Cannon is a newly observed dropper trojan, believed to have been created by the APT28 advanced persistent threat group.
As with most Fancy Bear affiliated malware, Cannon is distributed via spear-phishing campaigns with an attached Microsoft Word document. Once opened, the Word document will immediately attempt to retrieve a remote template containing a malicious macro. When the document is closed, the macro will install Cannon.
Cannon uses a complex system of email accounts to communicate with its command and control server, which helps it evade network-based detection. Once installed on a device, Cannon gathers system information and screenshots. If the infected system is of interest to the attacker, they will use Cannon to deliver other malware in a targeted attack.
The Cannon Trojan is written in C# and functions primarily as a downloader that relies on emails to communicate between the Trojan and the C2 server. To communicate with the C2 server, the Trojan will send emails to specific email addresses via SMTPS over TCP port 587.
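Because Cannon talks to its operators by submitting mail over TCP port 587 rather than over HTTP, one useful detection is to look for workstations that open mail-submission connections directly, rather than through the organisation's mail relay. The script below is an added example (not from the original report or any vendor tooling) that runs that check over a few constructed firewall-style log lines; the `src=`/`dst=`/`dport=` field layout, the relay allowlist and the addresses are all assumptions for illustration.

```python
import re
from collections import defaultdict
from typing import Dict, List, Set

# Constructed firewall/NetFlow-style log lines for illustration (not real data).
SAMPLE_LOGS = [
    "2024-05-01T09:00:01Z src=10.10.1.23 dst=203.0.113.8 proto=tcp dport=587 action=allow",
    "2024-05-01T09:00:03Z src=10.10.1.23 dst=203.0.113.8 proto=tcp dport=587 action=allow",
    "2024-05-01T09:01:10Z src=10.10.0.5 dst=198.51.100.20 proto=tcp dport=587 action=allow",
    "2024-05-01T09:02:00Z src=10.10.1.40 dst=203.0.113.44 proto=tcp dport=443 action=allow",
    "2024-05-01T09:03:15Z src=10.10.1.23 dst=203.0.113.8 proto=tcp dport=465 action=allow",
]

# Hosts that are expected to submit mail directly (e.g. the internal relay).
# This allowlist is an assumption; populate it from your own environment.
MAIL_RELAYS: Set[str] = {"10.10.0.5"}

# Mail submission ports: 587 (as used by Cannon) and 465 (implicit TLS).
SUBMISSION_PORTS = {"587", "465"}

LINE_RE = re.compile(
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\S+) dport=(?P<dport>\d+)"
)


def find_direct_mail_submission(
    lines: List[str], relays: Set[str] = MAIL_RELAYS
) -> Dict[str, List[str]]:
    """Return {source_host: [dst:port, ...]} for every non-relay host that
    opened a TCP connection to a mail submission port. Each destination is
    listed once per source so the output stays readable on noisy logs."""
    findings: Dict[str, List[str]] = defaultdict(list)
    for line in lines:
        m = LINE_RE.search(line)
        if not m or m["proto"] != "tcp" or m["dport"] not in SUBMISSION_PORTS:
            continue
        if m["src"] in relays:
            continue  # the relay is supposed to submit mail; skip it
        dest = f'{m["dst"]}:{m["dport"]}'
        if dest not in findings[m["src"]]:
            findings[m["src"]].append(dest)
    return dict(findings)


if __name__ == "__main__":
    for host, dests in find_direct_mail_submission(SAMPLE_LOGS).items():
        print(f"{host} submitted mail directly to: {', '.join(dests)}")
```

In the constructed sample, the relay at 10.10.0.5 is ignored and the HTTPS connection from 10.10.1.40 is not a mail port, so only 10.10.1.23 is reported. On real data, tune the allowlist to your mail infrastructure before treating a hit as suspicious.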
Once the user attempts to open the malicious document, Microsoft Word immediately attempts to load the remote template containing a malicious macro and payload from the location specified within the settings.xml.rels file of the DOCX document.
- Microsoft Windows – All versions
Indicators of Compromise
Remote Template Hashes
Zebrocy C2 URLs
Cannon Email Accounts