Security researchers have revealed a recent phishing campaign by Russian hackers tracked as APT29 (also known as Cozy Bear or Nobelium) targeting diplomats and government agencies. APT29 is a state-sponsored cyberespionage group that has been active since 2014; the scope of its targeting follows Russia’s current geopolitical strategic goals.
According to security experts at Mandiant, APT29 is using several phishing tactics to target diplomats and different government bodies. The messages appear to be from official email accounts belonging to embassies and purport to contain crucial policy changes. The use of Atlassian Trello and other genuine cloud service platforms for command and control (C2) communication is another significant component of this effort.
The spear-phishing campaign began in January 2022 and ran until March 2022 in several waves, each with a different theme and several sender addresses. Because the phishing emails all came from the genuine but compromised email account of a diplomat, recipients would be more inclined to trust the material delivered this way. Mandiant found that the compromised addresses were listed as contact points on embassy websites.
The email employed HTML smuggling to send an IMG or ISO file to the recipient, a technique that APT29 has previously used with considerable success, particularly in the SolarWinds attacks. When a Windows shortcut file (LNK) was clicked in the ISO package, it ran an embedded malicious DLL file. The LNK file appears to be a document with the genuine extension concealed and a phony icon to fool the victim into clicking.
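As an added defensive example (not code from Mandiant’s report or this article), the following Python parses the StringData fields of a Windows shortcut and flags the two traits described above, a document-like double extension and a DLL being launched, against a constructed sample. The lure file name, the DLL name, the extension list and the heuristics are assumptions for illustration.

```python
import struct
# LinkFlags bits of the Windows Shell Link (.LNK) binary format
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_REL_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORK_DIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_REL_PATH, "relative_path"),
                 (HAS_WORK_DIR, "working_dir"), (HAS_ARGS, "arguments"),
                 (HAS_ICON, "icon_location"))
DOC_EXTS = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".rtf", ".txt")  # assumed lure types

def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields (relative path, arguments, icon, ...) of a shell link."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C:
        raise ValueError("not a shell link: bad header size")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 0x4C                                   # end of the fixed-size header
    if flags & HAS_ID_LIST:                      # skip LinkTargetIDList (u16 size + items)
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                    # skip LinkInfo (u32 size includes itself)
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {}
    for bit, key in STRING_FIELDS:               # each: u16 CountCharacters + characters
        if flags & bit:
            count = struct.unpack_from("<H", data, pos)[0]
            width = 2 if flags & IS_UNICODE else 1
            raw = data[pos + 2:pos + 2 + count * width]
            fields[key] = raw.decode("utf-16-le" if width == 2 else "latin-1")
            pos += 2 + count * width
    return fields

def triage(filename: str, data: bytes) -> list:
    """Flag a shortcut that poses as a document and/or launches a DLL."""
    fields = parse_lnk(data)
    findings = []
    name = filename.lower()
    stem = name[:-4] if name.endswith(".lnk") else name
    if stem.endswith(DOC_EXTS):
        findings.append("double extension: shortcut named like a document")
    launched = (fields.get("relative_path", "") + " " + fields.get("arguments", "")).lower()
    if ".dll" in launched:
        findings.append("shortcut launches a DLL: " + launched.strip())
    return findings

def build_sample_lnk() -> bytes:
    """Constructed sample (not a real artefact): shortcut whose relative path names a placeholder DLL."""
    def s(text):                                 # CountCharacters + UTF-16LE characters
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")
    flags = HAS_REL_PATH | HAS_ARGS | HAS_ICON | IS_UNICODE
    header = struct.pack("<I", 0x4C) + bytes.fromhex("0114020000000000c000000000000046")
    header += struct.pack("<IIQQQIiIHHII", flags, 0x20, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    return header + s(".\\Policy_Update.dll") + s("") + s("%SystemRoot%\\system32\\shell32.dll")
```

Running `triage("Embassy_Policy_Update.pdf.lnk", build_sample_lnk())` reports both findings; a shortcut extracted from a mounted image can be checked the same way before anyone clicks it.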
Executing the DLL deploys the BEATDROP downloader. It runs in memory after creating a suspended thread to inject itself into, and connects to Trello for C2 communication. Trello is widely used in business environments, so routing malicious network traffic through its API is unlikely to raise any red flags with security solutions.
In later campaigns APT29 replaced BEATDROP with a new C++ BEACON loader based on Cobalt Strike and with broader capabilities, including keylogging, screenshots, a proxy server mode, account credential exfiltration, enumeration, and port scanning. Both loaders are used to deploy BOOMIC, which Microsoft tracks as VaporRage and which was identified and analyzed in May 2021. BOOMIC was frequently side-loaded minutes after the loader was deployed.
BOOMIC achieves persistence by altering the Windows registry, after which it downloads and executes a variety of obfuscated shellcode payloads in memory. Mandiant found several legitimate but compromised websites acting as BOOMIC’s C2, which sidesteps URL blocklisting. APT29 escalates privileges in less than 12 hours after establishing a foothold in an environment, using multiple techniques to create files containing Kerberos tickets. It then moves laterally by placing further Cobalt Strike beacons and then BOOMIC on neighbouring systems, performing extensive network reconnaissance to find usable pivot points and harvesting more valuable credentials.
“Analysis of SharedReality.dll identified it to be a memory-only dropper written in Go language that decrypts and executes an embedded BEACON payload. The BEACON payload was identified to be SMB BEACON that communicates over the SharedReality.dll Named Pipe,” Mandiant says. Despite ongoing close monitoring of APT29 by professional threat intelligence teams, the group remains a top-tier espionage threat to high-value targets.