A Russia-linked menace actor has been linked to a brand new marketing campaign that employed a automobile on the market as a phishing lure to ship a modular Home windows backdoor known as HeadLace.
“The marketing campaign seemingly focused diplomats and commenced as early as March 2024,” Palo Alto Networks Unit 42 mentioned in a report revealed at this time, attributing it with medium to excessive degree of confidence to APT28, which can be known as BlueDelta, Fancy Bear, Combating Ursa, Forest Blizzard, FROZENLAKE, Iron Twilight, ITG05, Pawn Storm, Sednit, Sofacy, and TA422.
It is value noting that car-for-sale phishing lure themes have been beforehand put to make use of by a distinct Russian nation-state group known as APT29 since July 2023, indicating that APT28 is repurposing profitable ways for its personal campaigns.
Earlier this Could, the menace actor was implicated in a collection of campaigns concentrating on networks throughout Europe with the HeadLace malware and credential-harvesting net pages.
The assaults are characterised by means of a reputable service generally known as webhook[.]website – a hallmark of APT28’s cyber operations together with Mocky – to host a malicious HTML web page, which first checks whether or not the goal machine is operating on Home windows and if that’s the case, provides a ZIP archive for obtain (“IMG-387470302099.zip”).
If the system will not be Home windows-based, it redirects to a decoy picture hosted on ImgBB, particularly an Audi Q7 Quattro SUV.
Current throughout the archive are three information: The reputable Home windows calculator executable that masquerades as a picture file (“IMG-387470302099.jpg.exe”), a DLL (“WindowsCodecs.dll”), and a batch script (“zqtxmo.bat”).
The calculator binary is used to sideload the malicious DLL, a part of the HeadLace backdoor that is designed to run the batch script, which, in flip, executes a Base64-encoded command to retrieve a file from one other webhook[.]website URL.
This file is then saved as “IMG387470302099.jpg” within the customers’ downloads folder and renamed to “IMG387470302099.cmd” previous to execution, after which it is deleted to erase traces of any malicious exercise.
“Whereas the infrastructure utilized by Combating Ursa varies for various assault campaigns, the group ceaselessly depends on these freely out there companies,” Unit 42 mentioned. “Moreover, the ways from this marketing campaign match with beforehand documented Combating Ursa campaigns, and the HeadLace backdoor is unique to this menace actor.”