New Malware Toolset Used by Russian Cyberspies to Target NATO and EU Organizations
Polish government officials have issued a warning that a cyberespionage group, believed to be linked to Russia’s intelligence services, is targeting diplomatic and foreign ministries from NATO and EU member states.
The group, known as APT29, Cozy Bear, and NOBELIUM, is believed to be part of Russia’s Foreign Intelligence Service (SVR). This group was responsible for the 2020 supply chain attack against software company SolarWinds, which compromised thousands of organisations worldwide.
The new attack campaign was discovered and investigated by Poland’s Military Counterintelligence Service and the CERT Polska (CERT.PL). The APT29 hackers targeted selected personnel at diplomatic posts with spear phishing emails that masqueraded as messages from the embassies of European countries inviting them to meetings or to collaborate on documents. The emails had PDF attachments that contained links to supposedly external calendars, meeting details, or work files. The links led to web pages that used JavaScript code to decode a payload and offer it for download.
APT29 has used .ISO files for malware distribution before, but the use of .IMG (disk image) files is a new technique. Both ISO and IMG files are automatically mounted as a virtual disk when opened in Windows, and the user can access the files contained within. In this case, the files were Windows shortcuts (LNK) that launched a legitimate executable, which in turn loaded a malicious DLL.
This technique is known as DLL sideloading: the attackers deliver an executable belonging to a legitimate application that is known to load a DLL with a particular name from its own directory, and place a malicious DLL with that name alongside it. The legitimate, often signed, executable then loads the attacker's code itself.
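The following is an added detection example, not code from CERT.PL or from the advisory. It implements the defender's view of the chain described above: a signed executable loading an unsigned DLL from its own directory, where that directory is outside the locations Windows and installed software normally live in. The records are shaped like Sysmon Event ID 7 (ImageLoad) with the real field names Image, ImageLoaded and Signed; the sample events, the drive letter E: standing for a mounted image, and the idea that the executable's own signature state comes from a separate lookup are all assumptions made for the example.

```python
"""Flag the DLL sideloading shape: signed EXE + unsigned DLL in the same,
non-standard directory. Added example; events are constructed, not real."""
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Dict, Iterable, List

# Directories where an application loading a DLL from its own folder is routine.
TRUSTED_ROOTS = (
    PureWindowsPath(r"C:\Windows"),
    PureWindowsPath(r"C:\Program Files"),
    PureWindowsPath(r"C:\Program Files (x86)"),
)


@dataclass(frozen=True)
class ImageLoad:
    """Subset of Sysmon Event ID 7 fields."""
    image: str          # the process executable that performed the load
    image_loaded: str   # the DLL that was mapped into it
    image_signed: bool  # signature state of the executable
    dll_signed: bool    # signature state of the DLL


def parse_sysmon_record(rec: Dict[str, str], image_signed: bool) -> ImageLoad:
    """Build an ImageLoad from Sysmon's field names. Event ID 7 reports
    'Signed' for the loaded DLL only, so the executable's signature state is
    passed in (assumed here to come from a separate software inventory)."""
    return ImageLoad(
        image=rec["Image"],
        image_loaded=rec["ImageLoaded"],
        image_signed=image_signed,
        dll_signed=rec.get("Signed", "false").lower() == "true",
    )


def _lower_parts(path: PureWindowsPath) -> List[str]:
    # Windows paths are case-insensitive, so compare lower-cased components.
    return [p.lower() for p in path.parts]


def _under_trusted_root(path: PureWindowsPath) -> bool:
    parts = _lower_parts(path)
    return any(parts[: len(_lower_parts(r))] == _lower_parts(r) for r in TRUSTED_ROOTS)


def is_sideload_candidate(ev: ImageLoad) -> bool:
    """True when a signed executable maps an unsigned DLL from its own,
    non-standard directory (for example a folder on a mounted IMG file)."""
    exe = PureWindowsPath(ev.image)
    dll = PureWindowsPath(ev.image_loaded)
    if dll.suffix.lower() != ".dll":
        return False
    if not ev.image_signed or ev.dll_signed:
        return False
    if _lower_parts(exe.parent) != _lower_parts(dll.parent):
        return False
    return not _under_trusted_root(dll)


def find_sideloads(events: Iterable[ImageLoad]) -> List[ImageLoad]:
    return [ev for ev in events if is_sideload_candidate(ev)]


# Constructed sample events (not real telemetry). E: stands for a mounted
# disk image; the first record is the pattern the advisory describes.
SAMPLE_EVENTS = [
    ImageLoad(r"E:\meeting\viewer.exe", r"E:\meeting\helper.dll", True, False),
    ImageLoad(r"E:\meeting\viewer.exe", r"C:\Windows\System32\user32.dll", True, True),
    ImageLoad(r"C:\Windows\System32\notepad.exe", r"C:\Windows\System32\kernel32.dll", True, True),
    ImageLoad(r"C:\Program Files\Vendor\app.exe", r"C:\Program Files\Vendor\plugin.dll", True, False),
]

if __name__ == "__main__":
    for hit in find_sideloads(SAMPLE_EVENTS):
        print(f"possible sideload: {hit.image} loaded {hit.image_loaded}")
```

The trusted-root exclusion is deliberate: applications under Program Files routinely load unsigned plug-ins from their own folder, and planting a file there needs administrator rights, so that case is better handled by file-integrity monitoring than by this rule. The remaining hits are the low-noise shape worth alerting on.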
The first payload of the attack is a custom malware dropper that the Polish researchers dubbed SNOWYAMBER. This is a lightweight program that collects basic information about the computer and contacts a command-and-control server hosted on Notion.so, an online workspace collaboration service. The goal of this dropper is to download and execute additional malware, and the researchers have seen the APT29 attackers use it to deploy Cobalt Strike and BruteRatel beacons.
The APT29 espionage campaign is still ongoing and in development. The list of targets in the area of interest for APT29 includes government entities, diplomatic entities, international organisations, and non-governmental organisations. While the attacks focused mainly on EU and NATO entities, some targets were also observed in Africa.
The Polish Military Counterintelligence Service and CERT.PL recommend that organisations which think they might be a target implement several defensive measures, including blocking the ability to mount disk images on the file system, monitoring the mounting of disk image files by users with administrator roles, enabling and configuring attack surface reduction rules, configuring software restriction policies, and blocking the starting of executable files from unusual locations.
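As an added example of two of the monitoring recommendations above (it is not CERT.PL's tooling and not part of the advisory), the script below correlates disk-image mount events with process-creation events: it alerts when an administrator mounts an image, when an executable is started from a drive letter that a mounted image currently occupies, and when an executable runs from a user-writable location such as Downloads or Temp. The event shapes, host and user names, and the set of "unusual" directories are assumptions constructed for the example; real mount telemetry will need mapping onto these fields.

```python
"""Correlate image-mount and process-start records to implement the
advisory's monitoring advice. Added example with constructed events."""
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Dict, Iterable, List, Tuple, Union

IMAGE_EXTENSIONS = {".iso", ".img", ".vhd", ".vhdx"}
# Lower-cased path fragments that mark user-writable, non-standard launch points.
UNUSUAL_DIRS = ("\\downloads\\", "\\appdata\\local\\temp\\", "\\users\\public\\")


@dataclass(frozen=True)
class MountEvent:
    host: str
    user: str
    is_admin: bool    # user holds an administrator role (assumed from directory lookup)
    image_path: str   # the .img/.iso file that was mounted
    drive: str        # drive letter assigned to the virtual disk, e.g. "E:"


@dataclass(frozen=True)
class ProcessEvent:
    host: str
    user: str
    image: str        # executable that started
    parent_image: str


Alert = Tuple[str, str, str]  # (rule, host, detail)


def analyse(events: Iterable[Union[MountEvent, ProcessEvent]]) -> List[Alert]:
    """Walk a time-ordered mix of mount and process events and return alerts.
    Mount state is tracked per host so that a later process start from that
    drive letter can be tied back to the image file it came from."""
    mounted: Dict[str, Dict[str, str]] = {}  # host -> {drive letter: image path}
    alerts: List[Alert] = []
    for ev in events:
        if isinstance(ev, MountEvent):
            if PureWindowsPath(ev.image_path).suffix.lower() not in IMAGE_EXTENSIONS:
                continue
            mounted.setdefault(ev.host, {})[ev.drive.upper()] = ev.image_path
            if ev.is_admin:
                alerts.append(("admin-mount", ev.host,
                               f"{ev.user} mounted {ev.image_path} as {ev.drive}"))
        elif isinstance(ev, ProcessEvent):
            exe = PureWindowsPath(ev.image)
            drive = exe.drive.upper()
            if drive in mounted.get(ev.host, {}):
                alerts.append(("exec-from-image", ev.host,
                               f"{ev.user} ran {ev.image} from {mounted[ev.host][drive]}"))
            elif any(marker in str(exe).lower() for marker in UNUSUAL_DIRS):
                alerts.append(("exec-unusual-dir", ev.host, f"{ev.user} ran {ev.image}"))
    return alerts


# Constructed sample timeline: a user opens an IMG from Downloads and a
# shortcut on it starts an executable; an admin mounts an ISO; a third
# user runs something straight out of Temp.
SAMPLE_EVENTS = [
    MountEvent("WS01", r"CORP\jdoe", False, r"C:\Users\jdoe\Downloads\invite.img", "E:"),
    ProcessEvent("WS01", r"CORP\jdoe", r"E:\meeting\viewer.exe", r"C:\Windows\explorer.exe"),
    MountEvent("WS02", r"CORP\admin.it", True, r"C:\Temp\install.iso", "F:"),
    ProcessEvent("WS02", r"CORP\admin.it", r"C:\Windows\System32\cmd.exe", r"C:\Windows\explorer.exe"),
    ProcessEvent("WS03", r"CORP\asmith", r"C:\Users\asmith\AppData\Local\Temp\update.exe",
                 r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for rule, host, detail in analyse(SAMPLE_EVENTS):
        print(f"[{rule}] {host}: {detail}")
```

Keying the mount table on host and drive letter is what lets the second rule say which image file a process came from, which is the fact an analyst needs when deciding whether the file arrived by e-mail. Unmount events are not modelled here; a production version would remove the drive letter when the image is ejected so that a later, unrelated USB drive on the same letter does not inherit the alert.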
The Polish government’s advisory also includes indicators of compromise that can be used to build detection for the known malware samples.