16 March 2023

Russian cyber spies target govt agencies in EU that assist Ukraine

The Russia-linked threat actor Nobelium has been observed targeting diplomatic entities and government agencies in European Union countries that are aiding Ukrainian citizens and providing help to the country’s government.

Nobelium (aka APT29, Cozy Bear, The Dukes, StellarParticle, UNC2452, and Dark Halo) is a military hacking unit linked to the Russian government. Nobelium is believed to be the group behind the massive SolarWinds supply-chain attack that led to the compromise of several US federal agencies.

The threat actor has historically targeted government organizations, non-governmental organizations, think tanks, military, IT service providers, health technology and research, and telecommunications providers. The group’s arsenal includes a variety of tactics to conduct credential theft, as well as sophisticated malware and tools, such as SUNBURST backdoor, TEARDROP, GoldMax, GoldFinder, and Sibot malware.

The recent Nobelium campaign, spotted by BlackBerry researchers in March 2023, involved phishing emails purportedly sent by the European Commission and Poland’s Ministry of Foreign Affairs. The malicious emails contained a weaponized document with a link leading to the download of an HTML file. The weaponized URLs were hosted on a legitimate online library website based in El Salvador, which the threat actor is believed to have compromised between the end of January and the beginning of February.

The threat actor has been observed using multiple legitimate systems, including LegisWrite and eTrustEx, which the EU nations use for information exchange and secure data transfer.

“Using a compromised legitimate server to host the packed malware payload increases the chances of a successful installation on the victims’ machines,” BlackBerry noted.

An analysis of the malicious HTML file revealed that it was a version of Nobelium’s malicious dropper known as ROOTSAW/EnvyScout. It uses a technique known as HTML smuggling to deliver an IMG or ISO file to the victim’s system. The HTML file drops two “.iso” files on the system, each of which contains two files.

One of the files is BugSplatRc64.dll, which is designed to collect and exfiltrate information about the infected system. This information is used to create a unique identifier for the victim, which the DLL then sends to its command-and-control (C2) server, hosted on Notion. Every minute, BugSplatRc64.dll connects to the Notion server and waits for the next payload. When a payload is received, it is executed as shellcode in the memory of the DLL’s process.
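The once-a-minute check-in to the Notion-hosted C2 described above is a timer-driven pattern a defender can hunt for in proxy logs, independent of the destination being a legitimate SaaS domain. The following Python script is an added example, not code from BlackBerry’s report or from this article; the log lines, the field layout, the 5-second jitter threshold and the 5-event minimum are all constructed assumptions for illustration.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed proxy log lines (not real telemetry): host 10.0.0.15 checks in
# to the Notion API every ~60 s, while host 10.0.0.22 browses Notion by hand.
SAMPLE_PROXY_LOG = """\
2023-03-10T09:00:01Z 10.0.0.15 api.notion.com POST 200
2023-03-10T09:00:05Z 10.0.0.22 www.notion.so GET 200
2023-03-10T09:01:01Z 10.0.0.15 api.notion.com POST 200
2023-03-10T09:02:02Z 10.0.0.15 api.notion.com POST 200
2023-03-10T09:02:40Z 10.0.0.22 www.notion.so GET 200
2023-03-10T09:03:01Z 10.0.0.15 api.notion.com POST 200
2023-03-10T09:04:01Z 10.0.0.15 api.notion.com POST 200
2023-03-10T09:05:02Z 10.0.0.15 api.notion.com POST 200
2023-03-10T09:07:15Z 10.0.0.22 www.notion.so GET 200
2023-03-10T09:20:00Z 10.0.0.22 api.notion.com GET 200
"""

# Assumed line layout: <ISO-8601 timestamp> <source IP> <destination host> <method> <status>
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def parse_log(text):
    """Yield (timestamp, source_ip, destination_host) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the hunt
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        yield ts, m.group(2), m.group(3)


def find_beacons(text, min_events=5, max_jitter=5.0):
    """Return {(src, dst): median_gap_seconds} for source/destination pairs whose
    inter-arrival times are nearly constant (std dev <= max_jitter seconds).
    A fixed-interval series is the signature of a scheduled check-in; human
    browsing sessions produce irregular gaps and are left alone."""
    times = defaultdict(list)
    for ts, src, dst in parse_log(text):
        times[(src, dst)].append(ts)
    beacons = {}
    for pair, stamps in times.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if statistics.pstdev(gaps) <= max_jitter:
            beacons[pair] = statistics.median(gaps)
    return beacons
```

On the sample data only the 10.0.0.15 to api.notion.com pair is reported, with a median interval of 60 seconds; the interactive session from 10.0.0.22 has too few events and too much variance to match.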

“Nobelium actively collects intelligence information about the countries supporting Ukraine in the Russian-Ukraine war. The overlap between Poland’s Ambassador’s visit to the United States with the lure used in the attacks provides evidence that the threat actors carefully follow geopolitical events and use them to increase their possibility of a successful infection,” BlackBerry notes.
