SecurityWeek

Cyberwarfare

Russian Cyberspies Target Diplomats With New Malware

Russian cyberespionage group APT29 has been observed using new malware and techniques in phishing campaigns targeting diplomatic organizations in Europe, the Americas, and Asia, Mandiant reports.


Also known as Cozy Bear, the Dukes, and Yttrium, APT29 is believed to be sponsored by the Russian Foreign Intelligence Service (SVR) and to have orchestrated the 2020 SolarWinds attack that led to hundreds of organizations getting breached.

Reports on APT29’s targeting of diplomatic entities – including the 2016 attacks against the Democratic National Committee (DNC) and a November 2018 attempt to infiltrate the DNC – stretch back over half a decade, with some reports tracing the group’s activity as far back as 2013.

Mandiant’s security researchers, who have been tracking extensive APT29 phishing campaigns since early 2021, observed new malware families in attacks carried out in 2022, along with changes in the group’s tooling aimed at evading detection.

According to the researchers, who last week officially attributed the SolarWinds attacks to APT29, “the diplomatic-centric targeting of this recent activity is consistent with Russian strategic priorities as well as historic APT29 targeting.”

Mandiant has been tracking APT29’s new phishing campaigns against diplomatic and government entities since mid-January, and says that the observed emails – which masquerade as administrative notices – show close similarities with Nobelium phishing attacks analyzed in 2021.

The emails targeted a large number of recipients, likely “primarily publicly listed points of contact of embassy personnel.” The malicious messages carried the ROOTSAW HTML dropper, which would write an IMG or ISO file to disk.

The attacks employed new downloaders, which Mandiant tracks as BEATDROP and BOOMMIC, and misused legitimate services such as Atlassian’s Trello, Firebase, and Dropbox for command and control (C&C) functionality.


Written in C, BEATDROP uses Trello for C&C, and was typically used to deploy a malicious payload onto the compromised systems. In February 2022, the attackers switched from using BEATDROP for the delivery of Cobalt Strike Beacon via a third-party service to employing a novel C++ Beacon dropper.

Typically, within minutes after a successful BEATDROP deployment, BOOMMIC (also known as VaporRage) was used to establish a foothold within the network, achieve persistence, and fetch shellcode payloads and load them into memory.

After establishing access, the attackers were also observed attempting to escalate privileges, often gaining Domain Admin access less than 12 hours after initial compromise. APT29 would employ multiple techniques to escalate privileges, including exploiting misconfigured certificate templates to impersonate administrator users.

Next, the group would perform extensive reconnaissance – including searching hosts for credentials, such as passwords stored in SYSVOL – and move laterally within the environment, using Cobalt Strike Beacon and impersonating privileged users (via malicious certificates).
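The credential search described above (passwords left in SYSVOL) is one a defender can run first. The following is an added example, not code from the Mandiant report or from SecurityWeek: a Python script that walks a SYSVOL-like tree and flags Group Policy Preference XML files carrying a cpassword attribute, plus logon or startup scripts with a plaintext password or an inline “net use” credential. The article does not say which form of stored password APT29 looked for, so the file names, patterns and the constructed sample tree are assumptions.

```python
import os
import re
import shutil
import tempfile
import xml.etree.ElementTree as ET

# Hypothetical helper, not from the Mandiant report: audit a SYSVOL-like directory tree for
# stored credentials before an intruder goes looking for them. Assumption: the two most common
# forms are Group Policy Preference XML carrying a "cpassword" attribute and logon/startup
# scripts that embed a password or an inline "net use" credential.
GPP_FILES = {"groups.xml", "services.xml", "scheduledtasks.xml",
             "datasources.xml", "drives.xml", "printers.xml"}
SCRIPT_EXTENSIONS = {".bat", ".cmd", ".ps1", ".vbs"}
SCRIPT_PATTERNS = [
    ("password_assignment", re.compile(r"(?i)\b(password|passwd|pwd)\b\s*[:=]\s*\S+")),
    # "net use <drive> <share> <password> /user:..." places the password on the command line
    ("net_use_inline_credential", re.compile(r"(?i)\bnet\s+use\s+\S+\s+\S+\s+\S+\s+/user:")),
]


def scan_sysvol(root):
    """Walk a SYSVOL tree and return a list of findings (dicts with file, kind, detail)."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            ext = os.path.splitext(name)[1].lower()
            if name.lower() in GPP_FILES:
                findings.extend(_scan_gpp_xml(path))
            elif ext in SCRIPT_EXTENSIONS:
                findings.extend(_scan_script(path))
    return findings


def _scan_gpp_xml(path):
    """Flag any element carrying a non-empty cpassword attribute."""
    try:
        tree = ET.parse(path)
    except ET.ParseError:
        return []
    out = []
    for elem in tree.iter():
        if elem.attrib.get("cpassword"):
            who = elem.attrib.get("userName") or elem.attrib.get("accountName") or elem.tag
            out.append({"file": path, "kind": "gpp_cpassword", "detail": who})
    return out


def _scan_script(path):
    """Flag script lines that look like they carry a credential."""
    out = []
    with open(path, encoding="utf-8", errors="replace") as fh:
        for lineno, line in enumerate(fh, 1):
            for kind, pattern in SCRIPT_PATTERNS:
                if pattern.search(line):
                    out.append({"file": path, "kind": kind, "detail": f"line {lineno}"})
    return out


# Constructed sample tree (placeholder GUID and blob; no real credentials).
SAMPLE_FILES = {
    "Policies/{PLACEHOLDER-GUID}/Machine/Preferences/Groups/Groups.xml": (
        '<?xml version="1.0" encoding="utf-8"?>\n'
        '<Groups><User name="LocalAdmin">'
        '<Properties action="U" userName="LocalAdmin" cpassword="PLACEHOLDER-ENCRYPTED-BLOB"/>'
        '</User></Groups>\n'
    ),
    "Policies/{PLACEHOLDER-GUID}/User/Preferences/Drives/Drives.xml": (
        '<?xml version="1.0" encoding="utf-8"?>\n'
        '<Drives><Drive name="H:"><Properties action="U" path="\\\\fs01\\home"/></Drive></Drives>\n'
    ),
    "scripts/Logon/map.bat": (
        "@echo off\n"
        "net use Z: \\\\fs01\\share Winter2022! /user:CORP\\svc_backup\n"
    ),
    "scripts/Startup/clean.ps1": "Remove-Item -Path $env:TEMP\\*.tmp -ErrorAction SilentlyContinue\n",
}


def build_sample_sysvol():
    """Write the constructed sample into a temporary directory and return its path."""
    root = tempfile.mkdtemp(prefix="sysvol-sample-")
    for rel, content in SAMPLE_FILES.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


def demo():
    """Scan the constructed sample and clean it up; returns the findings."""
    root = build_sample_sysvol()
    try:
        return scan_sysvol(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for f in demo():
        print(f"{f['kind']:28} {f['detail']:10} {f['file']}")
```

Run it against the real share by calling scan_sysvol on the mounted SYSVOL path instead of the constructed sample. Every finding is something to remove and a credential to rotate: Microsoft stopped Group Policy Preferences from saving cpassword values in MS14-025 because the stored value is recoverable, and a password on a script command line is readable by every domain member.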

“Mandiant has observed the group widely using scheduled tasks, run keys, malicious certificates, and in-memory backdoors, in some cases multiple per system. The use of these techniques and tools represents the multiple means by which APT29 attempts to maintain access within an environment,” the researchers note.
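Two of the four persistence mechanisms in that quote, run keys and scheduled tasks, leave artifacts an administrator can export and review in bulk. The following is an added example, not code from the Mandiant report or from SecurityWeek: a Python script that parses a .reg export of a Run key and Task Scheduler task XML, then flags entries whose payload sits under a user-writable directory, runs through a proxy binary such as rundll32 or regsvr32, or passes a long base64 argument to PowerShell. The heuristics, the value names and both sample entries are assumptions and constructed data, not indicators from the report.

```python
import re
import xml.etree.ElementTree as ET

# Hypothetical helper, not from the Mandiant report: review Run-key and scheduled-task
# persistence entries and flag the ones that deserve an analyst's attention. The heuristics are
# assumptions about what usually separates legitimate autostart entries from planted ones:
# a payload living under a user-writable directory, execution through a proxy binary such as
# rundll32/regsvr32/mshta, or a long base64 argument to PowerShell.
TASK_NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"
USER_WRITABLE = re.compile(r"(?i)\\(AppData|Temp|ProgramData|Users\\Public|Downloads)\\")
ENCODED_ARG = re.compile(r"(?i)\s-e(nc|ncodedcommand|c)?\s+[A-Za-z0-9+/=]{20,}")
PROXY_BINARIES = {"rundll32.exe", "regsvr32.exe", "mshta.exe",
                  "wscript.exe", "cscript.exe", "powershell.exe"}


def _executable(cmdline):
    """Return the program portion of a command line (quoted path or first whitespace token)."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end > 0 else s[1:]
    return s.split()[0] if s else ""


def classify_command(cmdline):
    """Return the reasons a persistence command line deserves review (empty list = nothing odd)."""
    reasons = []
    base = _executable(cmdline).replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if USER_WRITABLE.search(cmdline):
        reasons.append("payload under user-writable path")
    if base in PROXY_BINARIES:
        reasons.append(f"proxy execution via {base}")
    if ENCODED_ARG.search(cmdline):
        reasons.append("encoded command argument")
    return reasons


def parse_run_key_export(text):
    """Parse a .reg export of Run keys into (key, value name, unescaped command) tuples."""
    entries, key = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = re.match(r'^"([^"]+)"="(.*)"$', line)
        if m and key:
            name, raw = m.groups()
            # .reg files escape backslashes and double quotes inside string values
            entries.append((key, name, raw.replace('\\"', '"').replace("\\\\", "\\")))
    return entries


def parse_task_xml(xml_text):
    """Return the Exec command lines defined in a Task Scheduler task XML document."""
    root = ET.fromstring(xml_text)
    cmds = []
    for ex in root.iter(TASK_NS + "Exec"):
        cmd = (ex.findtext(TASK_NS + "Command") or "").strip()
        args = (ex.findtext(TASK_NS + "Arguments") or "").strip()
        cmds.append(f'"{cmd}" {args}'.strip())
    return cmds


def audit(run_key_export, task_xmls):
    """Combine both sources and return one finding per (entry, reason)."""
    findings = []
    for key, name, cmd in parse_run_key_export(run_key_export):
        for reason in classify_command(cmd):
            findings.append({"source": f"{key}\\{name}", "command": cmd, "reason": reason})
    for task_name, xml_text in task_xmls.items():
        for cmd in parse_task_xml(xml_text):
            for reason in classify_command(cmd):
                findings.append({"source": f"task:{task_name}", "command": cmd, "reason": reason})
    return findings


# Constructed samples: one legitimate and one suspicious entry per source.
SAMPLE_RUN_KEY_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"
"Updater"="rundll32.exe C:\\Users\\alice\\AppData\\Roaming\\update.dll,Start"
'''

SAMPLE_TASKS = {
    r"\Microsoft\Windows\Customer Experience Improvement Program\Consolidator": r'''<?xml version="1.0"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author"><Exec><Command>C:\Windows\System32\wsqmcons.exe</Command></Exec></Actions>
</Task>''',
    r"\ServiceHealthCheck": r'''<?xml version="1.0"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author"><Exec><Command>C:\Users\alice\AppData\Local\Temp\svc.exe</Command><Arguments>-k</Arguments></Exec></Actions>
</Task>''',
}


if __name__ == "__main__":
    for f in audit(SAMPLE_RUN_KEY_EXPORT, SAMPLE_TASKS):
        print(f"{f['reason']:34} {f['source']}\n    {f['command']}")
```

On a real host, feed it the output of reg export for the HKCU and HKLM Run keys and the XML that schtasks /query /xml produces; the heuristics are deliberately coarse, so treat a hit as a prompt for a look, not a verdict, and extend PROXY_BINARIES and USER_WRITABLE to match the environment.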

The purpose of these attacks, Mandiant believes, is to establish “multiple means of long-term access” to target environments, and to collect diplomatic and foreign policy information from various government entities worldwide.

Related: Defending Your Business Against Russian Cyberwarfare

Related: New ‘Cyclops Blink’ Malware Linked to Russian State Hackers Targets Firewalls

Related: CISA-FBI Alert: 350 Organizations Targeted in Attack Abusing Email Marketing Service

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
