APT28 Targets Diplomats with HeadLace Malware Car Sales Phishing Lure

A Russia-linked threat actor has been tied to a new phishing campaign that uses a car-sales lure to deliver a modular Windows backdoor called HeadLace.

“The campaign likely targeted diplomats and began as early as March 2024,” Palo Alto Networks Unit 42 said in a report released today, attributing it with medium to high confidence to APT28, also tracked as BlueDelta, Fancy Bear, Fighting Ursa, Forest Blizzard, FROZENLAKE, Iron Twilight, ITG05, Pawn Storm, Sednit, Sofacy and TA422.

It is worth noting that car-sales phishing themes have already been used by another Russia-linked group tracked as APT29 since July 2023, indicating that APT28 is reusing tactics that have proven effective for its own campaigns.

Earlier this May, the threat actor was implicated in a series of campaigns targeting networks across Europe with the HeadLace malware and credential-harvesting web pages.

The attacks are characterized by the use of a legitimate service called webhook[.]site – a hallmark of APT28’s cyber operations, along with Mocky – to host a malicious HTML page, which first checks whether the target device is running Windows and, if so, serves a ZIP file for download (“IMG-387470302099.zip”).

If the system is not Windows-based, it instead redirects to a decoy image hosted on ImgBB, specifically a picture of an Audi Q7 Quattro SUV.

The archive contains three files: the legitimate Windows calculator executable masquerading as an image file (“IMG-387470302099.jpg.exe”), a DLL (“WindowsCodecs.dll”), and a batch script (“zqtxmo.bat”).

The calculator binary is used to side-load the malicious DLL, a component of the HeadLace backdoor designed to execute the batch script, which, in turn, runs a Base64-encoded command to retrieve a file from a webhook[.]site URL.

This file is saved as “IMG387470302099.jpg” in the user’s Downloads folder and renamed to “IMG387470302099.cmd” before execution, after which it is deleted to remove traces of the malicious activity.
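The delivery archive described above has a recognizable shape: a double-extension executable posing as an image, a DLL carrying a Windows system-library name dropped beside it for side-loading, and a batch script. The following triage script is an added example (not Unit 42’s code or tooling) that checks a ZIP for that triad; the sample archive is constructed in memory with dummy contents and the extension lists beyond the names in the report are assumptions.

```python
"""Triage a ZIP attachment for the HeadLace-style delivery triad:
disguised EXE + side-load DLL + script. Sample archive is constructed here."""
import io
import zipfile

IMAGE_EXTS = (".jpg", ".jpeg", ".png", ".gif", ".bmp")   # assumed list
EXEC_EXTS = (".exe", ".scr", ".com", ".pif")             # assumed list
SCRIPT_EXTS = (".bat", ".cmd", ".vbs", ".js", ".ps1")    # assumed list
# DLL name named in the report as side-loaded by the calculator binary.
SIDELOAD_DLLS = {"windowscodecs.dll"}

def classify_member(name: str) -> set[str]:
    """Return the set of suspicious traits for one archive member name."""
    low = name.lower().rsplit("/", 1)[-1]          # strip any folder prefix
    stem, _, ext = low.rpartition(".")
    traits = set()
    if ext and "." + ext in EXEC_EXTS and stem.endswith(IMAGE_EXTS):
        traits.add("double_extension_exe")         # e.g. IMG-....jpg.exe
    if low in SIDELOAD_DLLS:
        traits.add("sideload_dll")
    if ext and "." + ext in SCRIPT_EXTS:
        traits.add("script")
    return traits

def triage_zip(data: bytes) -> dict:
    """Scan every member of a ZIP (given as bytes) and report per-file traits
    plus a verdict: True only when all three parts of the triad are present."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            traits = classify_member(info.filename)
            if traits:
                findings[info.filename] = sorted(traits)
    seen = {t for ts in findings.values() for t in ts}
    verdict = {"double_extension_exe", "sideload_dll", "script"} <= seen
    return {"members": findings, "headlace_pattern": verdict}

def build_sample_zip(names=("IMG-387470302099.jpg.exe",
                            "WindowsCodecs.dll", "zqtxmo.bat")) -> bytes:
    """Constructed sample mirroring the report's file names; contents are dummies."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for n in names:
            zf.writestr(n, b"dummy")
    return buf.getvalue()

if __name__ == "__main__":
    print(triage_zip(build_sample_zip()))
```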

“Although the infrastructure used by Fighting Ursa varies across attack campaigns, the group relies on services that can be obtained free of charge,” Unit 42 said. “Furthermore, the tactics used in this campaign align with those documented in past Fighting Ursa campaigns, and the HeadLace backdoor is unique to this threat actor.”
