APT29 Adopts Car Sales Persona for Phishing Campaign
Category: Russia & Ukraine | Industry: Government | Source: Unit 42
The Russian threat group APT29, also known as Cloaked Ursa, UAC-0029, Midnight Blizzard/Nobelium, or Cozy Bear, has launched a new phishing campaign built around a lure advertising BMW vehicles for sale. According to researchers from Unit 42, the campaign has specifically targeted pro-Ukrainian diplomats, with at least 22 embassies in Kyiv receiving the malware-delivering phishing emails. Unit 42 described this round of phishing as having a more personal touch, "focusing on the diplomats themselves more than the countries they represent."
The campaign is tracked to have started in May 2023 with the distribution of the weaponized car flyers. Unit 42 found that roughly 80% of the targeted email addresses were publicly available; the remaining 20% were likely gathered or compromised by other means. If a diplomat clicked on the car images within the email, a malicious execution flow would begin. First, HTML smuggling would deliver an ISO container holding shortcut files. Upon opening the ISO, the victim would be shown what appeared to be a set of vehicle images in .png form; these were in fact the shortcut files, and opening one would load a malicious DLL through DLL hijacking. The DLL would then inject shellcode into a Windows process, ultimately executing a decrypted final payload. That payload would connect to both Dropbox and the Microsoft Graph API, using them as its command-and-control (C2) channels for further communication.
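The lure in this chain depends on Windows hiding the .lnk extension, so a shortcut named like an image is displayed as a picture. A simple triage check for a mounted ISO is therefore to compare each file's name with its actual content: a Windows Shell Link always starts with the fixed 76-byte ShellLinkHeader (size 0x4C followed by the CLSID 00021401-0000-0000-C000-000000000046), and its LinkFlags field records whether the shortcut carries a command line. The script below is an added example, not code from the page or from Unit 42; the directory layout, file names and file contents it scans are constructed here to mimic the described "vehicle images", and the function names are the author's own.

```python
"""Triage a mounted ISO (or any directory) for shortcut files posing as images.

Added example for this article; the sample files are constructed, not captured.
"""
import os
import struct
import tempfile

# ShellLinkHeader: HeaderSize 0x0000004C + LinkCLSID 00021401-0000-0000-C000-000000000046
LNK_MAGIC = bytes.fromhex("4C000000" "01140200" "0000" "0000" "C000" "000000000046")
HAS_RELATIVE_PATH = 0x08   # LinkFlags bits (MS-SHLLINK 2.1.1)
HAS_ARGUMENTS = 0x20       # the shortcut passes command-line arguments to its target

# What a genuine image of each extension should start with
IMAGE_MAGIC = {
    ".png": bytes.fromhex("89504E470D0A1A0A"),
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".gif": b"GIF8",
}


def lnk_flags(data):
    """Return the LinkFlags of a ShellLinkHeader, or None if data is not an LNK."""
    if len(data) < 76 or data[:20] != LNK_MAGIC:
        return None
    return struct.unpack_from("<I", data, 20)[0]


def inspect_file(name, data):
    """Return a list of findings for one file; empty list means nothing odd."""
    findings = []
    root, ext = os.path.splitext(name)
    ext = ext.lower()
    inner_ext = os.path.splitext(root)[1].lower()
    flags = lnk_flags(data)
    if flags is not None:
        if ext != ".lnk":
            findings.append("shell link with non-.lnk extension")
        if inner_ext in IMAGE_MAGIC:
            findings.append("double extension hides .lnk behind an image name")
        if flags & HAS_ARGUMENTS:
            findings.append("shortcut passes command-line arguments")
    elif ext in IMAGE_MAGIC and not data.startswith(IMAGE_MAGIC[ext]):
        findings.append("image extension but content is not that image type")
    return findings


def scan_dir(path):
    """Walk path (e.g. the mount point of an ISO) and map each suspicious
    relative file path to its findings."""
    results = {}
    for dirpath, _, filenames in os.walk(path):
        for fname in filenames:
            full = os.path.join(dirpath, fname)
            with open(full, "rb") as fh:
                head = fh.read(4096)  # header bytes are enough for the checks above
            findings = inspect_file(fname, head)
            if findings:
                results[os.path.relpath(full, path)] = findings
    return results


def build_sample_dir():
    """Create a constructed directory imitating the ISO's fake 'vehicle images'."""
    path = tempfile.mkdtemp(prefix="iso_triage_")
    # 76-byte header: size, CLSID, LinkFlags, then the remaining fixed fields zeroed
    lnk_header = LNK_MAGIC + struct.pack("<I", HAS_RELATIVE_PATH | HAS_ARGUMENTS) + b"\x00" * 52
    samples = {
        "car_front.png": IMAGE_MAGIC[".png"] + b"\x00" * 64,   # genuine-looking PNG
        "car_side.png.lnk": lnk_header + b"\x00" * 64,         # shown as car_side.png on Windows
        "interior.png": lnk_header + b"\x00" * 64,             # LNK bytes under an image name
        "price_list.txt": b"BMW 5 series, 7500 EUR\n",
    }
    for name, content in samples.items():
        with open(os.path.join(path, name), "wb") as fh:
            fh.write(content)
    return path


if __name__ == "__main__":
    for rel, why in scan_dir(build_sample_dir()).items():
        print(rel, "->", "; ".join(why))
```

Run it against the mount point of a suspicious ISO instead of `build_sample_dir()`; anything flagged as a shell link with arguments under an image name is worth pulling the full LNK apart (target, working directory, arguments) before anyone double-clicks it.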