Russian hackers exploit Israel-Hamas conflict to deploy Headlace malware


The Russian government-backed threat actor known as APT28 has been observed using lures related to the Israel-Hamas conflict to deliver a custom backdoor named ‘Headlace,’ according to a recent report from the IBM X-Force threat research team.

The latest APT28 campaign (the adversary is also known in the cybersecurity community as UAC-0028, Fancy Bear, Forest Blizzard (formerly Strontium), Sednit, Sofacy, TA422 and ITG05) is directed against targets based in at least 13 nations worldwide, including Hungary, Türkiye, Australia, Poland, Belgium, Ukraine, Germany, Azerbaijan, Saudi Arabia, Kazakhstan, Italy, Latvia and Romania.

The campaign involves phishing emails using lures associated with the United Nations, the Bank of Israel, the United States Congressional Research Service, the European Parliament, a Ukrainian think tank and an Azerbaijan-Belarus Intergovernmental Commission. These decoys are aimed at entities with direct influence on the allocation of humanitarian aid, primarily those based in Europe, the researchers said.

Some of the observed lure documents contained a .RAR archive exploiting the CVE-2023-38831 file-extension spoofing vulnerability, while others used DLL hijacking to run the Headlace backdoor.

Headlace is multi-component malware comprising a dropper, a VBS launcher and a backdoor that uses MSEdge in headless mode to continuously download secondary payloads, likely in order to exfiltrate credentials and sensitive information.
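As an added illustration, not taken from the IBM X-Force report, the following detection sketch flags process-creation events in which a Windows script host spawns msedge.exe with a headless switch, the pattern the article attributes to the VBS launcher. The `Key=Value;` record format and the sample lines are constructed; the script-host parent list and the Chromium `--headless` switch are assumptions about how the launcher invokes Edge.

```python
"""Flag process-creation events where a Windows script host launches Edge headless."""
import re
from dataclasses import dataclass

# Parent processes treated as script hosts (assumption: a VBS launcher runs under
# wscript/cscript; cmd and powershell are included as common intermediate stagers).
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "cmd.exe", "powershell.exe"}
# Chromium-based Edge accepts --headless and --headless=new (assumed invocation form).
HEADLESS_SWITCH = re.compile(r"(?i)(?<!\S)--headless(?:=\w+)?(?!\S)")


@dataclass
class Event:
    parent_image: str
    image: str
    command_line: str


def parse_event(line: str) -> Event:
    """Parse one constructed 'Key=Value;Key=Value' process-creation record."""
    fields = dict(part.split("=", 1) for part in line.strip().split(";"))
    return Event(fields["ParentImage"], fields["Image"], fields["CommandLine"])


def basename(path: str) -> str:
    """Return the file name from a Windows path, lower-cased for comparison."""
    return path.rsplit("\\", 1)[-1].lower()


def is_suspicious(ev: Event) -> bool:
    """True when msedge.exe runs with a headless switch under a script-host parent."""
    return (
        basename(ev.image) == "msedge.exe"
        and basename(ev.parent_image) in SCRIPT_HOSTS
        and HEADLESS_SWITCH.search(ev.command_line) is not None
    )


def find_suspicious(lines):
    """Return the parsed events from `lines` that match the detection."""
    events = (parse_event(line) for line in lines if line.strip())
    return [ev for ev in events if is_suspicious(ev)]


# Constructed sample telemetry: two hits (wscript and cmd parents), two benign records.
SAMPLE_LOG = [
    r"ParentImage=C:\Windows\System32\wscript.exe;Image=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe;CommandLine=msedge.exe --headless --disable-gpu https://update.example.invalid/payload",
    r"ParentImage=C:\Windows\explorer.exe;Image=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe;CommandLine=msedge.exe --profile-directory=Default",
    r"ParentImage=C:\Windows\System32\cmd.exe;Image=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe;CommandLine=msedge.exe --headless=new --dump-dom https://update.example.invalid/next",
    r"ParentImage=C:\Windows\System32\wscript.exe;Image=C:\Windows\System32\notepad.exe;CommandLine=notepad.exe",
]
```

Running `find_suspicious(SAMPLE_LOG)` returns the first and third records; interactive Edge launched from Explorer and a script host that spawns something other than Edge are left alone.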

IBM X-Force said it observed three execution chains used by the threat actor to deploy Headlace: two involve the exploitation of CVE-2023-38831 together with DLL hijacking, while the third is direct execution via a fake Windows update script.

“X-Force assesses with high confidence that ITG05 will continue to leverage attacks against diplomatic and academic centers to provide the adversary with advanced insight into emergent policy decisions,” the team concluded.

Earlier this month, APT28 was observed exploiting a critical Net-NTLMv2 hash leak vulnerability (CVE-2023-23397) in Microsoft Outlook to hijack email accounts on MS Exchange servers, as well as to target multiple European NATO member countries, including a NATO Rapid Deployable Corps.

