DealersChoice

Malware Profile Updated 3 months ago
DealersChoice is malware used by the Sofacy threat group, initially delivered as an attachment to a spearphishing email. It was first observed in late 2016 and has typically been used against military, military-technology and manufacturing related entities, with a particular focus on NATO.

DealersChoice operates as a hybrid client/server exploit kit: it requires multiple interactions with an active command-and-control (C2) server before it can successfully exploit the end system. It typically exploits Flash vulnerabilities, and the payload of choice for earlier variants was SofacyCarberp (Seduploader), although there is no evidence that this payload was used in every attack.

The delivery mechanism has evolved over time. Unlike earlier samples, later versions of DealersChoice used a DOCX delivery document that required the user to scroll through the document before the malicious Flash object was triggered. The Flash object embedded in the delivery document is a variant of the DealersChoice exploit tool. In one observed attack, the DealersChoice loader SWF was located after the "covert-shores-small.png" image file within the delivery document.

On March 12 and March 14, the Sofacy group attacked a European government agency using an updated variant of DealersChoice. This variant used a similar process to obtain a malicious Flash object from a C2 server, but the inner mechanics of the Flash object differed significantly from the original samples analyzed. These changes indicate that the Sofacy actors continually adapt and modify their tools to increase effectiveness and evade detection.
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so here are some possibly overlapping names / profiles that may also be worth looking at.
ID | Votes | Profile Description
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Exploit
Payload
Spearphishing
Loader
Exploit Kit
Malware
exploitation
Associated Malware
ID | Type | Votes | Profile Description
Seduploader | Unspecified | 1 | Seduploader is a type of malware, a harmful program designed to exploit and damage computer systems. This malware can infiltrate systems through various channels such as suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside a system, it can steal personal information,
Associated Threat Actors
ID | Type | Votes | Profile Description
Sofacy | Unspecified | 1 | Sofacy is a threat actor group that has been observed using multiple languages to create variants of the Zebrocy Trojan and Cannon. In one campaign, they relied heavily on filenames to lure victims into launching weaponized documents. The group packed only Delphi variants in an attempt to increase e
APT28 | Unspecified | 1 | APT28, also known as Fancy Bear, is a threat actor linked to Russia and has been involved in numerous cyber espionage campaigns. The group is notorious for its sophisticated tactics, techniques, and procedures (TTPs). Recently, NATO and the EU formally condemned APT28's activities, acknowledging the
Sofacy Group | Unspecified | 1 | The Sofacy Group, also known as APT28, Fancy Bear, Pawn Storm, Sednit, BlueDelta, and STRONTIUM, is a significant threat actor in the global cybersecurity landscape. Active since at least 2007, this group has targeted governments, militaries, and security organizations worldwide. The group's activit
Associated Vulnerabilities
ID | Type | Votes | Profile Description
No associations to display
Source Document References
Information about the DealersChoice malware was read from the documents corpus below. This display is limited to 20 results.
Source | Created At | Title
MITRE | a year ago | Sofacy Uses DealersChoice to Target European Government Agency
MITRE | a year ago | IRON TWILIGHT Supports Active Measures
MITRE | a year ago | Sofacy Group's Parallel Attacks
MITRE | a year ago | A Slice of 2017 Sofacy Activity
MITRE | a year ago | Sofacy Attacks Multiple Government Entities