Short News:-
The FBI says APT29 is responsible for sending phishing emails with a COVID-19 theme posing as the Iranian Ministry of Foreign Affairs. APT29's reliance on HTML and ISO disk images (or VHDX files) is an evasion technique orchestrated specifically to evade Mark of the Web protections, according to researchers at ESET. The disk image file contains a piece of code that loads the Cobalt Strike Beacon onto the infected system. An ISO disk image does not propagate Mark of the Web, the security feature introduced by Microsoft to record the origin of a file, to the files inside it, researchers say.
Detailed News:-
The Russia-linked threat actor known as APT29 has been identified as the group behind a series of spear-phishing campaigns launched in October and November 2021 against European diplomatic missions and ministries of foreign affairs.
According to ESET's T3 2021 Threat Report, which was shared with The Hacker News, the intrusions paved the way for the deployment of Cobalt Strike Beacon on compromised systems, which was then used to drop additional malware on the hosts and other machines in the same network.
Known by the code names The Dukes, Cozy Bear, and Nobelium, the advanced persistent threat group has been active for more than a decade, with its attacks primarily targeting Europe and the United States. In 2020, it gained widespread attention for the supply-chain compromise of SolarWinds, which resulted in further infections in several downstream entities, including U.S. government agencies.
The spear-phishing attacks began with a COVID-19-themed email, sent by an impersonator posing as the Iranian Ministry of Foreign Affairs, that carried an HTML attachment; when opened, the attachment prompts the recipient to open or save what appears to be an ISO disk image file ("Covid.iso").
Should the victim choose to open or download the file, "a small piece of JavaScript decodes the ISO file, which is embedded directly in the HTML attachment," according to the FBI. The disk image file, in turn, contains an HTML application (HTA) that is executed using mshta.exe to run a piece of PowerShell code, which then loads the Cobalt Strike Beacon onto the infected system.
ESET also characterized APT29's reliance on HTML and ISO disk images (or VHDX files) as an evasion technique orchestrated specifically to evade Mark of the Web (MOTW) protections, a security feature introduced by Microsoft to determine the origin of a file.
"An ISO disk image does not propagate the so-called Mark of the Web to the files contained within the disk image," the researchers concluded. "As a result, and even if the ISO were downloaded from the internet, no warning would be displayed to the victim when the HTA was opened."
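Because the HTA inside a mounted image carries no Mark of the Web, the user gets no warning, but the chain described above (mshta.exe running an .hta from a freshly mounted volume, then spawning PowerShell) is still visible in process-creation telemetry. The following is an added example, not code from ESET or the article: two heuristic rules run over constructed Sysmon-style events; the PIDs, paths and command lines are made up, and the rule names are the author's own.

```python
import re

# Constructed sample process-creation events (Sysmon Event ID 1 style fields), not real telemetry.
SAMPLE_EVENTS = [
    {"pid": 412, "ppid": 300, "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
    # .hta launched straight from the root of a newly mounted disk image (drive E:)
    {"pid": 5120, "ppid": 412, "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r'"C:\Windows\System32\mshta.exe" "E:\Covid.hta"'},
    # PowerShell spawned by mshta.exe, the stage that would load the Beacon
    {"pid": 5200, "ppid": 5120,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc <base64 placeholder>"},
    # Benign: an installed HTA under Program Files, launched from explorer
    {"pid": 6000, "ppid": 412, "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r'"mshta.exe" "C:\Program Files\Vendor\Setup.hta"'},
]

# Heuristic: an .hta sitting at the root of a non-system drive letter. Mounting an
# ISO or VHDX assigns it a new drive letter, so E:\Covid.hta is the typical shape.
MOUNTED_IMAGE_HTA = re.compile(r'\b[D-Z]:\\[^\\"]+\.hta\b', re.IGNORECASE)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect_hta_chain(events):
    """Return (rule, pid) alerts for the mshta -> PowerShell chain."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        name = basename(e["image"])
        parent = by_pid.get(e["ppid"])
        parent_name = basename(parent["image"]) if parent else ""
        # Rule 1: mshta.exe executing an HTA directly from a mounted-image volume.
        if name == "mshta.exe" and MOUNTED_IMAGE_HTA.search(e["cmdline"]):
            alerts.append(("mshta_hta_from_mounted_image", e["pid"]))
        # Rule 2: PowerShell whose parent process is mshta.exe.
        if name == "powershell.exe" and parent_name == "mshta.exe":
            alerts.append(("powershell_child_of_mshta", e["pid"]))
    return alerts


if __name__ == "__main__":
    for rule, pid in detect_hta_chain(SAMPLE_EVENTS):
        print(f"ALERT {rule}: pid {pid}")
```

Rule 1 is deliberately narrow (root-level .hta on a non-C: drive) to keep false positives from installed HTAs low; broaden it to any removable or mounted volume if your telemetry records the volume type.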
After gaining initial access, the threat actor delivered a variety of off-the-shelf tools to query the target's Active Directory (AdFind), execute commands on a remote machine using the SMB protocol (Sharp-SMBExec), conduct reconnaissance (SharpView), and even an exploit for a Windows privilege escalation flaw (CVE-2021-36934) to carry out follow-on attacks.
"Recent months have demonstrated that The Dukes are a serious threat to western organizations, particularly those in the diplomatic sector," the researchers wrote. "They are very persistent, they have excellent operational security, and they know how to create convincing phishing messages."