Russia-linked cyberespionage group APT29 has been observed staging new malware for attacks likely targeting embassy-related individuals, Recorded Future reports.
Also referred to as Cozy Bear, the Dukes, Nobelium, and Yttrium, APT29 is a Russian advanced persistent threat (APT) group believed to be sponsored by the Russian Foreign Intelligence Service (SVR). It’s also believed to have orchestrated multiple high-profile attacks, including the 2020 SolarWinds attack.
In October 2022, Recorded Future identified new infrastructure and malware that the cyberespionage group likely set up for attacks targeting embassy staff or an ambassador.
A compromised site containing the text “Ambassador’s schedule November 2022” was used as a lure to infect visitors with new malware called GraphicalNeutrino.
The threat, which uses the US-based collaboration service Notion for command and control (C&C), is a loader that packs numerous anti-analysis capabilities, including sandbox evasion, API unhooking, and string encryption. Routing C&C traffic through a legitimate SaaS API means the malware's beacons blend in with ordinary HTTPS traffic to a well-known domain.
According to Recorded Future, which tracks the activity as BlueBravo, the staging and deployment of the malware are similar to previously observed tactics, techniques, and procedures (TTPs) attributed to APT29.
The lure webpage embedded an obfuscated ZIP file within its HTML code and used client-side script to drop it automatically onto the visitor's system (a technique commonly called HTML smuggling), overlapping with previously observed deployments of the EnvyScout dropper.
The ZIP file contains two DLLs and a benign, legitimate executable masquerading as a PDF. When the user runs the executable, it loads the two DLLs from its own directory through DLL search order hijacking. One of the DLLs contains the GraphicalNeutrino malware, implemented in a thread spawned when the library is initialized.
When launched, GraphicalNeutrino attempts to remove API hooks from specific modules, checks whether persistence is required (which it achieves by creating a new registry key), and then establishes communication with the C&C.
The malware creates a unique identifier for the victim, based on username and computer name, adds the ItIEQ prefix to it, and then uses a Notion API database query filter to determine whether the victim has previously connected to the C&C.
Recorded Future also identified a second, nearly identical GraphicalNeutrino sample, compiled only two days after the first. It differed only in small details: a different Notion database ID, a new identifier prefix, a new key for string decryption, a renamed DLL export function, and a modified wait time between C&C communications.
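Because the Notion database ID, victim-ID prefix and beacon interval all changed between the two samples, detection keyed on any of those values is brittle. What stays constant is the behaviour: a process that is not a browser or the Notion client issuing requests to the Notion API (database query, then page creation) from an endpoint. The following is an added example, not code from the report; it runs a process-attributed proxy log through that logic. The log format and every line in it are constructed for illustration, the process allowlist is an assumption to tune per environment, and the `/v1/databases/{id}/query` and `/v1/pages` paths are public Notion API endpoints rather than anything specific to this malware.

```python
"""Flag Notion API use by unexpected processes in a proxy log.

Added example; the log lines and field layout are constructed for
illustration and are not taken from the report.
"""
import re
from collections import Counter

# Public Notion API endpoint shapes (database IDs are UUIDs, with or without dashes).
NOTION_ENDPOINTS = (
    ("databases.query", re.compile(r"^https://api\.notion\.com/v1/databases/[0-9a-f-]{32,36}/query$")),
    ("pages", re.compile(r"^https://api\.notion\.com/v1/pages(/|$)")),
    ("blocks", re.compile(r"^https://api\.notion\.com/v1/blocks(/|$)")),
    ("other", re.compile(r"^https://api\.notion\.com/")),
)
# Assumption: processes legitimately expected to talk to the Notion API.
EXPECTED_CLIENTS = {"chrome.exe", "msedge.exe", "firefox.exe", "notion.exe"}

# Constructed sample: timestamp,host,process,method,url
SAMPLE_LOG = """\
2022-10-18T09:12:01Z,WS-1042,schedule.exe,POST,https://api.notion.com/v1/databases/0123456789abcdef0123456789abcdef/query
2022-10-18T09:12:03Z,WS-1042,schedule.exe,POST,https://api.notion.com/v1/pages
2022-10-18T09:13:00Z,WS-0007,notion.exe,POST,https://api.notion.com/v1/databases/0123456789abcdef0123456789abcdef/query
2022-10-18T09:14:22Z,WS-1042,chrome.exe,GET,https://www.notion.so/
2022-10-18T09:17:01Z,WS-1042,schedule.exe,POST,https://api.notion.com/v1/databases/0123456789abcdef0123456789abcdef/query
"""


def classify(url: str):
    """Return the Notion endpoint class for a URL, or None if it is not the Notion API."""
    for name, pattern in NOTION_ENDPOINTS:
        if pattern.match(url):
            return name
    return None


def parse_line(line: str):
    parts = line.strip().split(",", 4)
    if len(parts) != 5:
        return None
    ts, host, process, method, url = parts
    return {"ts": ts, "host": host, "process": process.lower(), "method": method, "url": url}


def detect(lines) -> list:
    """Aggregate Notion API calls per (host, process) for processes outside the allowlist."""
    seen = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        endpoint = classify(rec["url"])
        if endpoint is None or rec["process"] in EXPECTED_CLIENTS:
            continue
        key = (rec["host"], rec["process"])
        entry = seen.setdefault(key, {"host": rec["host"], "process": rec["process"],
                                      "endpoints": Counter(), "first_seen": rec["ts"],
                                      "last_seen": rec["ts"]})
        entry["endpoints"][endpoint] += 1
        entry["last_seen"] = max(entry["last_seen"], rec["ts"])
    return sorted(seen.values(), key=lambda e: (e["host"], e["process"]))


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

A database query followed by page creation from the same non-browser process matches the check-in flow described in the article (look up the victim ID, then register it); the repeat query after a fixed interval is the beacon. Tune `EXPECTED_CLIENTS` to the integrations actually deployed in your environment.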
“While we are unable to assess the intended targets of this operation based on the data available, it is likely that ambassadorial or embassy-themed lures are particularly effective during periods of heightened geopolitical tensions, such as is the case with the ongoing war in Ukraine. During such periods, Russian APT groups are highly likely to make extensive use of diplomatically themed lures,” Recorded Future notes.
Related: Analysis of Russian Cyberspy Attacks Leads to Discovery of Windows Vulnerability
Related: Russian Cyberspies Targeting Ukraine Pose as Telecoms Providers
Related: Microsoft Details New Post-Compromise Malware Used by Russian Cyberspies