Russia-linked APT used a car for sale as a phishing lure to target diplomats with HeadLace malware

Published: 2024-08-03

A Russia-linked APT used a car for sale as a phishing lure to deliver a modular Windows backdoor called HeadLace.

Palo Alto researchers reported that a Russia-linked threat actor known as Fighting Ursa (also identified as APT28, Fancy Bear, or Sofacy) used a fake car advertisement to distribute the HeadLace backdoor malware, targeting diplomats. The campaign began around March 2024; the attackers leveraged phishing tactics that have been effective against diplomats for years, exploiting themes that prompt targets to engage with malicious content.

The experts attribute the March 2024 campaign to Fighting Ursa with a medium to high level of confidence. The APT group targeted diplomats and relied on public and free services to host various stages of the attack.

Unit 42 pointed out that other threat groups have used the same kind of lure: in 2023, Cloaked Ursa used an advertisement for a BMW for sale to target diplomatic missions within Ukraine.

In June 2023, researchers at Insikt Group observed the Russian GRU's unit APT28 targeting networks across Europe with the HeadLace information stealer and credential-harvesting web pages. The experts observed the APT deploying HeadLace in three distinct phases from April to December 2023, using phishing, compromised internet services, and living-off-the-land binaries, respectively. The credential-harvesting pages were designed to target Ukraine's Ministry of Defence, European transportation infrastructures, and an Azerbaijani think tank. The credential-harvesting pages created by the group can defeat two-factor authentication and CAPTCHA challenges by relaying requests between legitimate services and compromised Ubiquiti routers.

The compromise of networks associated with Ukraine's Ministry of Defence and European railway systems could allow attackers to gather intelligence to influence battlefield tactics and broader military strategies. Additionally, their interest in the Azerbaijan Center for Economic and Social Development indicates a potential agenda to understand and possibly influence regional policies. Insikt Group speculated the operation was aimed at influencing regional and military dynamics.

Earlier this May, the threat actor Fighting Ursa exploited Webhook.site, a legitimate service, to initiate the infection chain by hosting a malicious HTML page. This page, submitted to VirusTotal on March 14, 2024, included scripts to determine whether the visitor's computer was running Windows. Non-Windows users were redirected to a decoy image hosted on ImgBB. For Windows visitors, the HTML used JavaScript to build a ZIP archive from embedded Base64 text and automatically offer it for download. The decoy image, featuring an Audi Q7 Quattro SUV falsely advertised as a "Diplomatic Car For Sale," included fake contact details and aimed to lend credibility to the phishing scheme.

[Figure: APT28 decoy image]


The ZIP archive contained three files: a copy of the legitimate Windows calculator executable calc.exe that masquerades as an image file ("IMG-387470302099.jpg.exe"), a DLL ("WindowsCodecs.dll"), and a batch file ("zqtxmo.bat").

When IMG-387470302099.jpg.exe (the renamed calc.exe) is launched, it sideloads the DLL WindowsCodecs.dll, a component of the HeadLace backdoor, which runs the batch script. In turn, the script executes a Base64-encoded command to retrieve a file from another webhook[.]site URL.

"The batch file saves content from this second Webhook.site URL as IMG387470302099.jpg in the user's downloads directory. It then moves the downloaded file into the %programdata% directory and changes the file extension from .jpg to .cmd," reads the analysis published by Palo Alto Networks. "Finally, the batch file executes IMG387470302099.cmd, then deletes itself as a way to remove any obvious trace of malicious activity."

The experts believe that the Fighting Ursa group will continue to use legitimate web services in its attack infrastructure.

"The infrastructure the group uses has constantly changed and evolved, as noted in a recent report from Recorded Future. Other industry reports have also shown various lures this actor uses in attempts to drop HeadLace malware," concludes the report.

Defenders are advised to limit access to these or similar free hosting services where their business need does not justify the risk. Organizations should also scrutinize any use of such services in their environment, since each one is a possible delivery vector for staged payloads like those described here.


Pierluigi Paganini

