Home Security APT28 Targets Diplomats with HeadLace Malware via Car Sale Phishing Lure

APT28 Targets Diplomats with HeadLace Malware via Car Sale Phishing Lure

by


Aug 02, 2024Ravie LakshmananCyber Espionage / Malware

A Russia-linked threat actor has been linked to a new campaign that employed a car for sale as a phishing lure to deliver a modular Windows backdoor called HeadLace.

“The campaign likely targeted diplomats and began as early as March 2024,” Palo Alto Networks Unit 42 said in a report published today, attributing it with medium to high level of confidence to APT28, which is also referred to as BlueDelta, Fancy Bear, Fighting Ursa, Forest Blizzard, FROZENLAKE, Iron Twilight, ITG05, Pawn Storm, Sednit, Sofacy, and TA422.

It’s worth noting that car-for-sale phishing lure themes have been previously put to use by a different Russian nation-state group called APT29 since July 2023, indicating that APT28 is repurposing successful tactics for its own campaigns.

Cybersecurity

Earlier this May, the threat actor was implicated in a series of campaigns targeting networks across Europe with the HeadLace malware and credential-harvesting web pages.

The attacks are characterized by the use of a legitimate service known as webhook[.]site – a hallmark of APT28’s cyber operations along with Mocky – to host a malicious HTML page, which first checks whether the target machine is running on Windows and if so, offers a ZIP archive for download (“IMG-387470302099.zip”).

If the system is not Windows-based, it redirects to a decoy image hosted on ImgBB, specifically an Audi Q7 Quattro SUV.

Present within the archive are three files: The legitimate Windows calculator executable that masquerades as an image file (“IMG-387470302099.jpg.exe”), a DLL (“WindowsCodecs.dll”), and a batch script (“zqtxmo.bat”).

The calculator binary is used to sideload the malicious DLL, a component of the HeadLace backdoor that’s designed to run the batch script, which, in turn, executes a Base64-encoded command to retrieve a file from another webhook[.]site URL.

This file is then saved as “IMG387470302099.jpg” in the users’ downloads folder and renamed to “IMG387470302099.cmd” prior to execution, after which it’s deleted to erase traces of any malicious activity.

“While the infrastructure used by Fighting Ursa varies for different attack campaigns, the group frequently relies on these freely available services,” Unit 42 said. “Furthermore, the tactics from this campaign fit with previously documented Fighting Ursa campaigns, and the HeadLace backdoor is exclusive to this threat actor.”

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.





Source link

Related Articles

xxxanti beeztube.mobi hot sexy mp4 menyoujan hentaitgp.net jason voorhees hentai indian soft core chupatube.net youjzz ez2 may 8 2023 pinoycinema.org ahensya ng pamahalaan pakistani chut ki chudai pimpmovs.com www xvedio dost ke papa zztube.mobi 300mbfilms.in صور مص الزب arabporna.net نهر العطش لمن تشعر بالحرمان movierulz plz.in bustyporntube.info how to make rangoli video 穂高ゆうき simozo.net 四十路五十路 ロシアav javvideos.net 君島みお 無修正 افلام سكس في المطبخ annarivas.net فيلم سكس قديم rashmi hot videos porncorn.info audiosexstories b grade latest nesaporn.pro high school girls sex videos real life cam eroebony.info painfull porn exbii adult pics teacherporntrends.com nepali school sex