Cannon Downloader Trojan

Cannon is a newly observed downloader trojan, attributed to the APT28 (Sofacy / Fancy Bear) advanced persistent threat group.

As with most Fancy Bear affiliated malware, Cannon is distributed via spear-phishing campaigns with an attached Microsoft Word document. Once opened, the Word document immediately attempts to retrieve a remote template containing a malicious macro. The macro does not run on open; it is triggered when the document is closed, at which point it installs Cannon.

Rather than connecting directly to a web-based command and control server, Cannon communicates with its operators through a set of attacker-controlled email accounts, which lets its traffic blend in with ordinary mail and helps it avoid detection. Once installed on a device, Cannon gathers system information and screenshots. If the infected system is of interest to the attacker, they use Cannon to deliver additional malware in a targeted follow-on attack.

The Cannon Trojan is written in C# and functions primarily as a downloader that relies on email for all communication between the Trojan and the C2 infrastructure. To reach the C2, the Trojan sends emails to specific, hard-coded email addresses via SMTPS over TCP port 587.

When the user opens the malicious document, Microsoft Word immediately attempts to load the remote template containing the malicious macro and payload from the URL specified in the word/_rels/settings.xml.rels part of the DOCX package. The fetch happens before the user has a chance to enable or disable macros, so the outbound request to the template host is the first network indicator of the delivery.

[Figure: IP address of the remote template host]

[Figure: Zebrocy C2 URL shown as blacklisted]
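As an added example (not code from the original post or from the researchers who analysed Cannon), the script below inspects a .docx for the relationship that triggers this remote template fetch: an attachedTemplate relationship with TargetMode="External" in word/_rels/settings.xml.rels. It builds its own minimal sample documents in memory so it runs offline; the template URL it reports is a constructed placeholder in the RFC 5737 documentation range, not an indicator from the campaign.

```python
import io
import sys
import zipfile
import xml.etree.ElementTree as ET
from typing import List, Optional

# OOXML namespaces and the relationship type Word uses for attached templates.
PKG_REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
ATTACHED_TEMPLATE_TYPE = OFFICE_REL_NS + "/attachedTemplate"
SETTINGS_RELS_PART = "word/_rels/settings.xml.rels"


def find_remote_templates(docx_bytes: bytes) -> List[str]:
    """Return the Target of every external attachedTemplate relationship.

    word/settings.xml carries <w:attachedTemplate r:id="rIdN"/>; Word resolves
    that id through word/_rels/settings.xml.rels. When the relationship has
    TargetMode="External", Word fetches the template (and any macro it
    carries) from the Target URL as soon as the document is opened.
    """
    hits: List[str] = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        if SETTINGS_RELS_PART not in zf.namelist():
            return hits
        root = ET.fromstring(zf.read(SETTINGS_RELS_PART))
    for rel in root.iter("{%s}Relationship" % PKG_REL_NS):
        if rel.get("Type") != ATTACHED_TEMPLATE_TYPE:
            continue
        # A local Normal.dotm reference has no TargetMode (defaults to Internal)
        # and is not a remote fetch, so only External targets are reported.
        if rel.get("TargetMode", "Internal") != "External":
            continue
        hits.append(rel.get("Target", ""))
    return hits


def build_sample_docx(template_target: Optional[str], external: bool) -> bytes:
    """Construct a minimal .docx in memory for exercising the scanner.

    Constructed input only: the target passed in is a placeholder chosen by
    the caller, not an indicator from any real campaign.
    """
    rels = ""
    if template_target is not None:
        mode = ' TargetMode="External"' if external else ""
        rels = ('<Relationship Id="rId1" Type="%s" Target="%s"%s/>'
                % (ATTACHED_TEMPLATE_TYPE, template_target, mode))
    settings_rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<Relationships xmlns="%s">%s</Relationships>' % (PKG_REL_NS, rels)
    )
    settings = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<w:settings xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" '
        'xmlns:r="%s">%s</w:settings>'
        % (OFFICE_REL_NS, '<w:attachedTemplate r:id="rId1"/>' if template_target else "")
    )
    document = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
        '<w:body><w:p><w:r><w:t>lure text</w:t></w:r></w:p></w:body></w:document>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("word/document.xml", document)
        zf.writestr("word/settings.xml", settings)
        zf.writestr(SETTINGS_RELS_PART, settings_rels)
    return buf.getvalue()


if __name__ == "__main__":
    # Scan files given on the command line; with no arguments, run the
    # constructed samples so the script demonstrates itself offline.
    paths = sys.argv[1:]
    if paths:
        for path in paths:
            with open(path, "rb") as fh:
                hits = find_remote_templates(fh.read())
            print(path, "->", hits if hits else "no remote template")
    else:
        # 203.0.113.0/24 is reserved for documentation (RFC 5737); placeholder only.
        evil = build_sample_docx("http://203.0.113.10/template.dotm", external=True)
        benign = build_sample_docx("Normal.dotm", external=False)
        print("remote template :", find_remote_templates(evil))
        print("local template  :", find_remote_templates(benign))
```

Run it against a suspect attachment with `python scan_template.py lure.docx`; a non-empty result is the URL Word would contact on open, which is the value to block and to hunt for in proxy logs. A template reference with no TargetMode is a normal local .dotm and is deliberately not flagged.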

Affected Platforms:

  • Microsoft Windows – All versions

Indicators of Compromise

Delivery Hashes


Remote Template Hashes


Remote Templates


Zebrocy Hashes


Zebrocy C2 URLs



Cannon Hashes


Cannon Email Accounts

Duncan Newell

Duncan is a technology professional with over 20 years' experience of working in various IT roles. He has an interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.
