Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cyberwarfare

Russia-Linked APT29 Uses New Malware in Embassy Attacks

Russia-linked cyberespionage group APT29 has been observed using embassy-themed lures and the GraphicalNeutrino malware in recent attacks.

Russia-linked cyberespionage group APT29 has been observed staging new malware for attacks likely targeting embassy-related individuals, Recorded Future reports.

Also referred to as Cozy Bear, the Dukes, Nobelium, and Yttrium, APT29 is a Russian advanced persistent threat (APT) group believed to be sponsored by the Russian Foreign Intelligence Service (SVR). It’s also believed to have orchestrated multiple high-profile attacks, including the 2020 SolarWinds attack.

In October 2022, Recorded Future identified new infrastructure and malware that the cyberespionage group likely set up for attacks targeting embassy staff or an ambassador.

A compromised site containing the text “Ambassador’s schedule November 2022” was used as a lure to infect visitors with new malware called GraphicalNeutrino.

The threat, which uses the US-based business automation service Notion for command and control (C&C), is a loader that packs numerous anti-analysis capabilities, including sandbox evasion, API unhooking, and string encryption.

According to Recorded Future, which tracks the activity as BlueBravo (PDF), the staging and deployment of the malware is similar to previously observed tactics, techniques, and procedures (TTPs) attributed to APT29.

The lure webpage contained within HTML code an obfuscated ZIP file set to be automatically downloaded on the visitors’ system, showing overlaps with previous observed deployment of the EnvyScout dropper.

The ZIP file contains two DLLs and a benign executable masquerading as a PDF, which was designed to load the libraries using DLL search order hijacking. One of the DLLs contains the GraphicalNeutrino malware, implemented in a thread spawned when the library is initialized.

Advertisement. Scroll to continue reading.

When launched, GraphicalNeutrino attempts to remove API hooks from specific modules, checks whether persistence is required (which it achieves by creating a new registry key), and then establishes communication with the C&C.

The malware creates a unique identifier for the victim, based on username and computer name, adds the ItIEQ prefix to it, and then uses a Notion API database query filter to determine whether the victim has previously connected to the C&C.

A second, nearly identical GraphicalNeutrino sample that Recorded Future identified and which was compiled only two days after the first, contained only small changes, such as a different Notion database ID, a new identifier prefix, a new key for string decryption, a renamed DLL export function, and modified wait time for C&C communication.

“While we are unable to assess the intended targets of this operation based on the data available, it is likely that ambassadorial or embassy-themed lures are particularly effective during periods of heightened geopolitical tensions, such as is the case with the ongoing war in Ukraine. During such periods, Russian APT groups are highly likely to make extensive use of diplomatically themed lures,” Recorded Future notes.

Related: Analysis of Russian Cyberspy Attacks Leads to Discovery of Windows Vulnerability

Related: Russian Cyberspies Targeting Ukraine Pose as Telecoms Providers

Related: Microsoft Details New Post-Compromise Malware Used by Russian Cyberspies

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Understand how to go beyond effectively communicating new security strategies and recommendations.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

Cybercrime

The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Cyberwarfare

WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...

Cyberwarfare

Russian espionage group Nomadic Octopus infiltrated a Tajikistani telecoms provider to spy on 18 entities, including government officials and public service infrastructures.

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Malware & Threats

The NSA and FBI warn that a Chinese state-sponsored APT called BlackTech is hacking into network edge devices and using firmware implants to silently...

Cyberwarfare

Several hacker groups have joined in on the Israel-Hamas war that started over the weekend after the militant group launched a major attack.

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...