Mike Harbison and Peter Renals
18 Jul 2022
The most recent campaigns by this actor provided a lure of an agenda for an upcoming meeting with an ambassador. These campaigns are believed to have targeted several Western diplomatic missions between May and June 2022. The lures included in these campaigns suggest targeting of a foreign embassy in Portugal as well as a foreign embassy in Brazil. In both cases, the phishing documents contained a link to a malicious HTML file (EnvyScout) that served as a dropper for additional malicious files in the target network, including a Cobalt Strike payload.
Palo Alto Networks researchers reported that the Russia-linked APT29 group, tracked by the researchers as Cloaked Ursa, started using the Google Drive cloud storage service to evade detection.
The Russia-linked APT29 group (aka SVR, Cozy Bear, and The Dukes) has been active since at least 2014, along with the APT28 cyber espionage group that was involved in the Democratic National Committee hack and the wave of attacks aimed at the 2016 US Presidential Elections.
The attackers used online storage services to exfiltrate data and drop their malicious payloads. The use of legitimate cloud services is not a novelty to this nation-state actor, but experts pointed out that in the two most recent campaigns the hackers leveraged Google Drive cloud storage services for the first time.
EnvyScout is a tool that is used to further infect the target with the other implants. Threat actors used it to deobfuscate the contents of the second stage of the malware, which is in the form of a malicious ISO file. This technique is known as HTML Smuggling.
A threat hunting activity based on the analysis of the creation time of the phishing message, together with the producer and PDF version metadata in the sample analyzed by Palo Alto Networks, allowed the experts to identify other suspicious documents that were uploaded to VirusTotal in early April 2022.
“Many of these documents appear to be phishing documents associated with common cybercrime techniques. This suggests that there is likely a common phishing builder being leveraged by cybercrime and APT actors alike to generate these documents,” continues the report.
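The metadata pivot described above, as an added example and not code from the report or from Palo Alto Networks: a small Python hunting routine that fingerprints PDFs by header version, Producer and CreationDate, clusters a corpus by builder fingerprint, and pulls out the documents that share a seed sample's fingerprint within a time window. The PDF byte strings, the builder name and the dates are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample PDFs (not real samples): only the header and the Info
# dictionary are present, which is all the hunting logic below looks at.
SEED = (b"%PDF-1.7\n1 0 obj\n<< /Producer (ExampleBuilder 1.0) "
        b"/CreationDate (D:20220405091233Z) >>\nendobj\n%%EOF")
CORPUS = {
    "doc_a.pdf": b"%PDF-1.7\n<< /Producer (ExampleBuilder 1.0) /CreationDate (D:20220402120000Z) >>",
    "doc_b.pdf": b"%PDF-1.4\n<< /Producer (ExampleBuilder 1.0) /CreationDate (D:20220403120000Z) >>",
    "doc_c.pdf": b"%PDF-1.7\n<< /Producer (Microsoft Word) /CreationDate (D:20220404120000Z) >>",
    "doc_d.pdf": b"%PDF-1.7\n<< /Producer (ExampleBuilder 1.0) /CreationDate (D:20210101120000Z) >>",
    "doc_e.pdf": b"%PDF-1.7\n<< /Title (no info here) >>",
    "doc_f.pdf": b"%PDF-1.7\n<< /Producer (ExampleBuilder 1.0) /CreationDate (D:20220420080000Z) >>",
}

def pdf_fingerprint(data: bytes) -> dict:
    """Header version, /Producer and /CreationDate from raw PDF bytes; None if absent."""
    version = re.match(rb"%PDF-(\d\.\d)", data)
    producer = re.search(rb"/Producer\s*\(([^)]*)\)", data)
    created = re.search(rb"/CreationDate\s*\(D:(\d{14})", data)
    return {
        "version": version.group(1).decode() if version else None,
        "producer": producer.group(1).decode("latin-1") if producer else None,
        "created": (datetime.strptime(created.group(1).decode(), "%Y%m%d%H%M%S")
                    if created else None),
    }

def cluster_by_builder(corpus: dict) -> dict:
    """Group documents by (PDF version, Producer): one builder, one cluster."""
    clusters = defaultdict(list)
    for name, data in corpus.items():
        fp = pdf_fingerprint(data)
        clusters[(fp["version"], fp["producer"])].append(name)
    return dict(clusters)

def pivot_from_seed(seed: bytes, corpus: dict, window_days: int = 30) -> list:
    """Documents sharing the seed's builder fingerprint, created within window_days of it."""
    s = pdf_fingerprint(seed)
    hits = []
    for name, data in corpus.items():
        fp = pdf_fingerprint(data)
        if (fp["version"], fp["producer"]) != (s["version"], s["producer"]):
            continue  # different builder or PDF version: not the same lineage
        if fp["created"] is None or s["created"] is None:
            continue  # cannot place it in time without a creation date
        if abs(fp["created"] - s["created"]) <= timedelta(days=window_days):
            hits.append(name)
    return sorted(hits)
```

Against the constructed corpus the 30-day pivot returns doc_a and doc_f; doc_d shares the builder but falls outside the window, and doc_b differs only in PDF version.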