Rewterz Threat Alert – New Cyber Espionage Campaign by Russian APT28 Threat Group Targets 13 Countries – Active IOCs

Severity

High

Analysis Summary

The Russian state-backed threat group called APT28 has been discovered using lures related to the ongoing Palestine-Israel war to deliver a custom backdoor dubbed HeadLace. The adversary is tracked under ITG05 (aka Fancy Bear, BlueDelta, Forest Blizzard, and FROZENLAKE) and is targeting 13 nations worldwide by using authentic documents from finance, academic, and diplomatic centers.

The targeted countries include Türkiye, Hungary, Poland, Australia, Belgium, Germany, Ukraine, Azerbaijan, Kazakhstan, Saudi Arabia, Latvia, Italy, and Romania. Decoys are used in this campaign that are made to especially target European entities that have a direct influence on the allocation of humanitarian aid and leverage documents that are related to the European Parliament, the United Nations, the U.S. Congressional Research Service, an Azerbaijanian-Belarus Intergovernmental Commission, and a Ukrainian think tank.

“ITG05’s infrastructure ensures only targets from a single specific country can receive the malware, indicating the highly targeted nature of the campaign,” the researchers said.

Some of the attacks used in this campaign are observed to employ RAR archives that exploit the WinRAR vulnerability tracked as CVE-2023-38831 to distribute HeadLace, which is a backdoor first discovered in attacks aimed at Ukrainian critical infrastructure. A similar campaign dubbed Steal-It was revealed by researchers in late September 2023 that used lures to trick victims into giving sensitive information. The use of official documents as a lure shows a deviation from the activity observed previously, which shows the emphasis ITG05 puts on a specific target audience.

Impact

• Cyber Espionage
• Exposure to Sensitive Information
• Operational Disruption

Indicators of Compromise

MD5

• 4d15972fc2130976621f072d2b1804aa
• 5eab46b8313c057e3cdb731456e3a1ba
• 869bc9804cb5793b131791cc35954092
• 5b407c3bf7101ab2c4cb19915a5c2eee
• 3b43d392c7cd67a5c05c7d011cadae68

SHA-256

• 68bfa69cdbf947eac31e736b2e54244e829e302ea8dafd65edc6e0f879257a53
• 0db8cd7f349afe5a85cd3fd798e2cf4dcb7d2cbbdea3c312f2c7108c4347ada4
• a706778508af9e507d6d4b509276e9b82ce94f8a2ec913cc2deadba5aaa7d538
• ed982645d677c04cb5846251924a12e0e2c9ed16d8fa800a628189faf5009c9f
• 896ca8488c9d8792bd0197646d857e0c2ae0312bbc6d812c12da45016f019264

SHA-1

• ded4a2bcef402c7d6ea98b43f4fec81d8bc27d62
• 17aa787616f9cc10f92b048818fd0ec820f1d041
• d9e4ec32967d30419fdd25036440e49feeba86e6
• afe044eb9bfb6151f7fab5be9554a5859b714720
• 84fc3c51e44b55d7d40b2ae96dc2feed7d4dc73c

URL

• https://mockbin.org/bin/902ca47f-644d-4d44-88ec-060fdb7acaa4
• https://mockbin.org/bin/229f6d51-f534-466f-b642-e86811631083
• https://downloadingdoc.infinityfreeapp.com/filedwn.php
• https://document-c.infinityfreeapp.com/execdwn.php?id=aec02d48-92f3-45a5-a003-051369b51928
• https://downloaddoc.infinityfreeapp.com/execdwn.php?id=488354ce-01ce-4d45-b47a-88701d40c52a
• https://mockbin.org/bin/7cc44695-0c31-4620-bed4-2e60adf0a4b6
• https://mockbin.org/bin/92354a6a-ba1f-4a1a-abea-fba269cabd66
• https://downloaddoc.infinityfreeapp.com/execdwn.php?id=6a98168f-f14f-4014-8b28-8329b0118936

Remediation

• Block all threat indicators at your respective controls.
• Search for Indicators of compromise (IOCs) in your environment utilizing your respective security controls.
• Apply the latest security patches and updates to the email server software and associated components to address any vulnerabilities that may have been exploited by APT28. Also, prioritize patching known exploited vulnerabilities and zero-days.
• Perform comprehensive security audits on the email server infrastructure to identify and address any potential weaknesses. This includes reviewing server configurations, access controls, and encryption protocols to ensure they meet industry best practices.
• Emails from unknown senders should always be treated with caution. Never trust or open links and attachments received from unknown sources/senders.
• Enable 2FA for user accounts on the email server to add an extra layer of security. This prevents unauthorized access even if usernames and passwords are compromised.
• Maintain cyber hygiene by updating your anti-virus software and implementing a patch management lifecycle.
• Implement network segmentation to isolate critical systems and sensitive data from the rest of the network. This limits the lateral movement of attackers in case of a breach and reduces the impact of potential future attacks.
• Implement a regular backup strategy for email servers and critical data. Ensure that backups are stored securely and regularly tested for data restoration.