APT28 Employs a Phishing Lure for Car Sales to Target Diplomats with HeadLace Malware


A new campaign that used a car for sale as a phishing lure to deliver a modular Windows backdoor known as HeadLace has been attributed to a Russia-affiliated threat actor.

“The campaign likely targeted diplomats and began as early as March 2024,” Palo Alto Networks Unit 42 stated in a report published on August 2, 2024. The report attributes the campaign with a medium to high level of confidence to APT28, which is also known as BlueDelta, Fancy Bear, Fighting Ursa, Forest Blizzard, FROZENLAKE, Iron Twilight, ITG05, Pawn Storm, Sednit, Sofacy, and TA422.

It is worth noting that APT29, a distinct Russian nation-state group, has used car-for-sale phishing themes since July 2023. This suggests that APT28 is reusing a lure that has already proved effective for another group's campaigns.

In May 2024, the same threat actor was linked to a series of campaigns that targeted networks across Europe with the HeadLace malware and credential-harvesting web pages.

The attacks are characterized by the use of legitimate, freely available services, webhook[.]site and Mocky, which Unit 42 describes as a hallmark of APT28's operations. In this campaign, webhook[.]site hosts a malicious HTML page that first checks whether the visitor's machine is running Windows and, if so, serves a ZIP archive for download ("IMG-387470302099.zip").

If the system is not running Windows, the page instead redirects the visitor to a decoy image hosted on ImgBB, specifically a photo of an Audi Q7 Quattro SUV.

The archive contains three files: a batch script ("zqtxmo.bat"), a DLL ("WindowsCodecs.dll"), and the legitimate Windows calculator executable renamed to look like an image file ("IMG-387470302099.jpg.exe").

The renamed calculator binary is used to sideload the malicious DLL, which is a component of the HeadLace backdoor. The DLL runs the batch script, and the script in turn executes a Base64-encoded command that retrieves a file from another webhook[.]site URL.
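The archive layout described above (a renamed signed executable with a double extension, a DLL named after a Windows system library sitting next to it, and a batch script) is a recognizable static signature that an attachment-triage tool can flag before anything runs. The following is an added example, not Unit 42's or the campaign's code: a small Python triage routine that inspects a ZIP in memory and reports those indicators. The member names come from the article; the member contents are constructed placeholders (a bare MZ header and a comment-only batch file), and the list of sideload-prone DLL names is an assumption seeded only with the one the article names.

```python
"""Static triage of a ZIP attachment for the DLL-sideloading bundle pattern.

Added example (not Unit 42's or the campaign's code). The sample archive is
built in memory with placeholder contents so this runs offline.
"""
import io
import re
import zipfile

PE_MAGIC = b"MZ"  # every PE file (EXE/DLL) starts with these two bytes
# DLL names a legitimate binary will happily load from its own directory.
# Only WindowsCodecs.dll comes from the article; extend this set as needed.
SIDELOAD_DLL_NAMES = {"windowscodecs.dll"}
DOUBLE_EXT = re.compile(r"\.(jpe?g|png|gif|bmp|pdf|docx?|xlsx?)\.(exe|scr|com|pif)$", re.I)
SCRIPT_EXT = re.compile(r"\.(bat|cmd|vbs|js|ps1)$", re.I)
EXEC_EXT = re.compile(r"\.(exe|scr|com|pif|dll)$", re.I)


def triage_zip(data: bytes) -> dict:
    """Return {"findings": [...], "suspicious": bool} for a ZIP given as bytes."""
    findings = []
    has_exe = has_sideload_dll = has_double_ext = False
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename.rsplit("/", 1)[-1]
            lname = name.lower()
            with zf.open(info) as fh:
                is_pe = fh.read(2) == PE_MAGIC
            if DOUBLE_EXT.search(name):
                has_double_ext = True
                findings.append(f"{name}: executable with a double extension posing as an image/document")
            if is_pe and not EXEC_EXT.search(name):
                findings.append(f"{name}: PE header (MZ) under a non-executable extension")
            if is_pe and lname in SIDELOAD_DLL_NAMES:
                has_sideload_dll = True
                findings.append(f"{name}: DLL named after a Windows system library, sideloading candidate")
            elif is_pe and not lname.endswith(".dll"):
                has_exe = True
            if SCRIPT_EXT.search(name):
                findings.append(f"{name}: script file bundled in the archive")
    if has_exe and has_sideload_dll:
        findings.append("EXE shipped next to a system-named DLL: classic DLL-sideloading layout")
    return {"findings": findings, "suspicious": has_double_ext or (has_exe and has_sideload_dll)}


def build_sample_archive() -> bytes:
    """Constructed stand-in for IMG-387470302099.zip: member names from the
    article, contents are placeholders (no real binaries or commands)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("IMG-387470302099.jpg.exe", PE_MAGIC + b"\x90" * 62)
        zf.writestr("WindowsCodecs.dll", PE_MAGIC + b"\x90" * 62)
        zf.writestr("zqtxmo.bat", b"@echo off\r\nREM placeholder, not the real script\r\n")
    return buf.getvalue()


def build_benign_archive() -> bytes:
    """Constructed control case: a single JPEG (JFIF magic bytes), nothing else."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("holiday.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 60)
    return buf.getvalue()


if __name__ == "__main__":
    for label, data in (("sample", build_sample_archive()), ("benign", build_benign_archive())):
        result = triage_zip(data)
        print(f"{label}: suspicious={result['suspicious']}")
        for line in result["findings"]:
            print("  -", line)
```

The check reads only the first two bytes of each member, so it is cheap enough to run on every inbound archive; the verdict is driven by the combination of indicators rather than any single filename, which is what makes it survive trivial renaming of the batch script.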

The downloaded file is saved as "IMG387470302099.jpg" in the user's Downloads folder, renamed to "IMG387470302099.cmd", executed, and then deleted to remove evidence of the activity.
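The execution chain described in the preceding paragraphs (a Windows system binary running from a user's Downloads folder, a system-named DLL loaded from that same folder, and a .cmd file executed and deleted within seconds) leaves a behavioural trail that endpoint telemetry can catch even if the file hashes change. The following is an added example, not Unit 42's detection content: three small Python rules run over constructed events. The events borrow a few Sysmon field names (EventID 1 process create with OriginalFileName, EventID 7 image load, EventID 23 file delete) for realism, but they are made up, as are the user name, paths, process IDs and timestamps; the sets of system-binary and sideload-prone DLL names are assumptions seeded from the article.

```python
"""Behavioural detections for the HeadLace execution chain.

Added example (not Unit 42's code). Events are constructed, not real logs.
"""
from datetime import datetime, timedelta

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
SYSTEM_BINARY_NAMES = {"calc.exe"}      # PE OriginalFileName values worth watching (assumption)
SIDELOAD_DLLS = {"windowscodecs.dll"}    # from the article; extend as needed

DL = "C:\\Users\\alice\\Downloads\\"     # constructed user profile path

# Constructed sample events: the first four are the campaign chain, the last
# two are benign noise (the real calculator loading the real DLL).
EVENTS = [
    {"EventID": 1, "UtcTime": "2024-03-15T10:02:11", "ProcessId": 4120,
     "Image": DL + "IMG-387470302099.jpg.exe", "OriginalFileName": "CALC.EXE",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": f'"{DL}IMG-387470302099.jpg.exe"'},
    {"EventID": 7, "UtcTime": "2024-03-15T10:02:11", "ProcessId": 4120,
     "Image": DL + "IMG-387470302099.jpg.exe",
     "ImageLoaded": DL + "WindowsCodecs.dll", "Signed": "false"},
    {"EventID": 1, "UtcTime": "2024-03-15T10:02:12", "ProcessId": 4188,
     "Image": "C:\\Windows\\System32\\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "ParentImage": DL + "IMG-387470302099.jpg.exe",
     "CommandLine": f"cmd.exe /c {DL}IMG387470302099.cmd"},
    {"EventID": 23, "UtcTime": "2024-03-15T10:02:14", "ProcessId": 4188,
     "Image": "C:\\Windows\\System32\\cmd.exe",
     "TargetFilename": DL + "IMG387470302099.cmd"},
    {"EventID": 1, "UtcTime": "2024-03-15T11:30:00", "ProcessId": 5012,
     "Image": "C:\\Windows\\System32\\calc.exe", "OriginalFileName": "CALC.EXE",
     "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "calc.exe"},
    {"EventID": 7, "UtcTime": "2024-03-15T11:30:00", "ProcessId": 5012,
     "Image": "C:\\Windows\\System32\\calc.exe",
     "ImageLoaded": "C:\\Windows\\System32\\WindowsCodecs.dll", "Signed": "true"},
]


def rule_renamed_system_binary(events):
    """EID 1: the PE's OriginalFileName is a Windows binary, but it runs from
    outside the system directories (renamed/copied LOLBin)."""
    return [("renamed_system_binary", e["Image"]) for e in events
            if e["EventID"] == 1
            and e.get("OriginalFileName", "").lower() in SYSTEM_BINARY_NAMES
            and not e["Image"].lower().startswith(SYSTEM_DIRS)]


def rule_dll_sideload(events):
    """EID 7: a sideload-prone DLL loaded from anywhere but the system directories."""
    alerts = []
    for e in events:
        if e["EventID"] != 7:
            continue
        loaded = e["ImageLoaded"].lower()
        if loaded.rsplit("\\", 1)[-1] in SIDELOAD_DLLS and not loaded.startswith(SYSTEM_DIRS):
            alerts.append(("dll_sideload", e["ImageLoaded"]))
    return alerts


def rule_execute_then_delete(events, window_seconds=60):
    """EID 1 cmd.exe launching a .cmd under a user profile, then EID 23 deleting
    that same file within window_seconds (execute-and-clean-up pattern)."""
    alerts, launched = [], {}   # launched: lowercase path -> launch time
    for e in sorted(events, key=lambda x: x["UtcTime"]):
        t = datetime.fromisoformat(e["UtcTime"])
        if e["EventID"] == 1 and e["Image"].lower().endswith("\\cmd.exe"):
            for tok in e.get("CommandLine", "").split():
                path = tok.strip('"').lower()
                if path.endswith(".cmd") and "\\users\\" in path:
                    launched[path] = t
        elif e["EventID"] == 23:
            target = e["TargetFilename"].lower()
            if target in launched and t - launched[target] <= timedelta(seconds=window_seconds):
                alerts.append(("execute_then_delete", e["TargetFilename"]))
    return alerts


def run_all(events):
    """Run every rule and return the combined list of (rule, artefact) alerts."""
    return rule_renamed_system_binary(events) + rule_dll_sideload(events) + rule_execute_then_delete(events)


if __name__ == "__main__":
    for rule, artefact in run_all(EVENTS):
        print(f"ALERT {rule}: {artefact}")
```

Each rule fires on a different stage of the chain, so an analyst sees three correlated alerts for the campaign host and none for the benign calculator launch; the rules key on where binaries run from and what they load, not on the specific filenames, which the attacker can change freely.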

“While the facility utilized by Fighting Ursa varies depending on the attack campaigns, the group frequently relies on these freely available services,” the Unit 42 spokesperson stated. “Moreover, the tactics from this campaign fit with previously reported Fighting Ursa campaigns, and the HeadLace backdoor is exclusive to this threat actor.”

About The Author:

Yogesh Naager is a content marketer who specializes in the cybersecurity and B2B space. Besides writing for the News4Hackers blogs, he also writes for brands including Craw Security, Bytecode Security, and NASSCOM.
