Suspected Russian hackers lure Western diplomats in Ukraine with ads for second-hand BMWs

The Bleeping Computer website reported that APT29 (also tracked as Nobelium and Cloaked Ursa), a hacker group suspected of being backed by the Russian state, is using unconventional "bait" such as advertisements for second-hand BMW cars to lure Western diplomats stationed in Ukraine into clicking links that deliver malware.

Over the past two years, APT29 has gone after high-value targets in NATO, the European Union and Ukraine, using phishing emails and fake websites with foreign-policy themes to infect victims with backdoors. In a report published by Palo Alto Networks Unit 42, researchers say the group has "evolved" its phishing tactics and now uses lures that are more attractive to the people who receive the emails.

In April 2023, a Polish diplomat who was about to leave Ukraine published a legitimate advertisement to sell his car. The threat actor intercepted and copied the advertisement, embedded a malicious link in it, and sent the copy to dozens of other foreign diplomats working in Kiev.

Malicious flyer sent by APT29 (Unit 42 team)

Once the recipient clicks the "Get higher quality photos" link embedded in the malicious document, they are redirected to an HTML page that delivers the malicious ISO payload through HTML smuggling. (HTML smuggling is a phishing technique that uses HTML5 and JavaScript to hide an encoded malicious payload inside an HTML attachment or web page, so that the actual file is assembled only in the victim's browser.)

When the user opens the attachment or follows the link, the browser runs the embedded script, which decodes the obfuscated string and reconstructs the payload locally. Because the file exists only after the page is rendered, mail gateways and network scanners that inspect the attachment or the download never see it, which is what attackers rely on to get past security software. The ISO in this campaign appears to contain nine PNG images, but they are actually LNK (Windows shortcut) files, which trigger the infection chain shown in the figure below.
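To make the "decode in the browser, then save" pattern concrete, here is an added triage script (not code from the article or from Unit 42) that scans an HTML attachment for the API combination smuggling pages need and then decodes every large base64 literal to see what it really is. The HTML page, the file name `photos.iso` and the stand-in ISO bytes are constructed for the example; the only things taken as generic are the browser APIs involved and the magic bytes of the decoded blob.

```python
"""Triage an HTML attachment for HTML-smuggling indicators.

Added example; not code from the article or from Unit 42. SAMPLE_HTML is
constructed to mimic the technique: a base64 blob that JavaScript decodes in
the browser and hands to the user as a file download. The page text and the
file name are made up; the API combination and magic bytes are generic.
"""
import base64
import re

# Constructed stand-in for an ISO 9660 image: a real ISO carries its primary
# volume descriptor at sector 16 (offset 0x8000), with the "CD001" identifier
# at 0x8001. Everything else here is zero filler.
FAKE_ISO = b"\x00" * 0x8000 + b"\x01CD001\x01\x00" + b"\x00" * 64

# Constructed smuggling page (hypothetical text and file name).
SAMPLE_HTML = f"""<html><body><p>Loading higher quality photos...</p>
<script>
var b64 = "{base64.b64encode(FAKE_ISO).decode()}";
var bin = atob(b64);
var buf = new Uint8Array(bin.length);
for (var i = 0; i < bin.length; i++) buf[i] = bin.charCodeAt(i);
var blob = new Blob([buf], {{type: "application/octet-stream"}});
var a = document.createElement("a");
a.href = URL.createObjectURL(blob);
a.download = "photos.iso";
document.body.appendChild(a);
a.click();
</script></body></html>"""

# Constructed benign page: an inline image is also a large base64 literal.
BENIGN_HTML = ('<img src="data:image/png;base64,'
               + base64.b64encode(b"\x89PNG\r\n\x1a\n" + b"\x00" * 300).decode()
               + '">')

# API fragments that, together, implement "decode in the browser, then save".
SMUGGLING_APIS = ("atob(", "Blob(", "createObjectURL", "msSaveOrOpenBlob",
                  ".download", "charCodeAt")
# Base64 runs long enough to be a file rather than a short token.
B64_LITERAL = re.compile(r"[A-Za-z0-9+/]{256,}={0,2}")


def identify(data: bytes) -> str:
    """Classify a decoded blob by magic bytes, ignoring any claimed name."""
    if len(data) > 0x8006 and data[0x8001:0x8006] == b"CD001":
        return "iso9660"
    if data[:2] == b"MZ":
        return "pe"
    if data[:4] == b"\x4c\x00\x00\x00":
        return "lnk"
    if data[:2] == b"PK":
        return "zip"
    if data[:8] == b"\x89PNG\r\n\x1a\n":
        return "png"
    return "unknown"


def scan_html(html: str) -> dict:
    """Report smuggling APIs and every large base64 literal found in the page."""
    apis = [a for a in SMUGGLING_APIS if a in html]
    payloads = []
    for m in B64_LITERAL.finditer(html):
        try:
            raw = base64.b64decode(m.group(0), validate=True)
        except ValueError:  # binascii.Error: not base64 after all, or bad padding
            continue
        payloads.append({"offset": m.start(), "size": len(raw),
                         "type": identify(raw)})
    # Inline images are base64 too; alert only when the decode-and-save APIs
    # are present together with a blob that is itself a container or executable.
    risky = {"iso9660", "pe", "lnk", "zip"}
    suspicious = len(apis) >= 3 and any(p["type"] in risky for p in payloads)
    return {"apis": apis, "payloads": payloads, "suspicious": suspicious}


if __name__ == "__main__":
    print(scan_html(SAMPLE_HTML))
    print(scan_html(BENIGN_HTML))
```

The point of decoding the literal rather than just flagging the APIs is that a mail gateway sees nothing but text; once the blob is reconstructed the same way the browser would, its magic bytes show that a "photo" page is carrying a disk image.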

The infection chain observed by the Unit 42 team

When the victim opens any of the LNK files disguised as PNG images, the shortcut launches a legitimate executable, which loads a malicious DLL through DLL sideloading; that DLL then injects shellcode into the current process in memory.

Fake PNG files included in ISO archives (Unit 42 team)
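Because Windows Explorer never shows the `.lnk` extension, a shortcut named `photo1.png.lnk` appears to the user as `photo1.png`, which is why judging files by their name is not enough. The following added script (not code from the article or from Unit 42) identifies shortcuts by the Shell Link header instead and pulls out what each one would run. The shortcut is constructed in the Shell Link binary format; its target `photos\viewer.exe`, its argument and its icon path are placeholders, not the campaign's real values.

```python
"""Triage files extracted from a phishing ISO: identify Windows shortcuts by
their header rather than their name, and extract what each shortcut runs.

Added example; not code from the article or from Unit 42. The shortcut below
is constructed with the Shell Link binary format (MS-SHLLINK); its target,
argument and icon path are placeholders.
"""
import struct

# HeaderSize (0x4C) followed by the fixed shell-link CLSID
# {00021401-0000-0000-C000-000000000046}: the first 20 bytes of every .lnk.
LNK_MAGIC = b"\x4c\x00\x00\x00" + bytes.fromhex("0114020000000000c000000000000046")

# LinkFlags bits that change the layout of the file.
HAS_IDLIST, HAS_LINKINFO, HAS_NAME, HAS_RELPATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKDIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
# StringData fields, in the order they appear in the file.
STRING_FIELDS = ((HAS_NAME, "description"), (HAS_RELPATH, "relative_path"),
                 (HAS_WORKDIR, "working_dir"), (HAS_ARGS, "arguments"),
                 (HAS_ICON, "icon_location"))


def build_lnk(relative_path: str, arguments: str, icon: str) -> bytes:
    """Construct a minimal but well-formed shortcut (for the demo only)."""
    flags = HAS_IDLIST | HAS_LINKINFO | HAS_RELPATH | HAS_ARGS | HAS_ICON | IS_UNICODE
    # ShellLinkHeader: size, CLSID, flags, attributes (ARCHIVE), three
    # timestamps, file size, icon index, ShowCommand (SW_SHOWNORMAL),
    # hotkey and reserved fields.
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_MAGIC[4:], flags,
                         0x20, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    idlist = struct.pack("<H", 2) + b"\x00\x00"          # IDListSize + TerminalID
    linkinfo = struct.pack("<I", 0x1C) + b"\x00" * 0x18  # minimal LinkInfo

    def s(text: str) -> bytes:  # CountCharacters + UTF-16LE characters
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")

    return header + idlist + linkinfo + s(relative_path) + s(arguments) + s(icon)


def parse_lnk(data: bytes) -> dict:
    """Walk the header, skip the ID list and LinkInfo, read the string data."""
    if len(data) < 76 or data[:20] != LNK_MAGIC:
        raise ValueError("not a shell link")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 76
    if flags & HAS_IDLIST:
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINKINFO:
        pos += struct.unpack_from("<I", data, pos)[0]  # LinkInfoSize counts itself
    out = {}
    for flag, key in STRING_FIELDS:
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        if flags & IS_UNICODE:
            out[key] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:
            out[key] = data[pos:pos + count].decode("latin-1")
            pos += count
    return out


def triage(name: str, data: bytes) -> dict:
    """Judge a file by its magic bytes, not by the extension it claims."""
    lower = name.lower()
    verdict = {"file": name, "is_lnk": data[:20] == LNK_MAGIC, "disguised": False}
    if verdict["is_lnk"]:
        stem = lower[:-4] if lower.endswith(".lnk") else lower
        # Explorer hides ".lnk", so a second extension in the stem
        # (photo1.png) is exactly what the victim sees.
        verdict["disguised"] = "." in stem
        verdict.update(parse_lnk(data))
    return verdict


# Constructed ISO contents: one disguised shortcut and one real PNG.
SAMPLES = {
    "photo1.png.lnk": build_lnk("photos\\viewer.exe", "/quiet",
                                "%SystemRoot%\\System32\\imageres.dll"),
    "photo2.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
}

if __name__ == "__main__":
    for fname, blob in SAMPLES.items():
        print(triage(fname, blob))
```

The relative path and arguments are what an analyst most wants from a shortcut in a case like this: together they name the executable the victim will actually launch, and an executable shipped alongside an unexpected DLL in the same folder is the sideloading setup to look for next.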

The Unit 42 team pointed out that the campaign targeted at least 22 of the more than 80 foreign missions in Kiev, including those of the United States, Canada, Turkey, Spain, the Netherlands, Greece, Estonia and Denmark. How many recipients were actually infected is not known.

It is worth noting that about 80% of the email addresses that received the malicious flyer were publicly available on the Internet. The remaining 20% were not, which indicates that APT29 obtained them by other means, such as compromising the accounts of targeted diplomats or through other intelligence gathering.

Targeting of foreign missions in Ukraine (Unit 42 team)

Another recent example of APT29 phishing is a PDF sent to the Turkish Ministry of Foreign Affairs in early 2023, themed on humanitarian aid for the February earthquake that hit southern Turkey. The Unit 42 team said that, given the timing, the malicious PDF was likely shared among Foreign Ministry employees and forwarded to other organizations in Turkey.

Finally, the Unit 42 team noted that with the war between Russia and Ukraine ongoing and shifting dynamics within NATO threatening to alter the geopolitical landscape, Russian cyberespionage groups are expected to continue and even intensify their attacks on diplomatic missions.

Source: blog.csdn.net/FreeBuf_/article/details/131707051