
Polish Government Targeted by Russian-Linked APT28 in Sophisticated Malware Campaign

Charles M. Walls | May 9, 2024


Poland's government agencies have been hit by a sophisticated malware attack linked to the Russian cyber group APT28, according to a report by CERT Polska. The attackers cleverly used phishing emails designed to pique recipients' curiosity and tempt them into clicking a malicious link.

Victims who clicked the link were redirected to run.mocky[.]io, a domain that further redirected them to another site called webhook[.]site. This free service, which allows developers to check webhook-sent data, was misused to avoid detection by security systems.

The malware operation involved downloading a ZIP file from webhook[.]site containing a Windows Calculator executable disguised as an image file ("IMG-238279780.jpg.exe"), along with a hidden batch script and a hidden DLL file ("WindowsCodecs.dll"). When the victim runs the executable, it side-loads the malicious DLL, which in turn runs the batch script. Meanwhile, a web browser shows images of a woman in a swimsuit, along with links to her real social media profiles, as a distraction.

The batch script proceeds to download and rename a JPG image from webhook[.]site to a CMD script ("IMG-238279780.cmd"), which then executes and retrieves the final payload. This payload gathers details from the infected host and sends them back to the attackers. CERT Polska highlighted that this attack pattern is reminiscent of an earlier campaign that spread the HeadLace backdoor.

APT28's consistent use of legitimate services like Mocky and webhook[.]site to circumvent security measures has been noted. CERT Polska suggests that organizations not using these services should consider blocking the related domains. It also recommends filtering email for links to webhook[.]site and run.mocky[.]io, as their legitimate use in emails is quite rare.
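
One way to implement the email link filtering recommended above (an added example, not code from CERT Polska or the original article): it matches on the parsed hostname, so subdomains are caught and lookalike hosts are not. The function names and the sample message are constructed for illustration.

```python
import re
from email import message_from_string
from email.policy import default
from urllib.parse import urlsplit

# Domains named in the CERT Polska recommendation.
FLAGGED_DOMAINS = ("webhook.site", "run.mocky.io")
URL_RE = re.compile(r"""https?://[^\s"'<>)]+""", re.IGNORECASE)

# Constructed sample message (not taken from the campaign).
SAMPLE = """\
From: sender@example.org
To: user@example.org
Subject: constructed sample
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<p>See <a href="https://run.mocky.io/placeholder">this</a> and
https://webhook.site.example.com/ok and hxxps://abc.webhook[.]site/placeholder</p>
"""

def refang(text):
    """Undo common defanging so forwarded or quoted indicators still match."""
    text = text.replace("[.]", ".").replace("(.)", ".")
    return re.sub(r"hxxp", "http", text, flags=re.IGNORECASE)

def host_is_flagged(host):
    """True for a flagged domain or any subdomain of it, never a lookalike."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in FLAGGED_DOMAINS)

def flagged_links(raw_message):
    """Return the sorted URLs in text parts whose host is a flagged domain."""
    msg = message_from_string(raw_message, policy=default)
    hits = set()
    for part in msg.walk():
        if part.get_content_type() not in ("text/plain", "text/html"):
            continue
        # get_content() decodes the transfer encoding and charset for us.
        for url in URL_RE.findall(refang(part.get_content())):
            try:
                host = urlsplit(url).hostname or ""
            except ValueError:  # malformed URL, e.g. a stray '[' in the host
                continue
            if host_is_flagged(host):
                hits.add(url)
    return sorted(hits)

if __name__ == "__main__":
    print(flagged_links(SAMPLE))
```
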

This incident follows NATO's accusations against the Kremlin-supported APT28 for a long-term cyber espionage campaign against political bodies, state institutions, and critical infrastructure in various nations. The group has also expanded its malicious activities to iOS devices, deploying the XAgent spyware, which can remotely control devices and exfiltrate data like contact information, messages, device details, apps, screenshots, and call records. Symantec, owned by Broadcom, states that this data could be leveraged in social engineering or spear-phishing efforts.

Additionally, there has been a rise in financially motivated attacks by Russian cybercrime groups like UAC-0006 against Ukraine, while entities in Russia and Belarus have faced attacks from a nation-state actor known as Midge, which deploys malware to steal sensitive information.
