In mid-January 2022, security researchers from Mandiant spotted a spear-phishing campaign, launched by the Russia-linked APT29 group, targeting diplomats and government entities.
The Russia-linked APT29 group (aka SVR, Cozy Bear, and The Dukes) has been active since at least 2014. Along with the APT28 cyber espionage group, it was involved in the Democratic National Committee hack and the wave of attacks aimed at the 2016 US Presidential Elections.
The messages used in the recent campaign uncovered by Mandiant were sent from compromised email addresses belonging to embassies. The phishing emails masqueraded as administrative notices related to various embassies. The nation-state actors used Atlassian Trello, DropBox, and cloud services as part of their command and control (C2) infrastructure.
The experts observed multiple waves of attacks between January 2022 and March 2022.
“APT29 targeted large lists of recipients that Mandiant suspected were primarily publicly listed points of contact of embassy personnel. These phishing emails utilized a malicious HTML dropper tracked as ROOTSAW, that makes use of a technique known as HTML smuggling to deliver an IMG or ISO file to a victim system.” reads the analysis published by Mandiant.
The messages used the HTML smuggling technique to deliver an IMG or ISO file to the victims.
Upon opening the attachment, the ROOTSAW HTML dropper writes an IMG or ISO file to disk. The image file contains a Windows shortcut (LNK) file and a malicious DLL. Once the LNK file is clicked, the embedded malicious DLL is executed. To trick the victim into clicking the LNK file, the attackers used a fake icon that makes it look like a legitimate document file.
Once the DLL is executed, the BEATDROP downloader is delivered and executed in memory.
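A mail-gateway style check for the delivery chain described above (an HTML attachment that carries a disk image holding an LNK and a DLL), as an added example that is not taken from Mandiant's report or from ROOTSAW itself. It assumes the image is embedded as a plain base64 string and is an ISO 9660 image; the marker list, function names and sample input are constructed for illustration.

```python
import base64
import re

# Generic HTML-smuggling markers: JavaScript that builds a file in the browser.
JS_MARKERS = ("new Blob", "createObjectURL", "msSaveOrOpenBlob", "download=")
B64_RUN = re.compile(r"[A-Za-z0-9+/]{1024,}={0,2}")  # long embedded base64 strings
ISO_MAGIC_OFFSET = 0x8001  # "CD001" sits one byte into sector 16 of an ISO 9660 image


def has_ext(image: bytes, ext: str) -> bool:
    """Look for a file extension in ISO 9660 (ASCII) or Joliet (UTF-16BE) names."""
    return any(name.encode(enc) in image
               for name in (ext.upper(), ext.lower())
               for enc in ("ascii", "utf-16-be"))


def inspect_html(html: str) -> dict:
    """Return smuggling indicators found in one HTML attachment."""
    report = {"js_markers": [m for m in JS_MARKERS if m in html],
              "iso_blobs": 0, "lnk_and_dll": False}
    for run in B64_RUN.findall(html):
        try:
            data = base64.b64decode(run + "=" * (-len(run) % 4))
        except ValueError:  # not valid base64 after all
            continue
        if data[ISO_MAGIC_OFFSET:ISO_MAGIC_OFFSET + 5] == b"CD001":
            report["iso_blobs"] += 1
            if has_ext(data, ".lnk") and has_ext(data, ".dll"):
                report["lnk_and_dll"] = True
    # Flag only when browser-side file assembly and an embedded image coincide.
    report["suspicious"] = bool(report["js_markers"]) and report["iso_blobs"] > 0
    return report


def make_sample() -> str:
    """Constructed input: an ISO-like buffer (not a real image) inside a script tag."""
    image = bytearray(0x8800)
    image[0x8000:0x8007] = b"\x01CD001\x01"       # primary volume descriptor header
    image += b"INVOICE.LNK;1" + b"DATA.DLL;1"     # constructed directory names
    b64 = base64.b64encode(bytes(image)).decode()
    return ('<script>var d=atob("' + b64 + '");'
            'var u=URL.createObjectURL(new Blob([d]));</script>')


if __name__ == "__main__":
    print(inspect_html(make_sample()))
```

Raw IMG or UDF-only images do not carry the `CD001` signature, so a production rule would need additional format checks and would have to handle payloads that are split or encoded in other ways.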
“BEATDROP is a downloader written in C that makes use of Trello for C2. Once executed, BEATDROP first maps its own copy of ntdll.dll into memory for the purpose of executing shellcode in its own process. BEATDROP first creates a suspended thread with RtlCreateUserThread which points to NtCreateFile.” continues the report. “Following this, BEATDROP will enumerate the system for the username, computer name, and IP address. This information is used to create a victim ID, which is used by BEATDROP to store and retrieve victim payloads from its C2. Once the victim ID is created, BEATDROP will make an initial request to Trello to identify whether the current victim has already been compromised.”
Experts also reported that APT29 replaced BEATDROP with a new C++ BEACON loader based on Cobalt Strike. The beacon implements backdoor capabilities, including keylogging, taking screenshots, harvesting account credentials, exfiltrating data, port scanning, and more.
Once it has gained a foothold in the target network, APT29 quickly attempts to escalate privileges; in some cases the attackers were able to gain Domain Admin in less than 12 hours from the phishing attack.
Once the threat actors have established access, they perform extensive reconnaissance of hosts and the Active Directory environment. The APT group was also observed conducting on-host reconnaissance to harvest credentials.
During this phishing campaign, the APT29 group was observed utilizing multiple malware families, including the BEATDROP and BOOMMIC loaders, the ROOTSAW HTML dropper, and the BEACON backdoor.
The report includes indicators of compromise (IoCs), detection rules, and MITRE ATT&CK TTPs.
(SecurityAffairs – hacking, APT)