DealersChoice

Malware updated 5 months ago (2024-05-04T19:18:37.242Z)
DealersChoice is malware used by the Sofacy threat group, initially delivered as an attachment to a spearphishing email. It was first observed in late 2016, often targeting military, military-technology and manufacturing related entities, with a particular focus on NATO. DealersChoice operates as a hybrid client/server exploit kit: it requires multiple interactions with an active command-and-control (C2) server to successfully exploit the end system. It typically exploits Flash vulnerabilities, and the payload of choice for earlier variants was SofacyCarberp (Seduploader), although there is no evidence that this tool was used in every attack.

The delivery mechanism has evolved over time. Unlike earlier samples, later versions of DealersChoice used a DOCX delivery document that required the user to scroll through the document to trigger the malicious Flash object. The Flash object embedded in the delivery document is a variant of the exploit tool known as DealersChoice. In one observed attack, the DealersChoice loader SWF was located after the "covert-shores-small.png" image file within the delivery document.

On March 12 and March 14, the Sofacy group carried out an attack on a European government agency using an updated variant of DealersChoice. This variant used a similar process to obtain a malicious Flash object from a C2 server, but the inner mechanics of the Flash object differed significantly from the original samples analyzed. These changes suggest that the Sofacy actors continually adapt and modify their tools to increase effectiveness and evade detection.
Description last updated: 2024-05-04T19:16:01.940Z
Aliases: We are not currently tracking any aliases.
Source Document References
Information about the DealersChoice malware was read from the documents corpus below.