Adversaries Use Weaponized PDFs Disguised as German Embassy Lures to Spread Duke Malware Variant

Cybersecurity researchers have observed a new malicious campaign targeting the Ministries of Foreign Affairs of NATO-related countries. Adversaries distribute lure PDF documents that masquerade as coming from the German embassy. One of the PDF files contains Duke malware attributed to the nefarious russian nation-backed hacking collective tracked as APT29, aka NOBELIUM, Cozy Bear, or The Dukes.

Detect Attacks Applying Weaponized PDFs to Spread Duke Malware Variant via DLL Sideloading

With APT29 being a secretive hacking division of the russian Foreign Intelligence Service (SVR) acting in favor of Moscow’s geopolitical interests, the latest malicious campaign targeting NATO countries might be part of offensive actions against Ukraine’s allies.

By cooperating with CERT-UA and SSSCIP, SOC Prime researches, develops, and tests Sigma rules on the real battlefield, delivering hundreds of pieces of new detection content a month to help thwart russia’s destructive attacks. To assist cyber defenders in identifying the latest APT29 cyber attack, SOC Prime Platform offers a dedicated Sigma rule aimed at detecting attempts to side-load a legitimately named MSO dynamic library in order to perform malicious activity.

Possible MSO Dynamic Library Side-Loading Attempt (via image_load)

The rule is compatible with 20 SIEM, EDR, XDR, and Data Lake technology formats and is mapped to MITRE ATT&CK®, addressing the Defense Evasion tactic with Hijack Execution Flow (T1574) as the corresponding technique.
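To make the detection idea behind a rule of this kind concrete, the following Python snippet is an added example (it is not SOC Prime's Sigma rule and is not derived from it). It triages constructed image_load telemetry shaped loosely like Sysmon Event ID 7 (the field names `Image` and `ImageLoaded` and the list of expected Office directories are assumptions for this example) and flags a library named like the genuine MSO DLL when it is loaded from a directory where Office would never install it, raising confidence when the loading executable sits in that same directory, which is the classic side-loading layout.

```python
"""Triage image_load events for side-loading of a legitimately named MSO library.

Added example, not SOC Prime's rule. Event fields follow Sysmon Event ID 7
loosely (Image = loading process, ImageLoaded = DLL path); the expected
Office directories below are assumptions for this example.
"""
from pathlib import PureWindowsPath

# Where the genuine MSO library is normally installed (assumption for this example).
EXPECTED_DIRS = (
    r"c:\program files\common files\microsoft shared\office16",
    r"c:\program files (x86)\common files\microsoft shared\office16",
    r"c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\office16",
)

# Legitimately named library that the campaign abuses for side-loading.
SUSPECT_NAMES = ("mso.dll",)


def is_suspicious_image_load(event: dict) -> bool:
    """True when a DLL named like MSO is loaded from outside the expected Office paths."""
    loaded = PureWindowsPath(event.get("ImageLoaded", ""))
    if loaded.name.lower() not in SUSPECT_NAMES:
        return False
    parent = str(loaded.parent).lower()
    return not any(parent.startswith(d) for d in EXPECTED_DIRS)


def triage_events(events: list) -> list:
    """Return flagged events enriched with a same-directory heuristic."""
    flagged = []
    for ev in events:
        if not is_suspicious_image_load(ev):
            continue
        loader_dir = str(PureWindowsPath(ev.get("Image", "")).parent).lower()
        dll_dir = str(PureWindowsPath(ev["ImageLoaded"]).parent).lower()
        flagged.append({
            "process": ev.get("Image"),
            "dll": ev["ImageLoaded"],
            # Loader and DLL in the same non-Office directory: typical side-loading drop.
            "same_dir_as_loader": loader_dir == dll_dir,
        })
    return flagged


# Constructed sample events (not real telemetry from the campaign).
SAMPLE_EVENTS = [
    {  # benign: Word loading the real MSO library from the Office install path
        "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        "ImageLoaded": r"C:\Program Files\Common Files\Microsoft Shared\Office16\MSO.DLL",
    },
    {  # suspicious: an executable dropped to a user directory loading mso.dll beside it
        "Image": r"C:\Users\victim\AppData\Local\Temp\Invitation\viewer.exe",
        "ImageLoaded": r"C:\Users\victim\AppData\Local\Temp\Invitation\mso.dll",
    },
    {  # unrelated: a system DLL, ignored by the name filter
        "Image": r"C:\Windows\System32\notepad.exe",
        "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
    },
]

if __name__ == "__main__":
    for hit in triage_events(SAMPLE_EVENTS):
        print(hit)
```

Name-plus-path logic like this is cheap but depends on the expected-directory list being complete for the Office builds in the estate; a practical deployment would generate that list from a software inventory and add the loader's signature status as a further field.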

To delve into the whole set of detection algorithms addressing APT29 TTPs, hit the Explore Detections button below. For streamlined threat investigation, teams can also drill down to relevant metadata, including ATT&CK and CTI references.


Attack Analysis Using Weaponized PDFs with HTML Smuggling and Spreading Duke Malware

EclecticIQ researchers have observed an ongoing offensive operation against Ministries of Foreign Affairs of NATO countries, in which adversaries take advantage of malicious PDF files with invitation lures impersonating the German embassy. One of the weaponized PDF files contains the Duke malware variant previously linked to the infamous russia-backed state-sponsored group known as APT29. The group is behind a series of cyber-espionage attacks, is backed by russia’s Foreign Intelligence Service, and leverages a sophisticated adversary toolkit to conduct its offensive operations.

In the ongoing adversary campaign, threat actors use Zulip servers for C2, enabling them to blend in with legitimate web traffic and evade detection. Based on the adversary behavior patterns, lure files, the malware used, and its means of delivery, researchers link the observed malicious campaign to APT29 activity.

The infection chain is triggered by opening the malicious PDF lure files, whose embedded JavaScript code drops payloads in HTML file format on the compromised devices. Using HTML smuggling, attackers deliver an archive with a malicious HTML application file (HTA), a popular LOLBIN vector, which in turn drops the Duke malware sample on the impacted systems.

Launching the HTA file drops three executable files into a specific directory on the compromised system. One of these files is the Duke malware variant, executed via DLL sideloading. The malware applies Windows API hashing as an evasion technique, enabling adversaries to bypass static malware scanners.
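The HTML smuggling stage described above can be triaged statically at a mail gateway or in a sandbox before any browser renders the page. The following Python scanner is an added example (not from the EclecticIQ report or SOC Prime) that scores an HTML document by the client-side APIs smuggling pages combine to rebuild an archive from an embedded blob and hand it to the user as a download. The indicator set, the threshold, and the two constructed sample documents are assumptions for this example.

```python
"""Static triage of HTML files for HTML-smuggling indicators.

Added example, not from the EclecticIQ report or SOC Prime. The indicator
names, the threshold and the sample documents are assumptions for this example.
"""
import re

# Client-side building blocks that smuggling pages typically combine.
INDICATORS = {
    "decodes_base64": re.compile(r"\batob\s*\(", re.I),
    "builds_blob": re.compile(r"\bnew\s+Blob\s*\(", re.I),
    "creates_object_url": re.compile(r"\bcreateObjectURL\s*\(", re.I),
    "forces_download": re.compile(r"\.download\s*=|\bdownload\s*=\s*[\"']", re.I),
    "legacy_ie_save": re.compile(r"\bmsSaveOrOpenBlob\b", re.I),
    "names_archive": re.compile(r"[\"'][^\"']*\.(?:zip|iso|img|rar|7z)[\"']", re.I),
    # A very long base64-looking literal is the embedded payload itself.
    "large_literal": re.compile(r"[\"'][A-Za-z0-9+/=]{2000,}[\"']"),
}
SUSPICIOUS_THRESHOLD = 3  # assumption: three or more indicators warrants escalation


def html_smuggling_indicators(html: str) -> dict:
    """Return which indicators fired, the total, and a suspicious verdict."""
    hits = {name: bool(rx.search(html)) for name, rx in INDICATORS.items()}
    score = sum(hits.values())
    return {"indicators": hits, "score": score, "suspicious": score >= SUSPICIOUS_THRESHOLD}


# Constructed sample: the skeleton of a smuggling page (placeholder blob, no auto-click).
SAMPLE_SMUGGLING = (
    "<html><body><script>\n"
    "var data = '" + "A" * 2100 + "';\n"  # stand-in for an embedded base64 archive
    "var bytes = atob(data);\n"
    "var blob = new Blob([bytes], {type: 'application/octet-stream'});\n"
    "var link = document.createElement('a');\n"
    "link.href = URL.createObjectURL(blob);\n"
    "link.download = 'Invitation.zip';\n"
    "</script></body></html>"
)

# Constructed benign sample: a plain download link to a server-hosted file.
SAMPLE_BENIGN = (
    "<html><body><h1>Embassy invitation</h1>"
    "<a href='/files/agenda.pdf' download='agenda.pdf'>Agenda</a>"
    "</body></html>"
)

if __name__ == "__main__":
    for label, doc in (("smuggling", SAMPLE_SMUGGLING), ("benign", SAMPLE_BENIGN)):
        verdict = html_smuggling_indicators(doc)
        print(label, verdict["score"], verdict["suspicious"])
```

A single indicator such as a download attribute is common on legitimate pages, which is why the verdict rests on the combination rather than any one match; obfuscated or split strings will evade these regexes, so in practice this is a cheap first filter ahead of detonation in a sandbox.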

As potential mitigation measures, defenders recommend configuring proper network protection mechanisms to block suspicious network traffic, applying allow-list policies on Windows hosts to prevent execution of specific LOLBINs that might be exploited by attackers, increasing cybersecurity awareness, and continuously implementing the industry’s best security practices to boost cyber resilience. 

Rely on the power of augmented intelligence and collective industry expertise with Uncoder AI to seamlessly create detection algorithms against emerging threats, instantly convert them to 44 SIEM, EDR, XDR & Data Lake formats, and share your code with industry peers to foster active threat-informed defense. 
