A recent phishing attempt by Russian hackers identified as APT29 (Cozy Bear or Nobelium) targeted diplomats and government agencies, according to security specialists.
APT29 is a state-sponsored cyber-espionage group that has been active since at least 2014. The breadth of its targeting is shaped by Russia’s current geopolitical and strategic interests.
APT29 is using several phishing tactics to target diplomats and various government bodies, according to threat analysts at Mandiant.
The emails appear to come from official addresses belonging to embassies and purport to contain important policy updates.
Another noteworthy component of this campaign is the use of Atlassian Trello and other legitimate cloud services for command and control (C2) communication.
Details on the phishing campaign
The spear-phishing campaign began in January 2022 and ran until March 2022 in several waves, each with a different theme and multiple sender addresses.
Because the phishing emails all came from legitimate, compromised diplomatic email addresses, recipients were more inclined to trust content delivered in this manner.
The compromised addresses were provided as contact points on embassy websites, according to Mandiant.
The emails used HTML smuggling to deliver an IMG or ISO file to the recipient, a technique APT29 has used with considerable success in the past, notably in the SolarWinds attacks.
When the Windows shortcut file (LNK) inside the ISO archive was clicked, it executed an embedded malicious DLL.
The LNK file masquerades as a document, with its real extension hidden and a fake document icon, to trick the victim into clicking it.
Drop of malware
Execution of the DLL delivers the BEATDROP downloader, which runs entirely in memory: it creates a suspended thread, injects itself into that thread, and then connects to Trello for C2 communication.
Trello is widely used in corporate environments, so routing malicious traffic through its API is unlikely to raise red flags with security products.
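The defensive counterpart to the point above is that a SaaS domain is only expected from a handful of processes. The following is an added example, not code from the article or from Mandiant: it runs over a constructed JSON-lines export of endpoint connection events (the field names ts, host, image, dest and port are an assumed schema) and flags any connection to a Trello domain that did not originate from a browser, then reports how many times each flagged image checked in and the spacing between check-ins.

```python
import json
import ntpath
from collections import Counter
from datetime import datetime

# Constructed sample of endpoint network-connection events (JSON lines), not real telemetry.
# The field names (ts, host, image, dest, port) are an assumption about the log schema.
SAMPLE_EVENTS = r"""
{"ts": "2022-02-14T09:12:01Z", "host": "WS-0417", "image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe", "dest": "api.trello.com", "port": 443}
{"ts": "2022-02-14T09:12:09Z", "host": "WS-0417", "image": "C:\\Windows\\System32\\rundll32.exe", "dest": "api.trello.com", "port": 443}
{"ts": "2022-02-14T09:13:40Z", "host": "WS-0231", "image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "dest": "trello.com", "port": 443}
{"ts": "2022-02-14T09:14:09Z", "host": "WS-0417", "image": "C:\\Windows\\System32\\rundll32.exe", "dest": "api.trello.com", "port": 443}
{"ts": "2022-02-14T09:14:30Z", "host": "WS-0417", "image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE", "dest": "outlook.office365.com", "port": 443}
{"ts": "2022-02-14T09:16:09Z", "host": "WS-0417", "image": "C:\\Windows\\System32\\rundll32.exe", "dest": "api.trello.com", "port": 443}
"""

# Destinations belonging to the legitimate service the campaign abused for C2.
TRELLO_DOMAINS = {"trello.com", "api.trello.com"}

# Process images that are expected to talk to a SaaS collaboration tool. Anything else
# reaching the Trello API deserves a look: the downloader ran from an injected thread,
# not from a browser.
BROWSERS = {"firefox.exe", "chrome.exe", "msedge.exe", "iexplore.exe"}


def parse_events(text):
    """Parse JSON lines into dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def flag_trello_from_non_browser(events):
    """Return the events in which a non-browser process connected to a Trello domain."""
    flagged = []
    for ev in events:
        if ev["dest"].lower() not in TRELLO_DOMAINS:
            continue
        exe = ntpath.basename(ev["image"]).lower()
        if exe not in BROWSERS:
            flagged.append(ev)
    return flagged


def beacon_summary(flagged):
    """Count flagged connections per (host, image) so repeat offenders surface first."""
    return Counter((ev["host"], ntpath.basename(ev["image"]).lower()) for ev in flagged)


def beacon_cadence(flagged):
    """Seconds between successive flagged connections per (host, image).
    Near-constant gaps are the regular check-in cadence of an implant, not of a user."""
    by_key = {}
    for ev in sorted(flagged, key=lambda e: e["ts"]):
        key = (ev["host"], ntpath.basename(ev["image"]).lower())
        by_key.setdefault(key, []).append(datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ"))
    return {k: [int((b - a).total_seconds()) for a, b in zip(ts, ts[1:])]
            for k, ts in by_key.items()}


if __name__ == "__main__":
    hits = flag_trello_from_non_browser(parse_events(SAMPLE_EVENTS))
    cadence = beacon_cadence(hits)
    for (host, exe), n in beacon_summary(hits).items():
        print(f"{host}: {exe} contacted Trello {n} times; gaps (s): {cadence[(host, exe)]}")
```

In the constructed sample, rundll32.exe on WS-0417 reaches api.trello.com three times exactly two minutes apart, while the browser traffic on both hosts is left alone. In a real deployment the allowlist of images would be tuned per environment, and the cadence check is what separates an implant from a one-off script a user ran.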
In later campaigns, APT29 replaced BEATDROP with a new C++ loader for Cobalt Strike BEACON that offers more advanced capabilities.
Those capabilities include keylogging, screenshots, a proxy server mode, credential exfiltration, enumeration, and port scanning.
Both loaders were used to deploy BOOMIC, which Microsoft refers to as VaporRage and which was identified and analyzed in May 2021. BOOMIC was frequently side-loaded minutes after the loader was deployed.
BOOMIC achieves persistence by altering the Windows registry, after which it downloads and executes a variety of obfuscated shellcode payloads in memory.
Mandiant discovered a number of legitimate, compromised websites acting as BOOMIC’s C2, which sidesteps URL blocklisting.
Lateral movement
APT29 escalates privileges in less than 12 hours after establishing a presence in an environment, using multiple means such as creating files containing Kerberos tickets.
The group then moves laterally by dropping more Cobalt Strike beacons and then BOOMIC on nearby systems, performing extensive network reconnaissance to find usable pivot points and harvesting more valuable passwords.
“SharedReality.dll was discovered to be a memory-only dropper built in Go that decrypts and executes an embedded BEACON payload,” according to the analysis. The BEACON payload was identified as SMB BEACON, which communicates over the SharedReality.dll named pipe, according to Mandiant.
“APT29 was then seen copying SharedReality.dll to the Temp directory of many systems while impersonating a privileged user. The group then installed and launched a scheduled job named SharedRealitySvcDLC to deploy it. The planned task was promptly erased after it was completed.” – Mandiant
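The sequence Mandiant describes (a DLL copied to a Temp directory, a scheduled task created to run it, and the task deleted minutes later) leaves a pairing that is easy to hunt for in scheduled-task audit events. The following is an added example, not code from the article or from Mandiant: it pairs task-created and task-deleted records on the same host, flags tasks that lived only minutes, and raises the severity when a DLL landed in a Temp directory on that host shortly before the task was created. The events are constructed and the flattened field names are an assumed normalisation of Windows Security log 4698/4699 and a file-creation record; only the task and DLL names come from the report.

```python
from datetime import datetime, timedelta

# Constructed sample events, not real telemetry. They are modelled loosely on Windows
# Security log 4698/4699 (scheduled task created/deleted) plus a file-creation record;
# the flattened field names, host names, users and times are assumptions for the example.
EVENTS = [
    {"ts": "2022-03-02T10:01:00Z", "host": "SRV-DB01", "type": "file_create",
     "path": r"C:\Windows\Temp\SharedReality.dll", "user": r"CORP\svc_backup"},
    {"ts": "2022-03-02T10:01:30Z", "host": "SRV-DB01", "type": "task_created",
     "task": "SharedRealitySvcDLC", "user": r"CORP\svc_backup"},
    {"ts": "2022-03-02T10:03:15Z", "host": "SRV-DB01", "type": "task_deleted",
     "task": "SharedRealitySvcDLC", "user": r"CORP\svc_backup"},
    {"ts": "2022-03-02T11:00:00Z", "host": "WS-0417", "type": "task_created",
     "task": "Adobe Acrobat Update Task", "user": r"NT AUTHORITY\SYSTEM"},
    {"ts": "2022-03-09T11:00:00Z", "host": "WS-0417", "type": "task_deleted",
     "task": "Adobe Acrobat Update Task", "user": r"NT AUTHORITY\SYSTEM"},
    {"ts": "2022-03-02T12:00:00Z", "host": "WS-0902", "type": "task_created",
     "task": "OneTimeMaintenance", "user": r"CORP\jdoe"},
    {"ts": "2022-03-02T12:04:00Z", "host": "WS-0902", "type": "task_deleted",
     "task": "OneTimeMaintenance", "user": r"CORP\jdoe"},
]


def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def is_temp_dll(path):
    """True for a .dll written under any directory named Temp (case-insensitive)."""
    p = path.lower()
    return "\\temp\\" in p and p.endswith(".dll")


def find_short_lived_tasks(events, max_lifetime=timedelta(minutes=15),
                           drop_window=timedelta(minutes=30)):
    """Pair task creation and deletion on the same host and flag tasks that lived no
    longer than max_lifetime. Severity is 'high' when a DLL landed in a Temp directory
    on that host within drop_window before the task was created, else 'medium'."""
    ordered = sorted(events, key=lambda e: parse_ts(e["ts"]))
    dll_drops = [e for e in ordered if e["type"] == "file_create" and is_temp_dll(e["path"])]
    pending = {}   # (host, task name) -> creation event awaiting its deletion
    findings = []
    for ev in ordered:
        if ev["type"] not in ("task_created", "task_deleted"):
            continue
        key = (ev["host"], ev["task"])
        if ev["type"] == "task_created":
            pending[key] = ev
            continue
        created = pending.pop(key, None)
        if created is None:          # deletion without a creation in this window
            continue
        t_created = parse_ts(created["ts"])
        lifetime = parse_ts(ev["ts"]) - t_created
        if lifetime > max_lifetime:  # long-lived tasks are ordinary maintenance
            continue
        drops = [d["path"] for d in dll_drops
                 if d["host"] == ev["host"]
                 and timedelta(0) <= t_created - parse_ts(d["ts"]) <= drop_window]
        findings.append({
            "host": ev["host"], "task": ev["task"], "user": ev["user"],
            "lifetime_s": int(lifetime.total_seconds()),
            "temp_dlls": drops,
            "severity": "high" if drops else "medium",
        })
    return findings


if __name__ == "__main__":
    for f in find_short_lived_tasks(EVENTS):
        print(f"[{f['severity']}] {f['host']}: task {f['task']!r} by {f['user']} "
              f"lived {f['lifetime_s']} s; Temp DLLs: {f['temp_dlls'] or 'none'}")
```

On the constructed input, the SRV-DB01 task is reported as high severity because a DLL appeared in C:\Windows\Temp thirty seconds before the task was created and the task was gone 105 seconds later; the week-long Acrobat task is ignored, and the short-lived task on WS-0902 is reported at medium severity for an analyst to triage. The thresholds are starting points to tune, and the same pairing logic applies to services registered and removed in quick succession.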
Despite ongoing, close monitoring of APT29 by professional threat intelligence teams, the group remains a top-tier espionage threat to high-interest targets.