Russian Hackers Used COVID-19 Lures to Target European Diplomats

The Russian hacking group APT29 used COVID-19 lures to target European diplomatic missions and Ministries of Foreign Affairs in spear-phishing campaigns launched in October and November 2021.

In a report, ESET said the intrusions allowed the attackers to deploy Cobalt Strike Beacon on compromised systems, which they then used to drop additional malware for gathering information about the infected hosts and other machines on the same network.

The threat group, also tracked as The Dukes, Cozy Bear, and Nobelium, is an infamous cyber-espionage group that has been active for over a decade, attacking targets in Europe and the U.S. The SolarWinds attack brought the group into the limelight and spread infections to several downstream entities, including U.S. government agencies in 2022.

The latest campaign used COVID-19-themed phishing emails impersonating the Iranian Ministry of Foreign Affairs and carrying an HTML attachment. When victims open it, they are prompted to open or save what appears to be an ISO disk image file (“Covid.iso”).

Once the victim opens or downloads the file, a small piece of JavaScript decodes the ISO, which is embedded directly in the HTML attachment. The HTML application (HTA) included in the disk image is then executed with mshta.exe, which runs a piece of PowerShell code that finally loads the Cobalt Strike Beacon onto the infected system.

According to ESET researchers, the hackers rely on HTML and ISO disk images (or VHDX files) as an evasion technique. The chain is orchestrated specifically to evade Mark of the Web (MOTW) protections, a security feature introduced by Microsoft to determine the origin of a file.

“An ISO disk image doesn’t propagate the so-called Mark of the Web to the files inside the disk image,” the researchers said. “As such, and even if the ISO were downloaded from the internet, no warning would be displayed to the victim when the HTA is opened.”
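The two defender-relevant points in the passages above are the process chain (mshta.exe executing an HTA from a mounted image, then spawning PowerShell) and the missing Mark of the Web on files extracted from an ISO. The following Python is an added example, not code from the article or from ESET: it runs simple detection logic over constructed process-creation events in a made-up `key=value|...` format (not a real Sysmon or EDR schema) and parses the contents of a `Zone.Identifier` alternate data stream so the "no MOTW, no warning" condition can be checked explicitly. The drive letter `E:`, the file name `launcher.hta` and the encoded-command placeholder are all constructed.

```python
"""Detection helpers for the HTML -> ISO -> HTA -> PowerShell chain.

Added example. Event lines below are constructed and use an invented
'Key=Value|Key=Value' format, not a real log schema.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class ProcEvent:
    parent_image: str
    image: str
    command_line: str


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def parse_event(line: str) -> ProcEvent:
    """Parse one constructed 'Key=Value|...' process-creation record."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return ProcEvent(fields["ParentImage"], fields["Image"], fields["CommandLine"])


HTA_REF = re.compile(r"\.hta\b", re.IGNORECASE)
# Flags commonly seen on loader stages: hidden window, no profile, encoded command.
SUSPICIOUS_PS_FLAGS = re.compile(
    r"(?:^|\s)-(?:enc(?:odedcommand)?|nop|noprofile|w(?:indowstyle)?\s+hidden)\b",
    re.IGNORECASE,
)
POWERSHELL = ("powershell.exe", "pwsh.exe")


def assess_event(ev: ProcEvent) -> List[str]:
    """Return the reasons (possibly none) this event looks like the HTA chain."""
    reasons = []
    img, parent = _basename(ev.image), _basename(ev.parent_image)
    if img == "mshta.exe" and HTA_REF.search(ev.command_line):
        reasons.append("mshta.exe executing an .hta file")
    if img in POWERSHELL and parent == "mshta.exe":
        reasons.append("PowerShell spawned by mshta.exe")
    if img in POWERSHELL and SUSPICIOUS_PS_FLAGS.search(ev.command_line):
        reasons.append("PowerShell launched with hidden/encoded flags")
    return reasons


def find_suspicious(lines: List[str]) -> List[Tuple[str, str]]:
    """Run assess_event over raw lines; returns (reason, command line) pairs."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        for reason in assess_event(ev):
            hits.append((reason, ev.command_line))
    return hits


def parse_zone_identifier(ads_text: Optional[str]) -> Optional[int]:
    """Return ZoneId from a Zone.Identifier stream's text, or None if absent.

    Windows writes this stream for downloaded files ([ZoneTransfer] section,
    ZoneId=3 means Internet). Files inside a mounted ISO carry no such stream,
    which is exactly why the HTA opens without a warning.
    """
    if not ads_text:
        return None
    in_section = False
    for raw in ads_text.splitlines():
        line = raw.strip()
        if line.lower() == "[zonetransfer]":
            in_section = True
            continue
        if line.startswith("["):
            in_section = False
            continue
        if in_section and line.lower().startswith("zoneid="):
            try:
                return int(line.split("=", 1)[1])
            except ValueError:
                return None
    return None


def has_internet_motw(ads_text: Optional[str]) -> bool:
    """True when the file is marked as coming from the Internet or a restricted zone."""
    zone = parse_zone_identifier(ads_text)
    return zone is not None and zone >= 3


# Constructed sample events (drive letter, HTA name and encoded blob are invented).
SAMPLE_EVENTS = [
    "ParentImage=C:\\Windows\\explorer.exe|Image=C:\\Windows\\System32\\mshta.exe"
    "|CommandLine=mshta.exe E:\\launcher.hta",
    "ParentImage=C:\\Windows\\System32\\mshta.exe"
    "|Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|CommandLine=powershell.exe -nop -w hidden -enc PLACEHOLDER_BASE64",
    "ParentImage=C:\\Windows\\explorer.exe"
    "|Image=C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"
    "|CommandLine=\"WINWORD.EXE\" /n",
    "ParentImage=C:\\Windows\\System32\\cmd.exe"
    "|Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|CommandLine=powershell.exe -Command Get-Date",
]

if __name__ == "__main__":
    for reason, cmd in find_suspicious(SAMPLE_EVENTS):
        print(f"[!] {reason}: {cmd}")
    downloaded_iso_ads = "[ZoneTransfer]\r\nZoneId=3\r\n"
    print("ISO itself carries MOTW:", has_internet_motw(downloaded_iso_ads))
    print("HTA inside mounted ISO carries MOTW:", has_internet_motw(None))
```

The three checks are deliberately independent so that a single event can be scored more than once: in the sample data the PowerShell stage is flagged both for its parent (mshta.exe) and for its flags, while the Word launch and the interactive PowerShell from cmd.exe produce nothing. On a real endpoint the ADS text would come from reading `file:Zone.Identifier`; passing `None` models a file extracted from a mounted ISO, for which that stream does not exist.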

After gaining initial access, the threat actors deliver a number of off-the-shelf tools to carry out follow-on attacks: AdFind to query the target’s Active Directory, SharpSMBExec to execute commands on a remote machine over the SMB protocol, SharpView for reconnaissance, and even an exploit for a Windows privilege escalation flaw (CVE-2021-36934).

“Recent months have shown that The Dukes are a serious threat to western organizations, especially in the diplomatic sector,” the researchers added. “They are very persistent, have good operational security, and they know how to create convincing phishing messages.”
