APT29, the well-known hacking group, seems to be back with slightly different tactical and technical procedures in its latest cyber operation. In the late evening of 15/11, some malicious documents likely attributable to the group in question were submitted to a major online malware analysis platform (VirusTotal; credit to @DrunkBinary for the first discovery). The analyzed decoy document retrieved by me is clearly a DoS (Department of State) PDF form that is shown to the victims while, in the background, the infection process is performed. A raw threat intelligence and malware analysis document has been created to follow the analysis steps.
This document is available at the following links, with technical details about the first-stage dropper, as of 16/11/2018 11:00 CET.
To the best of my knowledge, this has been the first public analysis document about this malicious campaign.