Russian-Linked APT28 Caught in Cyber Espionage Against Poland

Poland's computer emergency response team, CERT-PL, warns of a malware campaign orchestrated by APT28 (aka. Fancy Bear, Forest Blizzard, Strontium, Tsar Team), a group linked to Russia's GRU, targeting Polish government institutions. This campaign is initiated from phishing emails designed to lure victims into downloading malicious ZIP archives. These emails link to seemingly benign services like run.mocky[.]io and webhook[.]site to disguise their intent and minimize detection risks. The downloaded ZIP file, disguised as a photo archive, contains a misleading executable (masquerading as a photo but actually a calculator app), a hidden BAT script, and a fake WindowsCodecs.dll file, to enable DLL Side-Loading.

Once executed, the disguised calculator tries to load the fake DLL, which then triggers the BAT script. This script uses the Microsoft Edge browser to download and execute another script, which shows photos of a woman in a swimsuit along with social media links to seem legitimate. This distracts the victim while the script changes the downloaded file's extension from .jpg to .cmd and executes it, establishing a loop that continuously downloads and executes further scripts. The scripts gather critical information such as the computer's IP address and the contents of key directories like Desktop, Downloads, and Documents. They execute commands like chcp 65001 to set the console's character encoding to UTF-8, ensuring that the data collection process captures all characters correctly, especially non-ASCII content. After gathering this data, it sends the compiled information back to the attackers. The script also attempts to terminate any instances of Microsoft Edge to prevent interference before launching a headless browser session to send the data.

CERT-PL's analysis suggests that this campaign is part of a larger pattern of APT28 activities across NATO countries, aimed at undermining security and extracting sensitive information. The use of common web services in the attack chain is a strategic choice to reduce detection and operational costs. CERT-PL recommends organizations to check connections to these services and consider blocking them if not used, alongside enhancing email filtering to prevent similar attacks.