APT29 targets government agencies in a recent phishing campaign

May 2, 2022

Government agencies are the latest target of an ongoing phishing campaign run by the Cozy Bear advanced persistent threat (APT) group, APT29. The group, also known as Nobelium, has been active since 2014 and mainly runs cyber-espionage campaigns.

The recently identified spear-phishing campaign uses emails that claim to carry important policy updates and are sent from legitimate government embassy email addresses the attackers had stolen. The campaign also abuses the popular project management tool Trello and other cloud service platforms for the threat actors’ C2 communication.

Security researchers first detected the campaign from January through March, in several waves with varying email subjects from different senders. The senders use compromised diplomat email addresses to deceive their targets; researchers found these to be addresses listed as points of contact on government embassy websites.


APT29 used HTML smuggling in the phishing campaign to deliver an IMG or ISO file to the target.


The attached ISO archive holds a Windows shortcut (LNK) file that launches a malicious DLL once the target clicks it. Victims are usually tricked into clicking the LNK because the threat actors disguise it as a document file, hiding its real extension behind a fake icon.

Triggering the DLL drops the BEATDROP downloader, which runs automatically, injects itself, and connects to Trello for the group’s C2 communication. APT29 later shifted from the BEATDROP downloader to a new C++ BEACON loader based on Cobalt Strike with more advanced capabilities, including keylogging, screenshot capture, credential theft, port scanning, enumeration, and a proxy server mode.
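As an added detection example (not code from the original article), the following Python flags the delivery chain described above over constructed, Sysmon-style event records: an LNK disguised as a document on a mounted image, a DLL launched from that image, and Trello traffic from a non-browser process. It assumes the LNK runs its DLL through rundll32.exe and that a mounted ISO/IMG appears on a drive letter other than C:; the event shape, hostname pattern and sample events are assumptions.

```python
import re

DOC_EXTS = {"doc", "docx", "pdf", "xls", "xlsx", "rtf"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe"}
SYSTEM_DRIVE = "c:"  # assumption: a mounted ISO/IMG gets another drive letter
TRELLO_RE = re.compile(r"(^|\.)trello\.com$", re.I)  # assumed C2 host pattern

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def disguised_lnk(path):
    """'Policy_Update.doc.lnk': a shortcut hiding behind a document name."""
    parts = basename(path).rsplit(".", 2)
    return len(parts) == 3 and parts[2] == "lnk" and parts[1] in DOC_EXTS

def off_system_drive(path):
    m = re.match(r"^([a-z]):\\", path.lower())
    return bool(m) and m.group(1) + ":" != SYSTEM_DRIVE

def analyze(events):
    """Return (rule_name, detail) pairs for events matching the chain."""
    hits = []
    for ev in events:
        if ev["type"] == "file" and disguised_lnk(ev["path"]):
            hits.append(("lnk_disguised_as_document", ev["path"]))
        elif ev["type"] == "process":
            # Assumption: the LNK runs its DLL through rundll32.exe, so look
            # for explorer.exe -> rundll32.exe with a DLL on a non-system drive.
            dlls = re.findall(r"[a-z]:\\[^\s,\"]+\.dll", ev["cmdline"], re.I)
            if (basename(ev["image"]) == "rundll32.exe"
                    and basename(ev["parent"]) == "explorer.exe"
                    and any(off_system_drive(d) for d in dlls)):
                hits.append(("dll_loaded_from_mounted_image", ev["cmdline"]))
        elif (ev["type"] == "network" and TRELLO_RE.search(ev["dest_host"])
              and basename(ev["image"]) not in BROWSERS):
            hits.append(("trello_traffic_from_non_browser", basename(ev["image"])))
    return hits

SAMPLE_EVENTS = [  # constructed sample telemetry, not from any real incident
    {"type": "file", "path": "D:\\Policy_Update.doc.lnk"},
    {"type": "process", "image": "C:\\Windows\\System32\\rundll32.exe",
     "parent": "C:\\Windows\\explorer.exe",
     "cmdline": 'rundll32.exe "D:\\Policy_Update.dll",Start'},
    {"type": "network", "image": "C:\\Windows\\System32\\rundll32.exe",
     "dest_host": "api.trello.com"},
    {"type": "network", "image": "C:\\Program Files\\Google\\Chrome\\chrome.exe",
     "dest_host": "trello.com"},  # browser traffic to Trello is not flagged
]

for rule, detail in analyze(SAMPLE_EVENTS):
    print(rule, "->", detail)
```

The browser allow-list is deliberately narrow; in a real deployment the Trello rule needs the organisation's own baseline of legitimate Trello clients to keep false positives manageable.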

The loaders then deploy BOOMIC, a shellcode downloader also known as VaporRage that was first detected in May last year. It establishes persistence through Windows registry modification and downloads numerous obfuscated shellcode payloads to execute in memory.

Once persistence is established, APT29 escalates privileges within 12 hours using procedures such as writing files containing Kerberos tickets. Extensive network reconnaissance follows to identify valid pivot points and collect more sensitive credentials and passwords. In the final stages the group moves laterally by launching additional Cobalt Strike beacons and BOOMIC on the end-to-end servers.

APT29 has established itself as one of the many notorious cyberespionage groups in the threat landscape. Security experts remain determined to track and disrupt its malicious activities, yet the group remains sophisticated.
