Feb 09, 2022Ravie Lakshmanan

The Russia-linked menace actor generally known as APT29 focused European diplomatic missions and Ministries of International Affairs as a part of a collection of spear-phishing campaigns mounted in October and November 2021.

In line with ESET’s T3 2021 Risk Report shared with The Hacker Information, the intrusions paved the way in which for the deployment of Cobalt Strike Beacon on compromised methods, adopted by leveraging the foothold to drop extra malware for gathering details about the hosts and different machines in the identical community.

Additionally tracked below the names The Dukes, Cozy Bear, and Nobelium, the superior persistent menace group is an notorious cyber-espionage group that has been energetic for greater than a decade, with its assaults focusing on Europe and the U.S., earlier than it gained widespread consideration for the availability‐chain compromise of SolarWinds, resulting in additional infections in a number of downstream entities, together with U.S. authorities companies in 2020.

The spear-phishing assaults commenced with a COVID-19-themed phishing e mail impersonating the Iranian Ministry of International Affairs and containing an HTML attachment that, when opened, prompts the recipients to open or save what seems to be an ISO disk picture file (“Covid.iso”).

Ought to the sufferer choose to open or obtain the file, “a small piece of JavaScript decodes the ISO file, which is embedded immediately within the HTML attachment.” The disk picture file, in flip, consists of an HTML utility that is executed utilizing mshta.exe to run a bit of PowerShell code that finally hundreds the Cobalt Strike Beacon onto the contaminated system.

ESET additionally characterised APT29’s reliance on HTML and ISO disk photographs (or VHDX recordsdata) as an evasion approach orchestrated particularly to evade Mark of the Net (MOTW) protections, a safety characteristic launched by Microsoft to find out the origin of a file.

“An ISO disk picture would not propagate the so-called Mark of the Net to the recordsdata contained in the disk picture,” the researchers mentioned. “As such, and even when the ISO have been downloaded from the web, no warning could be exhibited to the sufferer when the HTA is opened.”

Upon efficiently gaining preliminary entry, the menace actor delivered quite a lot of off-the-shelf instruments to question the goal’s Lively Listing (AdFind), execute instructions on a distant machine utilizing SMB protocol (Sharp-SMBExec), perform reconnaissance (SharpView), and even an exploit for a Home windows privilege escalation flaw (CVE-2021-36934) to hold out follow-on assaults.

“Current months have proven that The Dukes are a critical menace to western organizations, particularly within the diplomatic sector,” the researchers famous. “They’re very persistent, have good operational safety, they usually know how you can create convincing phishing messages.”