
APT28 Uses HeadLace Malware in Car Sale Phishing Scam Targeting Diplomats

In the world of cybersecurity, the threat landscape is constantly evolving, with threat actors employing new tactics and techniques to infiltrate networks and steal sensitive information. One such threat actor, linked to Russia, has recently been identified in a new campaign that used a car for sale as a phishing lure to deliver a modular Windows backdoor known as HeadLace.

According to a report by Palo Alto Networks Unit 42, the campaign, which likely targeted diplomats, began as early as March 2024. The threat actor behind the campaign has been attributed with medium to high confidence to APT28, also known by various other names such as BlueDelta, Fancy Bear, and Sofacy. This group is known for its sophisticated cyber operations and has been involved in various cyber espionage activities in the past.

Interestingly, the use of a car-for-sale phishing lure is not a new tactic in the realm of cyber espionage. A different Russian nation-state group, APT29, had previously used similar tactics as far back as May 2023. This indicates that APT28 may be repurposing successful tactics from other threat actors for its own campaigns, showcasing the adaptability and resourcefulness of these malicious actors.

In a separate series of campaigns earlier this year, the same threat actor was implicated in targeting networks across Europe with the HeadLace malware and credential-harvesting web pages. These attacks are characterized by the use of a legitimate service called webhook[.]site, along with Mocky, to host malicious HTML pages. The attackers use social engineering techniques to lure victims into downloading a ZIP archive containing malicious files disguised as legitimate images.

The archive includes three files: a legitimate Windows calculator executable masquerading as an image file, a DLL, and a batch script. The calculator binary is used to sideload the malicious DLL, which is a component of the HeadLace backdoor. The batch script then executes a Base64-encoded command to retrieve a file from another webhook[.]site URL; the file is saved on the victim's machine, executed, and then deleted to cover the attackers' tracks.
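The three-file structure described above is itself a detection opportunity. The following triage script is an added example, not code from Unit 42 or from the report: it opens a ZIP archive, flags any "image" whose bytes actually start with the PE `MZ` header, notes a DLL beside it and a batch script, and decodes Base64 runs in the script to check for the webhook.site host named in the article. The archive it builds is a constructed stand-in (header stubs and a harmless echo command), and the file names `helper.dll` and `open.bat` are hypothetical.

```python
import base64
import io
import re
import zipfile

IMAGE_EXTS = (".jpg", ".jpeg", ".png", ".gif", ".bmp")
ABUSED_HOSTS = ("webhook.site",)  # free hosting service named in the report
B64_RE = re.compile(r"[A-Za-z0-9+/]{20,}={0,2}")

def is_pe(data: bytes) -> bool:
    """Any Windows PE file (EXE or DLL) begins with the 'MZ' DOS header."""
    return data[:2] == b"MZ"

def triage_archive(zip_bytes: bytes) -> dict:
    """Flag the three-part lure: PE disguised as an image + DLL + batch script."""
    f = {"masqueraded_pe": [], "dlls": [], "scripts": [], "decoded_hosts": []}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name, data = info.filename.lower(), zf.read(info)
            if name.endswith(IMAGE_EXTS) and is_pe(data):
                f["masqueraded_pe"].append(info.filename)
            elif name.endswith(".dll") and is_pe(data):
                f["dlls"].append(info.filename)
            elif name.endswith((".bat", ".cmd")):
                f["scripts"].append(info.filename)
                # Decode every Base64 run in the script and look for the abused host
                for blob in B64_RE.findall(data.decode("latin-1")):
                    try:
                        raw = base64.b64decode(blob, validate=True)
                    except ValueError:
                        continue
                    text = raw.decode("utf-8", "ignore") + raw.decode("utf-16-le", "ignore")
                    for host in ABUSED_HOSTS:
                        if host in text and host not in f["decoded_hosts"]:
                            f["decoded_hosts"].append(host)
    f["sideload_lure"] = bool(f["masqueraded_pe"] and f["dlls"] and f["scripts"])
    return f

def build_sample_archive() -> bytes:
    """Constructed stand-in for the lure: MZ header stubs and a harmless echo, no real payload."""
    pe_stub = b"MZ" + b"\x00" * 62  # DOS header only, not a loadable binary
    encoded = base64.b64encode(b"echo https://webhook.site/PLACEHOLDER-ID").decode()
    bat = f"@echo off\r\nrem constructed sample\r\nset CMD={encoded}\r\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("car_photo.jpg", pe_stub)  # renamed executable, as the calculator was
        zf.writestr("helper.dll", pe_stub)     # hypothetical name for the sideloaded DLL
        zf.writestr("open.bat", bat)           # hypothetical name for the batch script
    return buf.getvalue()
```

Run `triage_archive(build_sample_archive())` to see all four findings populated and `sideload_lure` set; on a real capture, treat that combination as a high-confidence indicator of this lure pattern.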

Unit 42 notes that while the infrastructure used by APT28 may vary for different attack campaigns, the group frequently relies on freely available services to host their malicious payloads. The tactics employed in this campaign align with previously documented APT28 campaigns, and the HeadLace backdoor is exclusive to this threat actor, further solidifying the attribution.

Overall, this latest campaign highlights the ongoing threat posed by sophisticated threat actors like APT28, who continue to evolve their tactics to evade detection and compromise sensitive networks. It serves as a reminder of the importance of robust cybersecurity measures and vigilance in defending against such malicious activities in today’s digital landscape.
