On Tuesday, security researchers disclosed the details of a multi-stage espionage campaign in Western Asia that targeted high-ranking government officials responsible for national security policy, along with personnel in the defense industry.
According to Trellix, the new company formed by the merger of McAfee Enterprise and FireEye, the attack stands out because it uses Microsoft OneDrive as a command-and-control (C2) server and is split into as many as six stages to stay as inconspicuous as possible. The first signs of the operation are believed to date to June 18, 2021, with two victims identified on September 21 and 29, followed by 17 more between October 6 and 8.
Based on similarities in source code, attack indicators, and geopolitical aims, Trellix attributed the attacks with moderate confidence to the Russia-based APT28 group (also tracked as Sofacy, Fancy Bear, and Strontium). “We are supremely confident that we are dealing with a very skilled actor based on how infrastructure, malware coding and operation were set up,” said Trellix security researcher Marc Elias.
The infection chain starts with a Microsoft Excel file carrying an exploit for the MSHTML remote code execution vulnerability (CVE-2021-40444), which is used to launch a malicious executable that acts as a downloader for Graphite, the third-stage malware. Graphite, a DLL, uses OneDrive as its C2 server, retrieving further stager payloads through the Microsoft Graph API before downloading and executing Empire, an open-source PowerShell-based post-exploitation framework widely used by threat actors for follow-on activity.
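The two behaviours in that chain that a defender can hunt for are an Office application spawning a child process (the document exploit launching its payload) and a process descended from that Office application reaching the Microsoft Graph API (the OneDrive C2 channel). The following is an added detection example, not code from the Trellix report or from any of the tools named above; it runs over constructed, Sysmon-style process-creation and network-connection events built inline. The child process names in the sample (control.exe, rundll32.exe), the GRAPH_EXPECTED allowlist and the event field names are assumptions made for illustration and would need tuning against real telemetry.

```python
"""Added detection example for the Office -> downloader -> Graph API chain.
Not from the Trellix report; the events below are constructed for the example."""

from typing import Dict, List, Tuple

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
# Assumption: the only processes expected to reach the Graph API on this host.
GRAPH_EXPECTED = {"onedrive.exe", "outlook.exe", "teams.exe", "msedge.exe"}
GRAPH_HOST = "graph.microsoft.com"

# Constructed telemetry (not real captured data). A benign OneDrive client
# reaching the Graph API is included so the rule does not fire on it.
SAMPLE_EVENTS: List[Dict] = [
    {"type": "process", "pid": 100, "ppid": 1,   "image": "explorer.exe"},
    {"type": "process", "pid": 200, "ppid": 100, "image": "EXCEL.EXE"},
    {"type": "process", "pid": 300, "ppid": 200, "image": "control.exe"},   # hypothetical child spawned by Excel
    {"type": "process", "pid": 400, "ppid": 300, "image": "rundll32.exe"},  # hypothetical loader stage
    {"type": "network", "pid": 400, "dst_host": "graph.microsoft.com", "dst_port": 443},
    {"type": "process", "pid": 500, "ppid": 100, "image": "OneDrive.exe"},
    {"type": "network", "pid": 500, "dst_host": "graph.microsoft.com", "dst_port": 443},
]


def build_process_table(events: List[Dict]) -> Dict[int, Tuple[int, str]]:
    """Map pid -> (ppid, lower-cased image name) from process-creation events."""
    return {ev["pid"]: (ev["ppid"], ev["image"].lower())
            for ev in events if ev["type"] == "process"}


def ancestry(pid: int, table: Dict[int, Tuple[int, str]], limit: int = 32) -> List[str]:
    """Image names from pid upward through its parents (pid's own image first).
    The seen-set and limit guard against pid reuse producing a cycle."""
    chain: List[str] = []
    seen = set()
    while pid in table and pid not in seen and len(chain) < limit:
        seen.add(pid)
        ppid, image = table[pid]
        chain.append(image)
        pid = ppid
    return chain


def detect(events: List[Dict]) -> List[Dict]:
    table = build_process_table(events)
    alerts: List[Dict] = []

    # Rule 1: an Office application spawning a child process. Office apps rarely
    # need to; a document exploit launching its downloader does.
    for pid, (ppid, image) in table.items():
        parent = table.get(ppid)
        if parent and parent[1] in OFFICE_APPS:
            alerts.append({"rule": "office_spawned_child", "severity": "medium",
                           "pid": pid, "image": image, "parent": parent[1]})

    # Rule 2: Graph API traffic from a process not expected to use it. Raise the
    # severity when the process descends from an Office application, which is
    # the OneDrive-as-C2 pattern described in the article.
    for ev in events:
        if ev["type"] != "network" or ev["dst_host"].lower() != GRAPH_HOST:
            continue
        chain = ancestry(ev["pid"], table)
        image = chain[0] if chain else "unknown"
        if image in GRAPH_EXPECTED:
            continue
        office_ancestor = next((img for img in chain if img in OFFICE_APPS), None)
        alerts.append({"rule": "graph_api_from_unexpected_process",
                       "severity": "high" if office_ancestor else "medium",
                       "pid": ev["pid"], "image": image,
                       "office_ancestor": office_ancestor})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Run against the sample, the script raises two alerts: one for control.exe being spawned by Excel, and a high-severity one for rundll32.exe reaching graph.microsoft.com with Excel in its ancestry; the OneDrive client's own Graph API traffic is left alone. In production the second rule needs a proxy or EDR source that ties network flows to process IDs, and the allowlist should be derived from observed baseline traffic rather than guessed.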
If anything, the campaign shows that the MSHTML rendering engine flaw is still being actively exploited, with Microsoft and SafeBreach Labs having documented multiple campaigns that used the bug to install malware and deliver custom Cobalt Strike Beacon loaders.