Mandiant Tracks APT29 Phishing Campaigns


Industry: Diplomatic, Government | Level: Tactical | Source: Mandiant

Mandiant has identified the Russian state-sponsored threat group APT29 as having launched phishing campaigns against the government and diplomatic verticals since January 17th, 2022. Geographically, the targets are located in Europe, the Americas, and Asia. The phishing emails were themed as administrative notices and sent through compromised email accounts. Each malicious email contained an HTML dropper that writes a disk image, either an IMG or an ISO, to disk. When mounted, the image presents the victim with a LNK and a DLL file; executing the LNK triggers the infection. The group used various custom malware during initial access and post-compromise to establish a foothold in the environment, such as ROOTSAW, BOOMMIC, and BEATDROP. Techniques observed within the environment include abusing certificates, modifying registry run keys, creating or modifying scheduled tasks, conducting discovery with native commands, and Kerberoasting. APT29 has demonstrated the ability to move quickly within the environment: the group typically reaches Domain Admin privileges within 12 hours.

Anvilogic Use Cases:

  • Symbolic OR Hard File Link Created
  • Suspicious Certificate Modification
  • Create/Modify Schtasks
  • New AutoRun Registry Key
  • Registry key added with reg.exe
  • WinRM Tools
  • Common Reconnaissance Commands
  • Locate Credentials
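As an added illustration, not part of the bulletin or of Anvilogic's detection content, the following Python classifier maps constructed Sysmon-style events to several of the behaviours described above: an ISO/IMG written to disk by a mail client or browser (the HTML dropper stage), a reg.exe addition under a Run key, a scheduled task creation, and a native discovery command. The event shape, file paths, and the first rule's name are assumptions; the other rule names are taken from the use-case list.

```python
import re

# Constructed events in a simplified Sysmon-like shape (kind, image, cmd/target).
# They are fabricated for this example, not telemetry from the Mandiant report.
SAMPLE_EVENTS = [
    {"kind": "file_create", "image": r"C:\Program Files\Outlook\OUTLOOK.EXE",
     "target": r"C:\Users\Public\Downloads\Notice.iso"},
    {"kind": "process", "image": r"C:\Windows\System32\reg.exe",
     "cmd": r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Svc /d C:\Users\Public\s.dll"},
    {"kind": "process", "image": r"C:\Windows\System32\schtasks.exe",
     "cmd": r"schtasks /create /tn Updater /tr C:\Users\Public\s.dll /sc minute"},
    {"kind": "process", "image": r"C:\Windows\System32\whoami.exe", "cmd": "whoami /groups"},
    {"kind": "process", "image": r"C:\Windows\System32\notepad.exe", "cmd": "notepad.exe"},
]

RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\b", re.IGNORECASE)
RECON = re.compile(r"^(whoami|nltest|systeminfo|ipconfig|net1?\s+(group|user|view))\b", re.IGNORECASE)


def classify(event):
    """Map one event to the matching use-case names (empty list if nothing matched)."""
    hits = []
    image = event["image"].lower()
    if event["kind"] == "file_create":
        # HTML dropper stage: an IMG/ISO written to disk by a mail client or browser.
        if event["target"].lower().endswith((".iso", ".img")) and image.endswith(
                ("outlook.exe", "chrome.exe", "msedge.exe", "firefox.exe")):
            hits.append("ISO/IMG written by mail client or browser")  # rule name is ours
        return hits
    cmd = event.get("cmd", "")
    if image.endswith("reg.exe") and re.search(r"\badd\b", cmd, re.IGNORECASE):
        hits.append("Registry key added with reg.exe")
        if RUN_KEY.search(cmd):  # persistence via a Run/RunOnce key
            hits.append("New AutoRun Registry Key")
    if image.endswith("schtasks.exe") and re.search(r"/(create|change)\b", cmd, re.IGNORECASE):
        hits.append("Create/Modify Schtasks")
    if RECON.match(cmd):  # discovery with native commands
        hits.append("Common Reconnaissance Commands")
    return hits


def detect(events):
    """Return [(event index, [use cases])] for every event that matched at least one rule."""
    return [(i, h) for i, e in enumerate(events) if (h := classify(e))]


if __name__ == "__main__":
    for idx, hits in detect(SAMPLE_EVENTS):
        print(idx, SAMPLE_EVENTS[idx]["image"], "->", ", ".join(hits))
```

In a real deployment the rules would run over the Sysmon process-creation and file-creation event channels rather than an in-memory list, and the benign baseline (notepad.exe here) should produce no hit.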
