APT29 has been using a malicious ZIP archive that runs a script in the background to show a PDF lure and to download PowerShell code that downloads and executes a payload.

In this report, we unveil a sophisticated cyberattack orchestrated by APT29, an
advanced persistent threat group linked to Russia's Foreign Intelligence Service (SVR).

- National Security and Defense Council of

(report PDF file)

ZIP “DIPLOMATIC-CAR-FOR-SALE-BMW.pdf” that runs the script

The vulnerability has been exploited as a zero-day since April by threat actors targeting cryptocurrency and stock trading forums.

bleepingcomputer.com/news/secu

APT29 has used the BMW car ad phishing lure before to target diplomats in Ukraine during a campaign in May that delivered ISO payloads through the HTML smuggling technique.

bleepingcomputer.com/news/secu

In these attacks, the Ukrainian NDSC says that APT29 combined the old phishing tactic with a novel technique to enable communication with the malicious server.

NDSC says that the Russian hackers used a Ngrok free static domain (a new feature Ngrok announced on August 16) to access the command and control (C2) server hosted on their Ngrok instance.

ngrok.com/blog-post/free-stati

By using this method, the attackers managed to hide their activity and communicate with compromised systems without the risk of being detected.
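The Ngrok static-domain C2 described above suggests one practical detection: flag outbound connections whose destination is an ngrok tunnel hostname. The script below is an added example, not code from the NDSC report or BleepingComputer; the proxy log format is constructed and the ngrok suffix list is assumed from ngrok's public documentation.

```python
"""Flag outbound connections to ngrok tunnel hostnames in proxy logs.

Constructed example: the log format (timestamp, source IP, destination host,
URL path) is assumed; adapt LOG_LINE to your own proxy's format. The tunnel
suffixes are an assumed list based on ngrok's public documentation.
"""
import re
from typing import Iterable

# Hostname suffixes used by ngrok tunnels (assumed list, extend as needed).
NGROK_SUFFIXES = (".ngrok-free.app", ".ngrok.app", ".ngrok.io", ".ngrok.dev")

# Constructed log line layout: "<ISO time> <src_ip> <dst_host[:port]> <path>"
LOG_LINE = re.compile(r"^(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+)\s+(\S*)$")

SAMPLE_LOGS = [  # constructed sample data, not indicators from the report
    "2023-11-13T09:14:02Z 10.0.5.21 www.example.org /index.html",
    "2023-11-13T09:15:47Z 10.0.5.21 quiet-lark-static.ngrok-free.app /update.ps1",
    "2023-11-13T09:15:49Z 10.0.5.21 QUIET-LARK-STATIC.NGROK-FREE.APP:443 /beacon",
    "2023-11-13T09:16:10Z 10.0.7.3 cdn.example.net /lib.js",
    "not a log line at all",
]


def is_ngrok_host(host: str) -> bool:
    """True if host (optionally with :port or trailing dot) ends in an ngrok suffix."""
    bare = host.lower().split(":", 1)[0].rstrip(".")
    return bare.endswith(NGROK_SUFFIXES)


def find_ngrok_tunnels(lines: Iterable[str]) -> list[dict]:
    """Return one finding per parsable log line whose destination is an ngrok tunnel."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # skip unparsable lines instead of aborting the whole scan
        ts, src, host, path = m.groups()
        if is_ngrok_host(host):
            findings.append({"time": ts, "src": src, "host": host.lower(), "path": path})
    return findings


if __name__ == "__main__":
    for f in find_ngrok_tunnels(SAMPLE_LOGS):
        print(f"{f['time']} {f['src']} -> {f['host']}{f['path']}")
```

Legitimate developer use of ngrok exists, so treat a hit as a triage lead to correlate with the process that opened the connection (here, a script unpacked from a ZIP), not as a verdict on its own.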

A report from Google in October notes that the security issue was exploited by Russian and Chinese state hackers to steal credentials and other sensitive data, as well as to establish persistence on target systems.

blog.google/threat-analysis-gr

The Ukrainian NDSC says that the observed campaign from APT29 stands out because it mixes old and new techniques.

The report from the Ukrainian agency provides a set of indicators of compromise (IoCs) consisting of filenames and corresponding hashes for PowerShell scripts and an email file, along with domains and email addresses.