DealersChoice

Malware Profile Updated 25 days ago
DealersChoice is malware used by the Sofacy threat group, initially delivered as an attachment to a spearphishing email. It was first used in late 2016, often against military, military-technology and manufacturing related entities, with a particular focus on NATO.

DealersChoice operates as a hybrid client/server exploit kit: it requires multiple interactions with an active command-and-control (C2) server to successfully exploit an end system. Its campaigns typically exploit Flash vulnerabilities. The payload of choice for previous variants was SofacyCarberp (Seduploader), although there is no evidence that this tool was used in all attacks.

The delivery mechanism has evolved over time. Unlike earlier samples, later versions of DealersChoice used a DOCX delivery document that required the user to scroll through the document to trigger the malicious Flash object. The Flash object embedded within the delivery document is a variant of the DealersChoice exploit tool. In one observed attack, the DealersChoice loader SWF was located after the "covert-shores-small.png" image file within the delivery document.

Notably, on March 12 and March 14, the Sofacy group carried out an attack on a European government agency using an updated variant of DealersChoice. This variant used a similar process to obtain a malicious Flash object from a C2 server, but the inner mechanics of the Flash object differed significantly from the original samples analyzed. These changes suggest that the Sofacy actors continually adapt and modify their tools to increase effectiveness and evade detection.
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so listed here are some possibly overlapping names and profiles that may also be worth reviewing.
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Associated Malware
No associations to display
Associated Threat Actors
No associations to display
Associated Vulnerabilities
No associations to display
Source Document References
Information about the DealersChoice malware was read from the document corpus below (this display is limited to 20 results).
MITRE (a year ago): Sofacy Uses DealersChoice to Target European Government Agency
MITRE (a year ago): IRON TWILIGHT Supports Active Measures
MITRE (a year ago): A Slice of 2017 Sofacy Activity
MITRE (a year ago): Sofacy Group’s Parallel Attacks
MITRE (a year ago): Sofacy Attacks Multiple Government Entities