An ongoing campaign targeting the foreign affairs ministries of NATO-aligned countries points to the involvement of Russian threat actors.
The phishing attacks involved PDF documents with diplomatic lures, some of which were disguised as coming from Germany, in order to distribute a variant of the malware called Duke, attributed to APT29 (aka BlueBravo, Cloaked Ursa, Cozy Bear, Iron Hemlock, Midnight Blizzard and Dukes).
Dutch cybersecurity company EclecticIQ said in an analysis last week, “The threat actor used Zulip — an open-source chat application — for command-and-control to escape and hide its activities behind legitimate web traffic.”
The infection sequence is as follows: The PDF attachment, named “Farewell to the Ambassador of Germany”, comes with JavaScript code that initiates a multi-step process to release the malware.
The use of invitation subjects by APT29 has been previously reported by Lab52, which documented an attack that impersonated the Norwegian embassy to deliver a DLL payload that was able to contact a remote server to fetch additional payloads.
The use of the domain “bahamas.gov[.]bs” in both intrusion sets further strengthens this link.
Should a potential target succumb to the phishing trap by opening the PDF file, a malicious HTML dropper called Invitation_Farewell_DE_EMB is launched to execute JavaScript that drops a ZIP archive file, which, in turn, packs into an HTML Application (HTA) file designed to deploy To install the Duke malware.
Command-and-control is facilitated by making use of Zulip’s API to send victim details to an actor-controlled chat room (toyy.zulipchat[.]com) as well as to remotely commandeer the compromised hosts.
EclecticIQ said it has identified a second PDF file, possibly used by APT29 for reconnaissance or testing purposes.
“It contained no payload, but the actor was notified if a victim opened the email attachment by receiving a notification via the compromised domain edenparkweddings[.]com,” the researchers said.
It is worth noting that Zulip’s abuse is on par with the state-sponsored group, which has a track record of taking advantage of a wide range of legitimate Internet services such as Google Drive, Microsoft OneDrive, Dropbox, Notion, Firebase and trello for C2.
APT29’s primary targets are governments and government subcontractors, political organizations, research firms, and critical industries in the US and Europe. But in an interesting twist, an unknown rival has been seen adapting its strategy to crack down on Chinese-speaking users with Cobalt Strike.
The developments come as Ukraine’s Computer Emergency Response Team (CERT-UA) warned of a new set of phishing attacks against Ukraine’s state organizations using a Go-based open-source post-exploit toolkit called Merlin. . The activity is being tracked under the alias UAC-0154.
The war-torn country has also faced sustained cyber attacks from Sandworm, an elite hacking unit affiliated with Russian military intelligence whose main objective is to disrupt vital operations and gather intelligence to gain strategic advantage.
According to a recent report by the Security Service of Ukraine (SBU), the intimidator is said to have tried unsuccessfully to gain unauthorized access to Android tablets possessed by Ukrainian military personnel for planning and performing combat operations .
“The capture of devices on the battlefield, their detailed examination, and the use of available access and software became the primary vector for early access and malware distribution,” the security agency said.
Some of the malware strains include NETD to ensure persistence, DROPBEAR to establish remote access, STL to collect data from Starlink satellite system, DEBLIND to exfiltrate data, Mirai botnet malware. The attacks also used the TOR hidden service to access devices on the local network via the Internet.
