A Russian-linked threat actor has been tied to a new campaign that used a car for sale as phishing bait to deliver a Windows modular backdoor called HeadLace.
“The campaign likely targeted diplomats and began as early as March 2024,” Palo Alto Networks Unit 42 said in a report published today, attributing it with a medium to high level of confidence to APT28, also called BlueDelta, Fancy Bear, Fighting Ursa, Forest Blizzard, FROZENLAKE, Iron Twilight, ITG05, Pawn Storm, Sednit, Sofacy, and TA422.
It should be noted that the car-for-sale phishing theme was previously put to use by another Russian nation-state group, APT29, since July 2023, indicating that APT28 is repurposing successful tactics for its own campaigns.
Earlier this May, the attacker was involved in a series of campaigns targeting networks across Europe with the HeadLace malware and credential harvesting web pages.
Attacks are characterized by the use of a legitimate service known as webhook(.)site – a hallmark of APT28’s cyber operations, along with Mocky – to host a malicious HTML page that first checks whether the target machine is running Windows and, if so, offers a ZIP archive for download (“IMG-387470302099.zip”).
If the system is not Windows-based, it redirects to a decoy image posted on ImgBB, specifically an Audi Q7 Quattro SUV.
The archive contains three files: a legitimate Windows Calculator executable masquerading as an image file (“IMG-387470302099.jpg.exe”), a DLL (“WindowsCodecs.dll”), and a batch script (“zqtxmo.bat”).
The calculator binary is used to sideload the malicious DLL, a component of the HeadLace backdoor, which is designed to run the batch script; that script in turn executes a Base64-encoded command to retrieve a file from another webhook(.)site URL.
This file is then saved as “IMG387470302099.jpg” in the user’s downloads folder and renamed to “IMG387470302099.cmd” before execution, after which it is deleted to erase any traces of malicious activity.
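As an added, defender-side illustration (not from Unit 42’s report or this article), the following Python sketch runs checks for the three observable steps of that chain over constructed, simplified Sysmon-style events; the user name, paths and event layout are assumptions.

```python
import re
from pathlib import PureWindowsPath

# Constructed, simplified Sysmon-style events modelled on the chain described above (not real telemetry).
EVENTS = [
    {"type": "ProcessCreate", "image": r"C:\Users\alice\Downloads\IMG-387470302099\IMG-387470302099.jpg.exe",
     "parent": r"C:\Windows\explorer.exe"},
    {"type": "ImageLoad", "image": r"C:\Users\alice\Downloads\IMG-387470302099\IMG-387470302099.jpg.exe",
     "dll": r"C:\Users\alice\Downloads\IMG-387470302099\WindowsCodecs.dll"},
    {"type": "ImageLoad", "image": r"C:\Windows\explorer.exe",        # benign load of the real system DLL
     "dll": r"C:\Windows\System32\WindowsCodecs.dll"},
    {"type": "FileRename", "old": r"C:\Users\alice\Downloads\IMG387470302099.jpg",
     "new": r"C:\Users\alice\Downloads\IMG387470302099.cmd"},
    {"type": "ProcessCreate", "image": r"C:\Windows\System32\cmd.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "C:\Users\alice\Downloads\IMG387470302099.cmd"'},
]

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
DOUBLE_EXT = re.compile(r"\.(jpe?g|png|gif|pdf)\.exe$", re.IGNORECASE)   # image.jpg.exe masquerade
SCRIPT_EXT = {".cmd", ".bat"}
SCRIPT_ARG = re.compile(r'"?([A-Za-z]:\\Users\\[^"]+\.(?:cmd|bat))"?', re.IGNORECASE)

def in_system_dir(path):
    return path.lower().startswith(SYSTEM_DIRS)

def detect(events):
    """Return (rule, detail) findings for the suspicious steps of the delivery chain."""
    findings = []
    for ev in events:
        if ev["type"] == "ProcessCreate" and DOUBLE_EXT.search(ev["image"]):
            findings.append(("double_extension_exe", ev["image"]))
        elif ev["type"] == "ImageLoad":
            dll = PureWindowsPath(ev["dll"])
            # A well-known system DLL name loaded from outside the system directories: DLL sideloading.
            if dll.name.lower() == "windowscodecs.dll" and not in_system_dir(ev["dll"]):
                findings.append(("dll_sideload", f"{ev['image']} -> {ev['dll']}"))
        elif ev["type"] == "FileRename":
            old, new = PureWindowsPath(ev["old"]), PureWindowsPath(ev["new"])
            # A downloaded "image" turning into a script: the rename-before-execute step.
            if old.suffix.lower() in {".jpg", ".jpeg"} and new.suffix.lower() in SCRIPT_EXT:
                findings.append(("image_renamed_to_script", f"{old.name} -> {new.name}"))
        elif ev["type"] == "ProcessCreate" and "cmdline" in ev:
            m = SCRIPT_ARG.search(ev["cmdline"])
            if m and "\\downloads\\" in m.group(1).lower():
                findings.append(("script_exec_from_downloads", m.group(1)))
    return findings

if __name__ == "__main__":
    for rule, detail in detect(EVENTS):
        print(f"{rule}: {detail}")
```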
“While the infrastructure used by Fighting Ursa varies for different attack campaigns, the group often relies on these freely available services,” Unit 42 said. is exclusive to this threat actor.”