A Russia-linked threat actor used a car ad to phish diplomats and deliver the HeadLace backdoor, likely starting in March 2024, according to Palo Alto Networks Unit 42. They attribute the campaign to APT28, also known as Fancy Bear and other aliases.
Car-for-sale phishing lures have been used by APT29 since May 2023. APT28 is now repurposing these tactics for its own campaigns.
Earlier this May, APT28 targeted European networks with HeadLace malware and credential-harvesting web pages.
They used webhook[.]site to host a malicious HTML page that checks if the target machine runs Windows. If so, it offers a ZIP archive (“IMG-387470302099.zip”). Non-Windows systems are redirected to an Audi Q7 image on ImgBB.
The ZIP archive contains three files: the legitimate Windows calculator disguised as an image file (“IMG-387470302099.jpg.exe”), a DLL (“WindowsCodecs.dll”), and a batch script (“zqtxmo.bat”).
The calculator binary sideloads a malicious DLL from the HeadLace backdoor, which runs a batch script executing a Base64-encoded command to fetch a file from another webhook[.]site URL. This file is saved as “IMG387470302099.jpg,” renamed to “IMG387470302099.cmd,” executed, and then deleted to hide malicious activity.
“Fighting Ursa frequently uses these freely available services,” Unit 42 said. “These tactics align with previous Fighting Ursa campaigns, and the HeadLace backdoor is unique to this threat actor.”
Indicators of Compromise
HTML page hosted on webhook site with decoy image and payload zip file:
- cda936ecae566ab871e5c0303d8ff98796b1e3661885afd9d4690fc1e945640e
Car for sale image lure:
- 7c85ff89b535a39d47756dfce4597c239ee16df88badefe8f76051b836a7cbfb
ZIP file containing calc.exe, malicious DLL and BAT file:
- dad1a8869c950c2d1d322c8aed3757d3988ef4f06ba230b329c8d510d8d9a027
Legitimate calc.exe abused to sideload the malicious DLL:
- c6a91cba00bf87cdb064c49adaac82255cbec6fdd48fd21f9b3b96abf019916b
Malicious file named WindowsCodecs.dll sideloaded by calc.exe:
- 6b96b991e33240e5c2091d092079a440fa1bef9b5aecbf3039bf7c47223bdf96
Batch file named zqtxmo.bat executed by the above malicious DLL:
- a06d74322a8761ec8e6f28d134f2a89c7ba611d920d080a3ccbfac7c3b61e2e7
URLs that hosted content for this campaign:
- hxxps[:]//webhook[.]site/66d5b9f9-a5eb-48e6-9476-9b6142b0c3ae
- hxxps[:]//webhook[.]site/d290377c-82b5-4765-acb8-454edf6425dd
- hxxps[:]//i.ibb[.]co/vVSCr2Z/car-for-sale.jpg
Follow Us on: Twitter, Instagram, Facebook to get the latest security news!
Leave A Comment