RU Attack NATO & EU With Something New

The Polish government warns that a cyberespionage group linked to Russia's intelligence services targets diplomatic and foreign ministries from NATO and EU member states in an ongoing campaign that uses previously undocumented malware payloads.  The group, known in the security industry as APT29, Cozy Bear, and NOBELIUM, is believed to be part of Russia's Foreign Intelligence Service (SVR) and is the group behind the 2020 supply chain attack against software company SolarWinds that led to the compromise of thousands of organizations worldwide.[1]

See:  https://redskyalliance.org/redshorts2020/4-global-internet-disruptors-russian-gru-hackers-indicted

In the new attack campaign, discovered and investigated by Poland's Military Counterintelligence Service and CERT Polska (CERT.PL), the APT29 hackers targeted selected personnel at diplomatic posts with spear phishing emails that masqueraded as messages from the embassies of European countries inviting them to meetings or to collaborate on documents.  The emails had PDF attachments that contained links to supposedly external calendars, meeting details, or work files.  The links led to web pages that used JavaScript code to decode a payload and offer it for download.  This script, which uses an HTML Smuggling technique, served .ISO, .ZIP or .IMG files.

APT29 has used .ISO files for malware distribution before, but the use of .IMG (disk image) files is a new technique.  ISO and IMG files are automatically mounted as a virtual disk when opened in Windows, and the user can access the files within.  In this case, the files were Windows shortcuts (LNK) that launched a legitimate executable, which in turn loaded a malicious DLL.

This technique is known as DLL side-loading.  The attackers deliver an executable file belonging to a legitimate application that is known to load a DLL library with a particular name from its own directory, and they only have to place a malicious DLL with that name next to it.  Because a legitimate, often signed, file is the one loading the malicious code into memory, attackers hope to evade security tools that have that file whitelisted.
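The pattern described above (a legitimate, signed executable next to a DLL it will load) is something an analyst can look for when triaging the contents of a suspicious ISO or IMG image.  The following PowerShell is an added example written for this page, not code from the advisory or the article: it resolves the targets of any LNK shortcuts in the directory and flags every signed EXE that sits beside a DLL not signed by the same publisher.  It assumes PowerShell 5.1 or later on Windows and that `$Path` points at a copy of the image contents taken in an isolated analysis environment.

```powershell
# Added triage example (not from the advisory): surface DLL side-loading candidates in a
# directory extracted from a suspicious disk image. Run only on a copy in an isolated lab.
function Find-SideLoadCandidates {
    param([Parameter(Mandatory)][string]$Path)

    # 1. What do the shortcuts launch? The LNK files in this campaign start a legitimate EXE.
    $shell = New-Object -ComObject WScript.Shell
    Get-ChildItem -Path $Path -Recurse -File -Filter *.lnk | ForEach-Object {
        $lnk = $shell.CreateShortcut($_.FullName)
        [pscustomobject]@{
            Kind       = 'Shortcut'
            File       = $_.FullName
            Target     = $lnk.TargetPath
            Arguments  = $lnk.Arguments
            WorkingDir = $lnk.WorkingDirectory
        }
    }

    # 2. For every signed EXE, list DLLs in the same directory whose signature does not
    #    come from the EXE's own signing certificate (unsigned, or signed by someone else).
    Get-ChildItem -Path $Path -Recurse -File -Filter *.exe | ForEach-Object {
        $exe    = $_
        $exeSig = Get-AuthenticodeSignature -FilePath $exe.FullName
        if ($exeSig.Status -ne 'Valid') { return }   # only signed EXEs give the attacker cover

        Get-ChildItem -Path $exe.DirectoryName -File -Filter *.dll | ForEach-Object {
            $dllSig = Get-AuthenticodeSignature -FilePath $_.FullName
            $sameSigner = ($dllSig.Status -eq 'Valid') -and
                          ($dllSig.SignerCertificate.Thumbprint -eq $exeSig.SignerCertificate.Thumbprint)
            if (-not $sameSigner) {
                [pscustomobject]@{
                    Kind       = 'SideLoadCandidate'
                    File       = $_.FullName
                    Target     = $exe.FullName
                    Arguments  = "EXE signer: $($exeSig.SignerCertificate.Subject)"
                    WorkingDir = "DLL status: $($dllSig.Status)"
                }
            }
        }
    }
}

# Usage (path is a placeholder for your own extracted image contents):
Find-SideLoadCandidates -Path 'D:\analysis\image_contents' | Format-Table -AutoSize
```

Treat the output as a hunting lead rather than a verdict: legitimate software often ships unsigned helper DLLs, so a hit only tells you which pair deserves a closer look (imports of the EXE, export names of the DLL, and whether the DLL's name matches one the EXE loads from its directory).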

See:  https://redskyalliance.org/xindustry/07734-qbot-the-calculator-episode

The first payload of the attack is a custom malware dropper that the Polish researchers dubbed SNOWYAMBER.  This lightweight program collects basic computer information and contacts a command-and-control server hosted on Notion.so, an online workspace collaboration service.  The goal of this dropper is to download and execute additional malware, and the researchers have seen the APT29 attackers use it to deploy Cobalt Strike and Brute Ratel beacons.  Both are commercial post-exploitation frameworks intended for penetration testers but have also been adopted by attackers.

A variant of SNOWYAMBER was detected and reported publicly by Recorded Future in October 2022, but Polish researchers found a new variant with additional anti-detection routines in February 2023.  SNOWYAMBER is not the only malware dropper used by APT29.  In February 2023, the group was seen using another payload, dubbed HALFRIG, that was also used to deploy Cobalt Strike.  Instead of downloading the beacon from a command-and-control server, HALFRIG decrypts it from shellcode.  In March 2023, the hackers were seen using another tool named QUARTERRIG that shares part of its codebase with HALFRIG.

Using multiple droppers in a relatively short time frame suggests that the attackers are quickly adapting, replacing tools that have been identified by the security community and no longer deliver the same success rate.

"At the time of publication of the report, the campaign is still ongoing and in development," the Polish government said in its advisory.  "The aim of publishing the advisory is to disrupt the ongoing espionage campaign, impose an additional cost of operations against allied nations, and enable the detection, analysis, and tracking of the activity by affected parties and the wider cyber security industry."

The list of targets of interest for APT29 includes government and diplomatic entities (foreign ministries, embassies, diplomatic staff, and those working in international locations), international organizations, and non-governmental organizations.  While the attacks focused mainly on EU and NATO entities, some targets were also observed in Africa.

The Polish Military Counterintelligence Service and CERT.PL recommend that organizations that think they might be a target implement the following defensive measures:

  • Block the ability to mount disk images on the file system as most users do not need this functionality.
  • Monitor the mounting of disk image files by users with administrator roles.
  • Enable and configure attack surface reduction rules.
  • Configure software restriction policy.
  • Block the possibility of starting executable files from unusual locations (in particular temporary directories, %localappdata% and its subdirectories, and external media).
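The first three recommendations can be applied on a Windows endpoint from PowerShell.  The script below is an added example written for this page, not tooling from the advisory or from CERT.PL: it removes the Explorer "Mount" verb for disk images, lists recent image mounts from the VHD miniport driver's event log, and turns on a set of Microsoft Defender attack surface reduction (ASR) rules, starting in audit mode so the impact can be measured before blocking.  It assumes an elevated PowerShell 5.1+ session on Windows 10/11 with Microsoft Defender Antivirus; the registry keys, log name and rule GUIDs are the documented ones at the time of writing, but verify them against current Microsoft documentation for your build and test in a lab first.  Software restriction policies and AppLocker path rules (the last two bullets) are managed through Group Policy and are not shown.

```powershell
# Added example (not from the advisory): block shell mounting of disk images, review mounts,
# and enable ASR rules. Run elevated; verify keys and rule IDs for your Windows build.

# 1. Remove the Explorer 'Mount' verb. An empty 'ProgrammaticAccessOnly' value on the verb
#    hides it from the shell, so double-clicking an .iso/.img/.vhd file no longer mounts it.
#    Mount-DiskImage still works for administrators who need it.
function Disable-ShellImageMount {
    # .iso and .img map to the Windows.IsoFile ProgID, .vhd/.vhdx to Windows.VhdFile
    # (assumption for this example; confirm with: cmd /c assoc .img)
    foreach ($progId in 'Windows.IsoFile', 'Windows.VhdFile') {
        $verbKey = "Registry::HKEY_CLASSES_ROOT\$progId\shell\mount"
        if (Test-Path $verbKey) {
            New-ItemProperty -Path $verbKey -Name 'ProgrammaticAccessOnly' -Value '' `
                -PropertyType String -Force | Out-Null
            Write-Host "Shell mount verb disabled for $progId"
        }
    }
}

# 2. Review recent disk-image mounts from the VHD miniport driver's operational log.
#    (Channel name assumed from the driver's documented log; confirm with Get-WinEvent -ListLog *VHDMP*)
function Get-RecentImageMounts {
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-VHDMP-Operational'
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
      Where-Object { $_.Message -match '\.(iso|img|vhdx?)\b' } |
      Select-Object TimeCreated, Id, UserId, Message
}

# 3. Defender ASR rules relevant to mail-delivered executables and image/removable-media payloads.
$AsrRules = @{
    'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550' = 'Block executable content from email client and webmail'
    '01443614-CD74-433A-B99E-2ECDC07BFC25' = 'Block executables unless they meet prevalence, age or trusted-list criteria'
    'B2B3F03D-6A65-4F7B-A9C7-1C7EF74A9BA4' = 'Block untrusted and unsigned processes that run from USB'
    '3B576869-A4EC-4529-8536-B80A7769E899' = 'Block Office applications from creating executable content'
}
$AsrActionNames = @{ 0 = 'Disabled'; 1 = 'Enabled'; 2 = 'AuditMode'; 6 = 'Warn' }

function Enable-RecommendedAsrRules {
    param([switch]$AuditOnly)   # audit first, then switch to Enabled once false positives are known
    $action = if ($AuditOnly) { 'AuditMode' } else { 'Enabled' }
    foreach ($id in $AsrRules.Keys) {
        Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions $action
        Write-Host ("{0,-9} {1}" -f $action, $AsrRules[$id])
    }
}

# Read the effective state back from Defender instead of assuming the change took effect.
function Get-RecommendedAsrRuleStatus {
    $pref  = Get-MpPreference
    $state = @{}
    for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
        $code = [int]$pref.AttackSurfaceReductionRules_Actions[$i]
        $state[$pref.AttackSurfaceReductionRules_Ids[$i].ToUpper()] = $AsrActionNames[$code]
    }
    foreach ($id in $AsrRules.Keys) {
        [pscustomobject]@{
            Rule   = $AsrRules[$id]
            Action = if ($state.ContainsKey($id)) { $state[$id] } else { 'NotConfigured' }
        }
    }
}

Disable-ShellImageMount
Enable-RecommendedAsrRules -AuditOnly
Get-RecommendedAsrRuleStatus | Format-Table -AutoSize
Get-RecentImageMounts       | Format-Table -AutoSize
```

Forward the ASR audit events (Microsoft-Windows-Windows Defender/Operational) and the mount events to your SIEM for the audit period; once the rules show no legitimate business hits, rerun `Enable-RecommendedAsrRules` without `-AuditOnly`.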

The Polish government's advisory also includes indicators of compromise that can be used to build detection for the known malware samples.


Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization.  For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225, or feedback@wapacklabs.com

Weekly Cyber Intelligence Briefings:

  • Reporting:     https://www.redskyalliance.org/
  • Website:       https://www.wapacklabs.com
  • LinkedIn:      https://www.linkedin.com/company/64265941

REDSHORTS - Weekly Cyber Intelligence Briefings

https://attendee.gotowebinar.com/register/5504229295967742989


[1] https://www.csoonline.com/article/3693252/russian-cyberspies-hit-nato-and-eu-organizations-with-new-malware-toolset.html#
