On 16 November the researchers of Yoroi ZLab obtained a new and dangerous APT29 malware sample, which appears to be involved in the recent wave of attacks against many high-profile US entities, such as military agencies, law enforcement, defense contractors, media companies and pharmaceutical companies.
“The Department is aware of the recent malicious cyber event involving the spoofing (impersonation) of a Department employee reported by U.S. cybersecurity firm FireEye. No Department networks were compromised by this malicious cyber attempt.” reads the statement released by the State Department.
Many experts and media outlets attributed the attack to the Russian APT group.
Threat actors carried out spear-phishing attacks impersonating a State Department official in an attempt to compromise their targets; the attacks are similar to those associated with the Russia-linked group APT29 (aka The Dukes, Cozy Bear, and Cozy Duke).
APT29 along with APT28 cyber espionage group was involved in the Democratic National Committee hack and the wave of attacks aimed at the 2016 US Presidential Elections.
Moreover, many independent security researchers posted about this news on Twitter and are currently busy analyzing the threat.
Looking at (alleged) #APT29 LNK 2cea2a1f53dac3f4fff156eacc2ecc8e98b1a64f0f5b5ee1c42c69d9a226c55c – simple, yet effective, evasion for people just grabbing shit from VT and such and trying to run the damn thing. pic.twitter.com/rpuHZnQ3F6
— Joe Słowik 🌻 (@jfslowik) November 16, 2018
Great work @jfslowik https://t.co/9ZXf8yfFYa
— Drunk Binary (@DrunkBinary) November 16, 2018
The threat actors spread the malware through spear-phishing messages carrying a zip file as an attachment. The archive simply contains a link (.lnk) file with remarkable capabilities.
When the victim double-clicks the link file, it starts several malicious activities:
At the time of the analysis, the real purpose of the malware is not yet clear because the command-and-control (C2) server is down. Moreover, it does not appear to implement any technique to gain persistence on the infected system.
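As an added example (not code from Yoroi ZLab or the original post), a defender-side triage script in Python for the delivery chain described above: it unpacks a mail attachment, parses every .lnk inside it following the MS-SHLLINK layout (header, optional IDList/LinkInfo, then the StringData strings) and flags shortcuts whose command-line arguments invoke a living-off-the-land binary. The LOLBINS list, the minimal shortcut builder and the sample zip are constructed for illustration and are not the real APT29 artifact.

```python
import io
import struct
import zipfile

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-...-0046}
HAS_IDLIST, HAS_LINKINFO, IS_UNICODE = 0x01, 0x02, 0x80
STRING_DATA = [(0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
               (0x20, "arguments"), (0x40, "icon_location")]  # spec order
LOLBINS = ("powershell", "cmd.exe", "rundll32", "regsvr32", "mshta", "wscript", "-enc")  # illustrative

def parse_lnk(data):
    """Parse ShellLinkHeader + StringData of a .lnk (MS-SHLLINK); returns a dict of fields."""
    if len(data) < 76 or struct.unpack_from("<I", data)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a Windows shell link")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 76                                  # fixed-size header
    if flags & HAS_IDLIST:                    # LinkTargetIDList: 2-byte size, then items
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINKINFO:                  # LinkInfo: its first DWORD is the total size
        pos += struct.unpack_from("<I", data, pos)[0]
    width = 2 if flags & IS_UNICODE else 1
    out = {}
    for bit, key in STRING_DATA:              # each: 2-byte char count, then the string
        if flags & bit:
            n = struct.unpack_from("<H", data, pos)[0]
            out[key] = data[pos + 2:pos + 2 + n * width].decode("utf-16-le" if width == 2 else "cp1252")
            pos += 2 + n * width
    return out

def scan_zip(zip_bytes):
    """Return (entry, suspicious?, arguments) for every .lnk inside a zip attachment."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            if name.lower().endswith(".lnk"):
                args = parse_lnk(zf.read(name)).get("arguments", "")
                findings.append((name, any(t in args.lower() for t in LOLBINS), args))
    return findings

def build_lnk(args):  # constructed minimal shortcut: only HasArguments|IsUnicode set
    header = struct.pack("<I", 0x4C) + LNK_CLSID + struct.pack("<I", 0x20 | 0x80) + bytes(52)
    return header + struct.pack("<H", len(args)) + args.encode("utf-16-le")

def sample_attachment():
    """Constructed zip mimicking the delivery: a benign file plus a double-extension .lnk."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("notes.txt", b"constructed benign entry")
        zf.writestr("report.pdf.lnk", build_lnk("/c rundll32 %TEMP%\\stage.dll,Start"))
    return buf.getvalue()
```

Real-world shortcuts usually also carry an IDList and LinkInfo block; the parser skips both by their declared sizes, so the StringData offsets stay correct.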
Experts will publish a detailed technical analysis of the malicious DLL in the forthcoming weeks.
Stay tuned!
Below are the IoCs for the malware.
IP:
URL:
HASH:
FILENAME:
(Security Affairs – APT29, malware)