Polish authorities warn that a Russia-linked cyberespionage group, tracked as APT29, Cozy Bear and NOBELIUM, is targeting diplomatic posts and foreign ministries of NATO and EU member states in an ongoing campaign that uses previously undocumented malware payloads.
- The APT29 hackers targeted selected personnel at diplomatic posts with spear phishing emails that masqueraded as messages from the embassies of European countries inviting them to meetings or to collaborate on documents.
- The emails had PDF attachments that contained links to supposedly external calendars, meeting details or work files.
- Those links led to a script which, using a technique called HTML Smuggling, served .ISO, .ZIP or .IMG files to the victim's browser.
APT29 has used .ISO files for malware distribution before, but the use of .IMG (disk image) files is a new technique. Both ISO and IMG files are automatically mounted as a virtual disk when opened in Windows, giving the user direct access to the files contained within.
Here, the files were Windows shortcuts (LNK) that launched a legitimate executable, which in turn loaded a malicious DLL. This technique, known as DLL sideloading, involves delivering an executable belonging to a legitimate application that is known to load a DLL with a particular name from its own directory; the attackers only need to place a malicious DLL with that name alongside it. By having a legitimate, possibly whitelisted, file load the malicious code into memory, attackers hope to evade security tools that trust that file.
The first payload of the attack is a custom malware dropper dubbed SNOWYAMBER. This lightweight program collects basic information about the computer and contacts a C2 server hosted on Notion.so, an online workspace collaboration service. Its goal is to download and execute additional malware; in this campaign it was used to deploy Cobalt Strike and BruteRatel beacons. Both are commercial post-exploitation frameworks intended for penetration testers that have also found adoption among attackers.
SNOWYAMBER is not the only malware dropper used by APT29. In February, the group was seen using another payload, dubbed HALFRIG, that was also used to deploy Cobalt Strike. However, instead of downloading the beacon from a C2 server, it decrypted it from shellcode. In March, the hackers were seen using yet another tool, dubbed QUARTERRIG, that shares part of its codebase with HALFRIG.
The use of multiple droppers in a relatively short time span suggests that the attackers are quickly adapting and replacing tools that are identified by the security community and no longer deliver the same success rate.
The targets of interest to APT29 include government entities, diplomatic entities, international organizations, and non-governmental organizations. While the attacks focused mainly on EU and NATO entities, some targets were also observed in Africa.
Recommended defensive measures:
- Block the ability to mount disk images on the file system, as most users don't need this functionality.
- Monitor the mounting of disk image files by users with administrator roles.
- Enable and configure attack surface reduction rules.
- Configure software restriction policy.
- Block the possibility of starting executable files from unusual locations (in particular, temporary directories, %localappdata% and its subdirectories, and external media).
The Polish government's advisory also includes indicators of compromise that can be used to build detection for the known malware samples.
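The first three measures above on a single Windows host, as an added example that is not part of the advisory. It assumes Windows 10/11 with Microsoft Defender Antivirus, that .iso and .img both resolve to the Windows.IsoFile ProgID, and that the VHDMP operational log records mounts; for a fleet the same settings would be pushed via Group Policy or Intune.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the Polish advisory. Applies three of the listed measures on one host.

# --- Measure 1: block Explorer from mounting .iso/.img as a virtual disk.
# Assumption: both extensions resolve to the Windows.IsoFile ProgID, whose 'mount' verb is the
# double-click default. Removing the verb leaves Explorer with no mount handler for these files.
$mountVerb = 'Registry::HKEY_CLASSES_ROOT\Windows.IsoFile\shell\mount'
if (Test-Path $mountVerb) {
    Remove-Item -Path $mountVerb -Recurse -Force
    Write-Host 'Removed Explorer mount verb for .iso/.img files.'
}

# --- Measure 2: enable Defender attack surface reduction (ASR) rules relevant to this
# delivery chain (mail attachment -> disk image -> executable). GUIDs are the rule
# identifiers Microsoft publishes for these rules.
$asrRules = @{
    'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550' = 'Block executable content from email client and webmail'
    '01443614-CD74-433A-B99E-2ECDC07BFC25' = 'Block executables unless they meet prevalence, age or trusted-list criteria'
    'B2B3F03D-6A65-4F7B-A9C7-1C7EF74A9BA4' = 'Block untrusted and unsigned processes that run from USB'
}
foreach ($id in $asrRules.Keys) {
    # Add-MpPreference appends to the existing rule set instead of replacing it.
    Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions Enabled
    Write-Host "Enabled ASR rule: $($asrRules[$id])"
}

# --- Measure 3: review recent disk-image mounts so those by administrative accounts
# can be checked. Assumption: the VHDMP operational log records a mount as Event ID 1
# ("surfaced") and the event message names the image path.
function Get-RecentDiskImageMounts {
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-VHDMP-Operational'
        Id        = 1
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Time    = $_.TimeCreated
            UserSid = if ($_.UserId) { $_.UserId.Value } else { 'n/a' }
            Message = $_.Message
        }
    }
}

Get-RecentDiskImageMounts | Format-Table -AutoSize
```

Removing the mount verb only affects Explorer; the remaining measures (software restriction policy, blocking execution from temporary directories and external media) still need AppLocker or SRP policy on top of this.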