APT29/Nobelium Targets Embassies

Industry: Government | Level: Tactical | Source: Fortinet

Research from FortiGuard has identified threat actor group, APT29/Nobelium/Cozy Bear to be targeting embassies as an observed email impersonating the "Embassy of the Republic of Turkey." Analysis of the email's malicious HTML attachment uncovers a malicious JavaScript, which creates an ISO file requiring the user to execute the ISO file. A shortcut pointing to a malicious DLL file is executed for Cobalt Strike. This tactic is likely conducted to monitor activity in embassies to assist in Russian operations.

• Anvilogic Scenario: Malicious Document Delivering Malware
• Anvilogic Use Cases:
• Rundll32 Command Line
• Suspicious File written to Disk