Russian APT Hackers Used COVID-19 Lures to Target European Diplomats


Feb 09, 2022, Ravie Lakshmanan


The Russia-linked threat actor known as APT29 targeted European diplomatic missions and Ministries of Foreign Affairs as part of a series of spear-phishing campaigns mounted in October and November 2021.

According to ESET's T3 2021 Threat Report shared with The Hacker News, the intrusions paved the way for the deployment of Cobalt Strike Beacon on compromised systems, after which the foothold was used to drop additional malware for gathering information about the hosts and other machines on the same network.

Also tracked under the names The Dukes, Cozy Bear, and Nobelium, the advanced persistent threat group is a notorious cyber-espionage actor that has been active for more than a decade, with its attacks targeting Europe and the U.S., before it gained widespread attention for the 2020 supply-chain compromise of SolarWinds, which led to further infections in several downstream entities, including U.S. government agencies.


The spear-phishing attacks began with a COVID-19-themed phishing email impersonating the Iranian Ministry of Foreign Affairs and containing an HTML attachment that, when opened, prompts the recipient to open or save what appears to be an ISO disk image file ("Covid.iso").

Should the victim opt to open or download the file, "a small piece of JavaScript decodes the ISO file, which is embedded directly in the HTML attachment." Because the payload is reconstructed client-side by script rather than fetched as a separate download, the technique is commonly known as HTML smuggling, and the ISO never crosses the network as a distinct file for a gateway to inspect. The disk image, in turn, contains an HTML application (HTA) that is executed with mshta.exe to run a piece of PowerShell code that ultimately loads the Cobalt Strike Beacon onto the infected system.


ESET also characterised APT29's reliance on HTML attachments and ISO disk images (or VHDX files) as an evasion technique chosen specifically to sidestep Mark of the Web (MOTW) protections, the mechanism by which Windows records that a file came from the internet (the Zone.Identifier alternate data stream) so that SmartScreen, Office and other components can warn or block when it is opened. This reflects Windows behaviour at the time of the report; Microsoft has since changed how MOTW is handled for the contents of mounted ISO images in newer Windows 11 builds, so defenders should verify the behaviour on the builds they actually run rather than assume either outcome.


"An ISO disk image doesn't propagate the so-called Mark of the Web to the files inside the disk image," the researchers said. "As such, and even if the ISO were downloaded from the internet, no warning would be displayed to the victim when the HTA is opened."
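The chain above (an HTA launched by mshta.exe from a mounted image, which then spawns PowerShell) leaves a distinctive process-tree signature even when MOTW never fires. The following is an added example, not code from the ESET report or from The Hacker News: a small detection pass over Sysmon-style process-creation events (Event ID 1 field names Image, ParentImage, CommandLine, ProcessGuid, ParentProcessGuid) that flags mshta.exe running an .hta from a drive other than the system drive and PowerShell children of mshta.exe, including encoded command lines. The events, GUIDs, drive letters and the base64 payload are constructed for the example; the assumption that Windows lives on C: is a parameter.

```python
"""Added example, not code from the ESET report or The Hacker News article.

A minimal detection pass over Sysmon-style process-creation events that
flags the chain described in the text: mshta.exe running an .hta from a
mounted disk image (non-system drive, so no Mark of the Web), then
spawning PowerShell. Sample events below are constructed, not real logs.
"""
import re
from dataclasses import dataclass

SYSTEM_DRIVE = "C:"  # assumption: Windows is installed on C:

# First *.hta argument on the command line; captures its drive letter.
HTA_ARG = re.compile(r'"?([A-Za-z]):\\[^"\s]*\.hta\b', re.IGNORECASE)
# powershell.exe accepts prefixes of -EncodedCommand: -e, -ec, -enc, ...
ENCODED_SWITCH = re.compile(r"\s-e(?:c|nc|ncodedcommand)?\s", re.IGNORECASE)


@dataclass(frozen=True)
class ProcessEvent:
    guid: str          # Sysmon ProcessGuid
    parent_guid: str   # Sysmon ParentProcessGuid
    image: str         # Sysmon Image
    parent_image: str  # Sysmon ParentImage
    command_line: str  # Sysmon CommandLine

    @property
    def name(self) -> str:
        return self.image.rsplit("\\", 1)[-1].lower()

    @property
    def parent_name(self) -> str:
        return self.parent_image.rsplit("\\", 1)[-1].lower()


def hta_drive(command_line: str):
    """Drive letter (e.g. 'E:') of the .hta passed to mshta.exe, or None."""
    m = HTA_ARG.search(command_line)
    return m.group(1).upper() + ":" if m else None


def lineage(event: ProcessEvent, by_guid: dict, max_depth: int = 8) -> str:
    """Process names from this event up the ParentProcessGuid chain."""
    chain = [event.name]
    cur = event
    for _ in range(max_depth):
        parent = by_guid.get(cur.parent_guid)
        if parent is None:
            chain.append(cur.parent_name)  # parent not in our event set
            break
        chain.append(parent.name)
        cur = parent
    return " <- ".join(chain)


def detect(events, system_drive: str = SYSTEM_DRIVE):
    """Return (guid, reason, lineage) for each suspicious event."""
    by_guid = {e.guid: e for e in events}
    findings = []
    for e in events:
        if e.name == "mshta.exe":
            drive = hta_drive(e.command_line)
            if drive and drive != system_drive.upper():
                findings.append((e.guid,
                                 f"mshta.exe ran an HTA from {drive} "
                                 "(possible mounted ISO/VHDX, no MOTW)",
                                 lineage(e, by_guid)))
        elif e.name in ("powershell.exe", "pwsh.exe"):
            reasons = []
            if e.parent_name == "mshta.exe":
                reasons.append("PowerShell spawned by mshta.exe")
            if ENCODED_SWITCH.search(e.command_line):
                reasons.append("encoded command line")
            if reasons:
                findings.append((e.guid, "; ".join(reasons), lineage(e, by_guid)))
    return findings


# Constructed sample telemetry: Covid.iso mounted as E:, the HTA opened from
# it, PowerShell launched by mshta.exe (the -enc blob is UTF-16LE base64 of
# the harmless "Write-Host 'hi'"), plus a benign admin HTA on C: that must
# not fire.
SAMPLE_EVENTS = [
    ProcessEvent("{g1}", "{g0}", r"C:\Windows\System32\mshta.exe",
                 r"C:\Windows\explorer.exe",
                 r'"C:\Windows\System32\mshta.exe" "E:\Covid.hta"'),
    ProcessEvent("{g2}", "{g1}",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"C:\Windows\System32\mshta.exe",
                 "powershell.exe -nop -w hidden -enc "
                 "VwByAGkAdABlAC0ASABvAHMAdAAgACcAaABpACcA"),
    ProcessEvent("{g3}", "{g0}", r"C:\Windows\System32\mshta.exe",
                 r"C:\Windows\explorer.exe",
                 r'"C:\Windows\System32\mshta.exe" "C:\Tools\inventory.hta"'),
]

if __name__ == "__main__":
    for guid, reason, chain in detect(SAMPLE_EVENTS):
        print(f"{guid}: {reason} [{chain}]")
```

The drive-letter heuristic is deliberately narrow: it catches the mounted-image case the report describes without firing on the legitimate administrative HTAs that live on the system drive, and the parent-chain check stays valid even if the attacker switches the payload from an ISO to a VHDX. Tune SYSTEM_DRIVE and add your own allow-list of known HTA paths before deploying the rule.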



Upon successfully gaining initial access, the threat actor delivered a variety of off-the-shelf tools to query the target's Active Directory (AdFind), execute commands on a remote machine over the SMB protocol (Sharp-SMBExec), carry out reconnaissance (SharpView), and even an exploit for a Windows privilege escalation flaw (CVE-2021-36934, the "HiveNightmare" / "SeriousSAM" bug in which overly permissive ACLs on the SAM and SYSTEM hives let non-administrators read credential material from volume shadow copies) to carry out follow-on attacks.

"Recent months have shown that The Dukes are a serious threat to western organizations, especially in the diplomatic sector," the researchers noted. "They are very persistent, have good operational security, and they know how to create convincing phishing messages."
