Russias Fighting Ursa APT Uses Car Ads to Install HeadLace Malware

  /     /     /  
Publicated : 23/11/2024   Category : security


Russias Fighting Ursa APT Uses Car Ads to Install HeadLace Malware


The scheme, from the group also known as APT28, involves targeting Eastern European diplomats in need of personal transportation and tempting them with a purported good deal on a Audi Q7 Quattro SUV.



A prolific Russian threat actor known as Fighting Ursa is targeting diplomats through a used-car sale email scheme that then distributes HeadLace backdoor malware.
The gambit involves downloading a .zip file supposedly containing car images of an Audi Q7 Quattro SUV thats been outfitted for diplomatic use; but in fact, the files are executables whose .exe extensions are hidden by default in Microsoft Windows.
The photos of the vehicle are accompanied by a Romanian phone number and a contact at the Southeast European Law Enforcement Center to lend the ad additional credibility.
Fighting Ursa (aka APT28, Fancy Bear, and Sofacy) has adopted the tactic from other Russian threat actors, according to a report on the attack published by Palo Alto Networks Unit 42.
In July 2023, Unit42 reported on the Russian threat actor Cloaked Ursa, which was using a similar lure — that time a used BMW sedan in Kyiv — to
target diplomats working at embassies in Ukraine
.
These lures tend to resonate with diplomats and get targets to click on the malicious content, the blog post
noted
.
The attack chain begins with the use of the legitimate, free service known as webhook to host a malicious HTML page — a tactic that Unit 42 noted is often associated with APT28.
This page then determines if the target machine is running Windows. If it is, a .zip archive is offered for download. If the system is not Windows-based, the user is redirected to a decoy image.
Inside the .zip archive are three files: a Windows calculator executable disguised as an image file, a malicious dynamic link library (DLL), and a batch script.
The calculator executable is used to load the malicious DLL, which then runs the batch script.
The batch script then executes a command to retrieve a file from another webhook site URL, saves it in the downloads folder, renames it for execution, and then deletes it afterward to cover the attack’s tracks. That file contains the HeadLace backdoor, which establishes persistent access to a victims machine in order to set the stage for follow-on data theft, reconnaissance, and surveillance activities.
While the infrastructure used by Fighting Ursa varies for different attack campaigns, the group frequently relies on these freely available services [like webhook], a Unit 42 post explained. Furthermore, the tactics from this campaign fit with previously documented Fighting Ursa campaigns, and the HeadLace backdoor is exclusive to this threat actor.
Roger Grimes, data-driven defense evangelist at KnowBe4, explains that for nearly as long as Windows has been around, it has automatically hidden the file extension of dozens of commonly used files, such as .exe, .scr, .dll, etc.
This allows an attacker to create a file — for example, carphotos.jpg.exe — that appears to most Windows users as carphotos.jpg, he explains.
For the real file extension not to be hidden, a user must intentionally disable the hide file extensions option in Windows, often having to do so in multiple places.
Why Microsoft continues to allow hiding file extensions to be the default setting for decades is beyond me, as it is responsible for many tens of millions of exploitations, Grimes says. Its far past the time for Microsoft to disable this dangerous default.
Microsoft did not immediately respond to a request for comment.
The hacking group, which most researchers track as
APT28, has a long and infamous history
as the perpetrators of US election interference in 2016, the NotPetya attacks, the Olympic Destroyer effort, and other high-profile cyber offensives.
More recently, it has
targeted Ukrainian government bodies
with spear-phishing emails posing as Windows Update guides to trick recipients into executing malicious PowerShell commands.
And in 2022, it
disseminated a malicious document
exploiting the now-patched CVE-2022-30190 flaw through phishing emails to Ukrainian users. The document, titled “Nuclear Terrorism: A Very Real Threat.rtf,” aimed to exploit concerns about the war in Ukraine escalating into a nuclear disaster.
The threat group has also targeted
Ukraines energy infrastructure
, and recently built GooseEgg, a
custom tool used to exploit CVE-2022-38028
in attacks directed toward Ukraine, Western Europe, and North America.

Last News

▸ Hack Your Hotel Room ◂
Discovered: 23/12/2024
Category: security

▸ Website hacks happened during World Cup final. ◂
Discovered: 23/12/2024
Category: security

▸ Criminal Possession of Government-Grade Stealth Malware ◂
Discovered: 23/12/2024
Category: security


Cyber Security Categories
Google Dorks Database
Exploits Vulnerability
Exploit Shellcodes

CVE List
Tools/Apps
News/Aarticles

Phishing Database
Deepfake Detection
Trends/Statistics & Live Infos



Tags:
Russias Fighting Ursa APT Uses Car Ads to Install HeadLace Malware