings.xml.rels file of the DOCX document.



Remote Template IP


Zebrocy C2 URL Shown as blacklisted

Affected Platforms:

  • Microsoft Windows – All versions

Indicators of Compromise

Delivery Hashes

2cfc4b3686511f959f14889d26d3d9a0d06e27ee2bb54c9afb1ada6b8205c55f
af77e845f1b0a3ae32cb5cfa53ff22cc9dae883f05200e18ad8e10d7a8106392

Remote Template Hashes

f1e2bceae81ccd54777f7862c616f22b581b47e0dda5cb02d0a722168ef194a5
fc69fb278e12fc7f9c49a020eff9f84c58b71e680a9e18f78d4e6540693f557d


Remote Templates

hxxp://188.241.58[.]170/live/owa/office.dotm


Zebrocy Hashes

6ad3eb8b5622145a70bec67b3d14868a1c13864864afd651fe70689c95b1399a


Zebrocy C2 URLs

hxxp://188.241.58[.]170/local/s3/filters.php

hxxps://200.122.181[.]25/catalog/products/books.php


Cannon Hashes

61a1f3b4fb4dbd2877c91e81db4b1af8395547eab199bf920e9dd11a1127221e


Cannon Email Accounts
sahro.bella7[at]post.cz
trala.cosh2[at]post.cz
bishtr.cam47[at]post.cz
lobrek.chizh[at]post.cz
cervot.woprov[at]post.cz

Duncan Newell

Duncan is a technology professional with over 20 years experience of working in various IT roles. He has a interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: