Russia-linked cyberespionage group APT29 has been observed abusing two legitimate information exchange systems used by European countries, BlackBerry reports.
APT29 is a Russian advanced persistent threat (APT) actor mainly focused on cyberespionage. The group, believed to be sponsored by the Russian Foreign Intelligence Service (SVR), is also tracked as Cozy Bear, the Dukes, Nobelium, and Yttrium.
As part of a recently observed campaign aimed at EU governments, the group was seen sending phishing emails with a malicious document attached, using the Polish Foreign Minister’s recent visit to the US as a lure.
Another lure, BlackBerry says, abuses multiple legitimate systems, including LegisWrite and eTrustEx, two official services used for information and data sharing among the governments of European countries.
“LegisWrite is an editing program that allows secure document creation, revision, and exchange between governments within the European Union. The fact that LegisWrite is used in the malicious lure indicates that the threat actor behind this lure is specifically targeting state organizations within the European Union,” BlackBerry notes.
The malicious document includes a link leading to an HTML file hosted on a compromised online library website based in El Salvador. The file is APT29’s malicious dropper, tracked as RootSaw and EnvyScout, which relies on HTML smuggling to deploy an IMG or ISO file on the victim’s system.
In this campaign, an ISO file was dropped from the compromised domain. The image contains two files: a shortcut (.lnk) file that runs specified command line arguments, and a DLL library.
When run, the DLL achieves persistence via a newly created registry key and proceeds to collect information about the target system and send it to its command-and-control (C&C) server.
APT29 abuses the API of a commonly used note-taking application called Notion for C&C, which allows it to disguise its traffic as benign. In previous campaigns, the cyberespionage group was abusing the Trello API for C&C.
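The chain described above (a DLL launched from a mounted image, persistence via a newly created registry key, and C&C traffic blended into Notion API calls) is easier to spot when the pieces are correlated per process rather than alerted on individually. The following is an added example, not code from the BlackBerry report; the Sysmon-style events are constructed, the Run-key location and the non-C: drive letter for the mounted ISO are assumptions, and api.notion.com is assumed to be the Notion API host.

```python
"""Correlate constructed Sysmon-style endpoint events for the chain described above:
mounted ISO -> LNK -> DLL launched via rundll32, Run-key persistence, C&C via the Notion API."""
from collections import defaultdict
import re

NOTION_API_HOST = "api.notion.com"          # assumption: Notion's public API host
DLL_LOADERS = ("rundll32.exe", "regsvr32.exe")
RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\", re.IGNORECASE)
# A DLL loaded from a non-system drive letter; a mounted ISO gets its own letter (assumption).
NON_C_DRIVE_DLL = re.compile(r"\b[D-Z]:\\[^\s,]+\.dll", re.IGNORECASE)

# Constructed sample telemetry; the values are illustrative, not from the report.
EVENTS = [
    {"host": "ws01", "pid": 4120, "type": "process",
     "image": "C:\\Windows\\System32\\rundll32.exe",
     "cmdline": "rundll32.exe E:\\docs\\update.dll,Start"},
    {"host": "ws01", "pid": 4120, "type": "registry",
     "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater",
     "value": "rundll32.exe E:\\docs\\update.dll,Start"},
    {"host": "ws01", "pid": 4120, "type": "network",
     "dest_host": "api.notion.com", "dest_port": 443},
    {"host": "ws02", "pid": 880, "type": "network",          # ordinary Notion client use
     "dest_host": "api.notion.com", "dest_port": 443},
]

def indicators_for(event):
    """Map one event to the set of chain indicators it satisfies (possibly empty)."""
    hits = set()
    if event["type"] == "process":
        image = event["image"].rsplit("\\", 1)[-1].lower()
        if image in DLL_LOADERS and NON_C_DRIVE_DLL.search(event["cmdline"]):
            hits.add("dll_from_mounted_image")
    elif event["type"] == "registry":
        if RUN_KEY.search(event["key"]) and NON_C_DRIVE_DLL.search(event.get("value", "")):
            hits.add("run_key_persistence")
    elif event["type"] == "network":
        if event["dest_host"].lower() == NOTION_API_HOST:
            hits.add("notion_api_egress")
    return hits

def correlate(events, min_indicators=2):
    """Group indicators per (host, pid); report processes matching at least min_indicators.
    Notion traffic on its own is not reported, since the service has legitimate users."""
    per_proc = defaultdict(set)
    for ev in events:
        per_proc[(ev["host"], ev["pid"])] |= indicators_for(ev)
    return {k: sorted(v) for k, v in per_proc.items() if len(v) >= min_indicators}

if __name__ == "__main__":
    for (host, pid), inds in correlate(EVENTS).items():
        print(f"{host} pid {pid}: {', '.join(inds)}")
```

Requiring two indicators on the same process keeps a workstation that merely uses Notion out of the alert while the full chain on ws01 is reported.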
According to BlackBerry, the APT removed all metadata from the link file to avoid leaking any information about the systems used in its operations.
“Based on the current geopolitical situation involving Russia’s invasion of Ukraine, the visit of Poland’s Ambassador to the United States and his talk about the war, and the abuse of the online system used to exchange documents inside the European Union, we believe the target of Nobelium’s campaign is Western countries, especially those in Western Europe, which provide help to Ukraine,” BlackBerry notes.