The Polish government warns that a cyberespionage group linked to Russia's intelligence services is targeting diplomatic and foreign ministries of NATO and EU member states in an ongoing campaign that uses previously undocumented malware payloads. The group, known in the security industry as APT29, Cozy Bear, and NOBELIUM, is believed to be part of Russia's Foreign Intelligence Service (SVR) and is the group behind the 2020 supply chain attack against software company SolarWinds, which led to the compromise of thousands of organizations worldwide.
In the new attack campaign, discovered and investigated by Poland's Military Counterintelligence Service and CERT Polska (CERT.PL), the APT29 operators targeted selected personnel at diplomatic posts with spear phishing emails that masqueraded as messages from the embassies of European countries, inviting them to meetings or to collaborate on documents. The emails carried PDF attachments containing links to supposedly external calendars, meeting details or work files. The links led to web pages that used JavaScript to decode a payload in the browser and offer it for download. This technique is known as HTML Smuggling: the file is never fetched as a separate download that a proxy or gateway could inspect, but assembled client-side from data embedded in the page. The served files had .ISO, .ZIP or .IMG extensions.
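The following is an added example, not code from the advisory or the article, showing how an analyst can triage a suspicious landing page for the HTML Smuggling pattern described above: find the `download` file name the script assigns, the browser APIs used to materialise the file (`atob`, `Blob`, `URL.createObjectURL`), and any large base64 blob, which is decoded and type-sniffed by signature rather than by name. The sample page, its variable names, the lure file name and the payload bytes are all constructed for the example; real lures often add further obfuscation on top of base64, which this checker does not attempt to unwrap.

```python
import base64
import binascii
import re

# Constructed sample page in the shape an HTML Smuggling lure takes: a base64 blob
# decoded by JavaScript into a Blob and pushed to the browser as a download. The
# payload is a fabricated stand-in (a ZIP signature plus padding), not a real
# APT29 artifact; the lure file name and variable names are assumptions.
def build_sample_page() -> str:
    fake_zip = b"PK\x03\x04" + b"\x00" * 96
    blob = base64.b64encode(fake_zip).decode()
    return (
        "<html><body><script>\n"
        f'var data = "{blob}";\n'
        "var bin = atob(data);\n"
        "var bytes = new Uint8Array(bin.length);\n"
        "for (var i = 0; i < bin.length; i++) bytes[i] = bin.charCodeAt(i);\n"
        "var file = new Blob([bytes], {type: 'application/octet-stream'});\n"
        "var a = document.createElement('a');\n"
        "a.href = URL.createObjectURL(file);\n"
        "a.download = 'Invitation-Agenda.img';\n"
        "a.click();\n"
        "</script></body></html>\n"
    )

# Container types the advisory says were served; checked by signature, not by name.
CONTAINER_EXTENSIONS = {".iso", ".img", ".zip"}

def sniff_type(data: bytes) -> str:
    """Identify a decoded payload by magic bytes."""
    if data[:4] == b"PK\x03\x04":
        return "zip"
    if data[:2] == b"MZ":
        return "pe"
    # ISO 9660 primary volume descriptor: "CD001" at byte offset 0x8001.
    if len(data) > 0x8006 and data[0x8001:0x8006] == b"CD001":
        return "iso"
    return "unknown"

B64_RE = re.compile(r'["\']([A-Za-z0-9+/]{64,}={0,2})["\']')
DOWNLOAD_RE = re.compile(r'\.download\s*=\s*["\']([^"\']+)["\']')
API_MARKERS = ("atob(", "new Blob(", "URL.createObjectURL(", "msSaveOrOpenBlob(")

def analyze_page(html: str) -> dict:
    """Return smuggling indicators found in a page: assigned download names (with a flag
    for container extensions), browser APIs used to build the file, and the size and
    sniffed type of every large base64 blob that decodes cleanly."""
    report = {"download_names": [], "apis": [], "payloads": []}
    for name in DOWNLOAD_RE.findall(html):
        ext = name[name.rfind("."):].lower() if "." in name else ""
        report["download_names"].append((name, ext in CONTAINER_EXTENSIONS))
    report["apis"] = [m for m in API_MARKERS if m in html]
    for blob in B64_RE.findall(html):
        try:
            raw = base64.b64decode(blob, validate=True)
        except (ValueError, binascii.Error):
            continue
        report["payloads"].append({"size": len(raw), "type": sniff_type(raw)})
    # All three signals together: a container file name, client-side file assembly,
    # and an embedded blob that decodes to a recognisable file type.
    report["smuggling_likely"] = (
        any(flag for _, flag in report["download_names"])
        and "new Blob(" in report["apis"]
        and any(p["type"] != "unknown" for p in report["payloads"])
    )
    return report

if __name__ == "__main__":
    print(analyze_page(build_sample_page()))
```

Sniffing by signature matters because the `download` name is attacker-controlled: a file named `.img` may be a ZIP, a PE, or an ISO 9660 image, and the container type determines whether the Windows auto-mount behaviour discussed below applies.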
Attack campaign uses DLL sideloading
APT29 has used .ISO files for malware distribution before, but the use of .IMG (disk image) files is a new technique. Both ISO and IMG files are automatically mounted as a virtual disk when opened in Windows, and the user can then access the files contained within. Files inside a mounted image historically did not inherit the Mark-of-the-Web attached to the downloaded image, which is part of what makes these containers attractive for delivering payloads. In this case, the files were Windows shortcuts (LNK) that launched a legitimate executable, which in turn loaded a malicious DLL.
This technique is known as DLL sideloading. Attackers deliver an executable file belonging to a legitimate application that is known to load a DLL with a specific name from its own directory; they only need to place a malicious DLL with that name next to the executable. Because the code that ends up running in memory was loaded by a legitimate, often signed, file, attackers hope to evade security tools that have that file whitelisted and that judge activity by the process image rather than by the libraries it loads.
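The following is an added example, not code from the advisory or the article, showing the hunt logic a defender would run over image-load telemetry to surface the sideloading chain above. It works on records in the shape of Sysmon Event ID 7 (ImageLoad) fields and flags a DLL that is loaded from the executable's own directory when a second signal is present: the DLL is unsigned or carries an invalid signature, or the load path is in one of the locations the advisory singles out (a non-system drive letter, where a mounted image or external media appears; a temporary directory; the %LOCALAPPDATA% subtree). The records, paths, times and program names are constructed for the example and are not the executable or DLL names used in the campaign; the assumption that the system drive is C: is an assumption.

```python
import ntpath
import re

# Constructed records in the shape of Sysmon Event ID 7 (ImageLoad) fields. Paths,
# times and program names are made up for illustration and are not the executable
# or DLL names from the campaign.
SAMPLE_EVENTS = [
    {"UtcTime": "2023-04-13 09:12:01.120", "Image": r"E:\Invitation\reader.exe",
     "ImageLoaded": r"E:\Invitation\version.dll",
     "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable"},
    {"UtcTime": "2023-04-13 09:12:01.130", "Image": r"E:\Invitation\reader.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    {"UtcTime": "2023-04-13 09:15:44.003", "Image": r"C:\Program Files\ExampleApp\app.exe",
     "ImageLoaded": r"C:\Program Files\ExampleApp\libplugin.dll",
     "Signed": "true", "Signature": "Example Vendor", "SignatureStatus": "Valid"},
    {"UtcTime": "2023-04-13 09:20:10.551",
     "Image": r"C:\Users\jdoe\AppData\Local\Temp\abc\update.exe",
     "ImageLoaded": r"C:\Users\jdoe\AppData\Local\Temp\abc\cryptbase.dll",
     "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable"},
]

# Locations the advisory singles out. A non-system drive letter is where a mounted
# ISO/IMG or removable media shows up (assumes the system drive is C:).
SUSPICIOUS_DIRS = [
    (re.compile(r"^[D-Z]:\\", re.I), "non-system drive (mounted image or external media)"),
    (re.compile(r"\\Temp\\", re.I), "temporary directory"),
    (re.compile(r"\\AppData\\Local\\", re.I), "%LOCALAPPDATA% subtree"),
    (re.compile(r"\\Downloads\\", re.I), "Downloads directory"),
]

def assess_image_load(event: dict) -> list:
    """Return the reasons an ImageLoad record looks like DLL sideloading, or [] if none."""
    exe_dir = ntpath.dirname(event["Image"]).lower()
    dll_dir = ntpath.dirname(event["ImageLoaded"]).lower()
    if exe_dir != dll_dir:
        return []  # adjacency to the executable is the defining trait of the technique
    reasons = ["DLL loaded from the executable's own directory"]
    if event.get("Signed", "").lower() != "true" or event.get("SignatureStatus") != "Valid":
        reasons.append("loaded DLL is unsigned or has an invalid signature")
    for pattern, label in SUSPICIOUS_DIRS:
        if pattern.search(event["ImageLoaded"]):
            reasons.append(f"load path in {label}")
            break
    # Adjacent, validly signed DLLs inside an installed application are normal; only
    # alert when the signature check or the location adds a second signal.
    return reasons if len(reasons) > 1 else []

def find_sideloads(events: list) -> list:
    """Filter ImageLoad records down to those worth an analyst's attention."""
    hits = []
    for ev in events:
        reasons = assess_image_load(ev)
        if reasons:
            hits.append({"time": ev["UtcTime"], "process": ev["Image"],
                         "dll": ev["ImageLoaded"], "reasons": reasons})
    return hits

if __name__ == "__main__":
    for hit in find_sideloads(SAMPLE_EVENTS):
        print(hit["time"], hit["process"], "->", hit["dll"])
        for reason in hit["reasons"]:
            print("   -", reason)
```

The Program Files record is deliberately left unflagged: applications routinely ship their own DLLs beside the executable, so adjacency alone is noise. The two signals that separate a sideload from that baseline are the signature state of the loaded library and the location the pair runs from, which is also why the mitigations at the end of the advisory focus on where executables are allowed to start.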
The primary payload of the attack is a custom malware dropper that the Polish researchers dubbed SNOWYAMBER. This is a lightweight program that collects basic information about the computer and contacts a command-and-control channel hosted on Notion.so, an online workspace collaboration service, so that its traffic blends in with legitimate use of a popular SaaS platform. The dropper's purpose is to download and execute additional malware, and the researchers have seen the APT29 attackers use it to deploy Cobalt Strike and Brute Ratel beacons. Both are commercial post-exploitation frameworks intended for penetration testers that have found adoption with attackers, too.
A variant of SNOWYAMBER was detected and reported publicly by Recorded Future in October 2022, but a new variant with additional anti-detection routines was found by the Polish researchers in February 2023. SNOWYAMBER is not the only malware dropper used by APT29. In February, the group was seen using another payload the researchers dubbed HALFRIG, which was also used to deploy Cobalt Strike. However, instead of downloading the beacon from a command-and-control server, it decrypted it from embedded shellcode, so the beacon is present on disk inside the dropper rather than fetched at runtime. In March, the hackers were seen using yet another tool dubbed QUARTERRIG that shares part of its codebase with HALFRIG.
The use of multiple droppers in a relatively short timespan suggests that the attackers are quickly adapting and replacing tools that get identified by the security community and no longer deliver the same success rate.
APT29 espionage campaign is ongoing
"At the time of publication of the report, the campaign is still ongoing and in development," the Polish government said in its advisory. "The intention of publishing the advisory is to disrupt the ongoing espionage campaign, impose additional cost of operations against allied nations and enable the detection, analysis and tracking of the activity by affected parties and the wider cyber security industry."
The targets in APT29's area of interest include government entities, diplomatic entities (foreign ministries, embassies, diplomatic staff and people working in international entities), international organizations, and non-governmental organizations. While the attacks focused primarily on EU and NATO entities, some targets were also observed in Africa.
The Polish Military Counterintelligence Service and CERT.PL recommend that organizations that believe they might be a target implement the following defensive measures:
- Block the ability to mount disk images on the file system, as most users do not need this functionality.
- Monitor the mounting of disk image files by users with administrator roles.
- Enable and configure attack surface reduction rules.
- Configure software restriction policy.
- Block the ability to start executable files from unusual locations (in particular, temporary directories, %localappdata% and its subdirectories, and external media).
The Polish government's advisory also includes indicators of compromise that can be used to build detections for the known malware samples.
Copyright © 2023 IDG Communications, Inc.