Analysis Summary

A recent operation that used a car up for sale as a phishing lure to deliver the modular Windows backdoor HeadLace has been connected to a threat actor with ties to Russia named APT28.

The campaign, which started as early as March 2024, most certainly targeted ambassadors. The researchers identified APT28—also known as BlueDelta, Fancy Bear, Fighting Ursa, Forest Blizzard, FROZENLAKE, Iron Twilight, ITG05, Pawn Storm, Sednit, Sofacy, and TA422—as the threat actor behind it with a medium to high degree of confidence. It's important to note that a distinct Russian nation-state group known as APT29 used car-for-sale phishing lure themes back in May 2023, suggesting that APT28 is recycling effective strategies for its attacks.

The threat actor was linked to other campaigns earlier in May that used the HeadLace malware and websites that harvested credentials to target networks around Europe. The attacks are distinguished by the use of a legitimate service called webhook[.]site, which, along with Mocky, is a defining feature of APT28's cyber operations. This legitimate service is used to host a malicious HTML page that, after determining whether the target machine is running Windows, provides a ZIP archive for download ("IMG-387470302099.zip").

If the system is not Windows-based, it reroutes to an Audi Q7 Quattro SUV decoy image posted on ImgBB. Three files are included in the archive: a batch script ("zqtxmo.bat"), a DLL ("WindowsCodecs.dll"), and the genuine Windows calculator executable ("IMG-387470302099.jpg.exe"). The malicious DLL, a part of the HeadLace backdoor, is side-loaded using the calculator binary to start the batch script. The batch script then runs a command encoded in Base64 that is intended to download a file from another webhook[.]site URL.

Then, before being executed, this file is renamed to "IMG387470302099.cmd" and saved as "IMG387470302099.jpg" in the users' downloads folder. Finally, it is erased to remove any evidence of malicious activity. Although APT28's infrastructure changes depending on the attack campaign, the group usually uses these open-source services. Moreover, this campaign's strategies align with past reported APT28 activities, and this threat actor alone is the owner of the HeadLace backdoor.

Impact

• Sensitive Data Theft
• Credential Theft
• Command Execution

Indicators of Compromise

MD5

• 849129c405369cb5e61d3f509655db6f
• 479252c7a08cb0b14defa95e2d26c14e
• e3604d4fa956025486bce7da25296cd9
• 15f56bd7b1f78912ef38b36ff3ab8a49

SHA-256

• cda936ecae566ab871e5c0303d8ff98796b1e3661885afd9d4690fc1e945640e
• dad1a8869c950c2d1d322c8aed3757d3988ef4f06ba230b329c8d510d8d9a027
• 6b96b991e33240e5c2091d092079a440fa1bef9b5aecbf3039bf7c47223bdf96
• a06d74322a8761ec8e6f28d134f2a89c7ba611d920d080a3ccbfac7c3b61e2e7

SHA1

• 010e1bdb8129ee16bf9803a75038d7a3add28939
• 04dbf45f86d3643b9565c1e54f4b8d6307de3975
• 590c431b7a7b16bd731ab660f611ed54e8dc1bb0
• cdb5e213c55f1c631eb5c58c46a80734dac74ae3

URL

• https://webhook.site/66d5b9f9-a5eb-48e6-9476-9b6142b0c3ae
• https://webhook.site/d290377c-82b5-4765-acb8-454edf6425dd
• https://i.ibb.co/vVSCr2Z/car-for-sale.jpg

Remediation

• Block all threat indicators at your respective controls.
• Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
• Apply the latest security patches and updates to the email server software and associated components to address any vulnerabilities that may have been exploited by APT28. Also, prioritize patching known exploited vulnerabilities and zero-days.
• Perform comprehensive security audits on the email server infrastructure to identify and address any potential weaknesses. This includes reviewing server configurations, access controls, and encryption protocols to ensure they meet industry best practices.
• Emails from unknown senders should always be treated with caution. Never trust or open links and attachments received from unknown sources/senders.
• Enable 2FA for user accounts on the email server to add an extra layer of security. This prevents unauthorized access even if usernames and passwords are compromised.
• Maintain cyber hygiene by updating your anti-virus software and implementing a patch management lifecycle.
• Implement network segmentation to isolate critical systems and sensitive data from the rest of the network. This limits the lateral movement of attackers in case of a breach and reduces the impact of potential future attacks.
• Implement a regular backup strategy for email servers and critical data. Ensure that backups are stored securely and regularly tested for data restoration.