Russia-linked APT used a car ad to phish diplomats with Headlace malware.

Home/BOTNET, Compromised, Exploitation, Internet Security, malicious cyber actors, Malware, Security Advisory, Security Update/Russia-linked APT used a car ad to phish diplomats with Headlace malware.

Russia-linked APT used a car ad to phish diplomats with Headlace malware.

A Russia-linked threat actor used a car ad to phish diplomats and deliver the HeadLace backdoor, likely starting in March 2024, according to Palo Alto Networks Unit 42. They attribute the campaign to APT28, also known as Fancy Bear and other aliases.

Car-for-sale phishing lures have been used by APT29 since May 2023. APT28 is now repurposing these tactics for its own campaigns.

Earlier this May, APT28 targeted European networks with HeadLace malware and credential-harvesting web pages.

They used webhook[.]site to host a malicious HTML page that checks if the target machine runs Windows. If so, it offers a ZIP archive (“IMG-387470302099.zip”). Non-Windows systems are redirected to an Audi Q7 image on ImgBB.

The ZIP archive contains three files: the legitimate Windows calculator disguised as an image file (“IMG-387470302099.jpg.exe”), a DLL (“WindowsCodecs.dll”), and a batch script (“zqtxmo.bat”).

The calculator binary sideloads a malicious DLL from the HeadLace backdoor, which runs a batch script executing a Base64-encoded command to fetch a file from another webhook[.]site URL. This file is saved as “IMG387470302099.jpg,” renamed to “IMG387470302099.cmd,” executed, and then deleted to hide malicious activity.

“Fighting Ursa frequently uses these freely available services,” Unit 42 said. “These tactics align with previous Fighting Ursa campaigns, and the HeadLace backdoor is unique to this threat actor.”

Indicators of Compromise

HTML page hosted on webhook site with decoy image and payload zip file:

  • cda936ecae566ab871e5c0303d8ff98796b1e3661885afd9d4690fc1e945640e

Car for sale image lure:

  • 7c85ff89b535a39d47756dfce4597c239ee16df88badefe8f76051b836a7cbfb

ZIP file containing calc.exe, malicious DLL and BAT file:

  • dad1a8869c950c2d1d322c8aed3757d3988ef4f06ba230b329c8d510d8d9a027

Legitimate calc.exe abused to sideload the malicious DLL:

  • c6a91cba00bf87cdb064c49adaac82255cbec6fdd48fd21f9b3b96abf019916b

Malicious file named WindowsCodecs.dll sideloaded by calc.exe:

  • 6b96b991e33240e5c2091d092079a440fa1bef9b5aecbf3039bf7c47223bdf96

Batch file named zqtxmo.bat executed by the above malicious DLL:

  • a06d74322a8761ec8e6f28d134f2a89c7ba611d920d080a3ccbfac7c3b61e2e7

URLs that hosted content for this campaign:

  • hxxps[:]//webhook[.]site/66d5b9f9-a5eb-48e6-9476-9b6142b0c3ae
  • hxxps[:]//webhook[.]site/d290377c-82b5-4765-acb8-454edf6425dd
  • hxxps[:]//i.ibb[.]co/vVSCr2Z/car-for-sale.jpg

‍Follow Us on: Twitter, InstagramFacebook to get the latest security news!

Post Views: 232
By | 2024-08-21T22:41:02+05:30 August 5th, 2024|BOTNET, Compromised, Exploitation, Internet Security, malicious cyber actors, Malware, Security Advisory, Security Update|

About the Author:

FirstHackersNews- Identifies Security

Related Posts

Leave A Comment

Subscribe to our newsletter to receive security tips everday!