Security researchers at Mandiant have released a report detailing a recent phishing campaign carried out by APT29 (aka Cozy Bear, Nobelium) against diplomatic and government entities.
APT29 is a Russian cyber espionage group believed to be associated with the Foreign Intelligence Service (SVR), which has been active since at least 2008. The threat actor primarily targets Western governments and related organizations, such as government ministries and agencies, political think tanks, and governmental subcontractors.
In the recent phishing campaign the hackers were observed using two new malware families - BEATDROP and BOOMMIC downloaders, as well as abusing Atlassian Trello, and other legitimate cloud service platforms, for command and control (C2) communication.
To gain access to a victim environment, APT29 sent spearphishing emails disguised as embassy administrative updates. The phishing messages used legitimate but compromised email addresses from other diplomatic entities and leveraged a malicious HTML dropper tracked as ROOTSAW, that uses HTML smuggling to drop an IMG or ISO file on a victim system.
“When opened, the ROOTSAW HTML dropper will write an IMG or ISO file to disk. On Windows 10 or later, the image file is mounted when double-clicked and the user is presented with the image file as the folder contents in Windows Explorer. The image file contains two additional files, a Windows shortcut (LNK) file and a malicious DLL. If the user clicks the LNK file, the “Target” command will execute as normal. This mechanism lures the victim into opening the LNK file and thus inadvertently launches the malicious DLL,” the report reads.
In a separate phishing campaign APT29 has been observed using a malicious document to deliver an HTA dropper and ultimately the BEATDROP malware on a target system. BEATDROP is a downloader written in C that makes use of Trello for C2.
APT29 has also been observed using the BOOMMIC (aka VaporRage) shellcode downloader to further establish a foothold within the environment.
The primary function of BOOMMIC is to download and load shellcode payloads into memory on a target. Once executed, BOOMMIC first checks if it is running under the process jucheck.exe, if it is not the program will exit.
“Mandiant anticipates sustained waves of phishing activity by APT29 that employ novel tools and infrastructure to hinder detection. While these campaigns are likely to be directed against diplomatic missions and foreign policy information as part of the group’s mandate to support Russian strategic interests, the invasion of Ukraine and heightened tensions between the West, Europe, and Russia are likely to influence the intensity and urgency of collection operations,” the cybersecurity firm concluded.
Cybersecurity Help statement on the critical situation in Ukraine
On February 24, people in many cities and towns across Ukraine woke up to the sounds of explosions and artillery fire, as the Russian Federation launched a full-scale invasion of the country. Such actions are unacceptable, political ambitions of any man aren’t worth of blood, tears, and destruction of millions of lives. We give our full support to the Ukrainian people in these hard times. No more war! Слава Україні!