A Russia-linked menace actor has been linked to a brand new marketing campaign that employed a automobile on the market as a phishing lure to ship a modular Home windows backdoor known as HeadLace.
“The marketing campaign doubtless focused diplomats and started as early as March 2024,” Palo Alto Networks Unit 42 stated in a report revealed right now, attributing it with medium to excessive degree of confidence to APT28, which can also be known as BlueDelta, Fancy Bear, Preventing Ursa, Forest Blizzard, FROZENLAKE, Iron Twilight, ITG05, Pawn Storm, Sednit, Sofacy, and TA422.
It is price noting that car-for-sale phishing lure themes have been beforehand put to make use of by a special Russian nation-state group known as APT29 since July 2023, indicating that APT28 is repurposing profitable ways for its personal campaigns.
Earlier this Might, the menace actor was implicated in a collection of campaigns concentrating on networks throughout Europe with the HeadLace malware and credential-harvesting net pages.
The assaults are characterised by means of a authentic service referred to as webhook[.]website – a trademark of APT28’s cyber operations together with Mocky – to host a malicious HTML web page, which first checks whether or not the goal machine is working on Home windows and in that case, presents a ZIP archive for obtain (“IMG-387470302099.zip”).
If the system isn’t Home windows-based, it redirects to a decoy picture hosted on ImgBB, particularly an Audi Q7 Quattro SUV.
Current inside the archive are three recordsdata: The authentic Home windows calculator executable that masquerades as a picture file (“IMG-387470302099.jpg.exe”), a DLL (“WindowsCodecs.dll”), and a batch script (“zqtxmo.bat”).
The calculator binary is used to sideload the malicious DLL, a element of the HeadLace backdoor that is designed to run the batch script, which, in flip, executes a Base64-encoded command to retrieve a file from one other webhook[.]website URL.
This file is then saved as “IMG387470302099.jpg” within the customers’ downloads folder and renamed to “IMG387470302099.cmd” previous to execution, after which it is deleted to erase traces of any malicious exercise.
“Whereas the infrastructure utilized by Preventing Ursa varies for various assault campaigns, the group often depends on these freely accessible companies,” Unit 42 stated. “Moreover, the ways from this marketing campaign match with beforehand documented Preventing Ursa campaigns, and the HeadLace backdoor is unique to this menace actor.”