Fighting Ursa (aka APT28) Attack Detection: Adversaries Target Diplomats Using a Car for Sale as a Phishing Lure to Spread HeadLace Malware

The nefarious russian state-sponsored APT28 hacking collective, also known as Fighting Ursa, is coming into the spotlight. Since early spring 2024, adversaries have been targeting diplomats in a long-term offensive campaign, leveraging a car for sale as a phishing lure to distribute HeadLace malware.

Detect Fighting Ursa aka APT28 Attacks Spreading HeadLace Malware

The continuously evolving adversary infrastructure of the notorious hacking collective Fighting Ursa or APT28 underscores the need for strengthening organizations’ defenses to gain a competitive edge over the group’s increasing cyber attacks. SOC Prime Platform for collective cyber defense curates a collection of detection algorithms to help security teams proactively thwart Fighting Ursa’s attacks, including the latest campaign against diplomats spreading HeadLace malware. 

Explore Detections

Click the Explore Detections button below to reach the curated Sigma rules filtered by the corresponding tag based on the group’s identifier. The provided detection algorithms are enriched with relevant threat intel, mapped to the MITRE ATT&CK® framework, and are ready to instantly convert into the chosen SIEM, EDR, or Data Lake language format from across 30+ supported platforms. 

Security engineers looking for high-quality detection content to retrospectively analyze APT28 TTPs can also follow this link. For more related SOC content, organizations can search SOC Prime’s Threat Detection Marketplace using the “Forest Blizzard” tag based on another group’s identified or follow this link.

Fighting Ursa Attack Analysis

Palo Alto researchers have recently uncovered an ongoing malicious campaign primarily targeting diplomats and attributed to the russia-linked hacking collective tracked as Fighting Ursa (aka APT28, Fancy Bear, Forest Blizzard, STRONTIUM, Pawn Storm, or Sofacy Group). Since at least March 2024, a notorious nation-backed group has been advertising a car for sale as a phishing lure to spread a modular Windows backdoor known as HeadLace, which operates in stages, likely to avoid detection and hinder malware analysis. 

APT28, a GRU-backed group associated with Unit 26165 of russia’s military intelligence agency, has been observed in the cyber threat arena for two decades. Since russia’s full-scale invasion of Ukraine, the hacking gang has also been launching a set of offensive campaigns leveraging the phishing attack vector, primarily targeting Ukrainian state bodies along with the country’s allies. 

Notably, russian hacking groups have employed diplomatic-car-for-sale phishing lure themes for years. These lures often appeal to diplomats, enticing targets to click on the malicious content. In 2023, another russia-backed hacking collective known as APT29 (aka NOBELIUM or CozyBear) has been leveraging a BMW for sale as a phishing lure targeting diplomatic missions in Ukraine. Fighting Ursa is notorious for reusing successful adversary strategies for its own offensive operations, displaying similar behavior patterns in the latest campaign.

The infection chain is triggered by a fake URL hosted by the legitimate Webhook.site service. Fighting Ursa exploited the Webhook.site to create a URL that delivered a malicious HTML page. The weaponized HTML contains several elements designed to automate the attack. Initially, it checks if the visiting computer runs on Windows. In case the system is not Windows-based, it redirects the targeted user to a decoy image hosted on ImgBB, specifically an Audi Q7 Quattro SUV. The fraudulent ad is titled “Diplomatic Car For Sale.” Since the final payload targets Windows, this OS check likely ensures that subsequent actions are only executed for Windows users. The HTML then generates a ZIP archive from Base64 text within the HTML, offers it for download, and attempts to open it via JavaScript.

The malicious archive contains a legitimate Windows calculator executable disguised as an image file, a DLL, and a batch script. The calculator executable sideloads the malicious DLL, part of the HeadLace backdoor, which runs the batch script. The latter executes a Base64-encoded command to retrieve a file from another Webhook.site URL, saves it as an image file in the downloads folder, changes the file extension to the .cmd for execution, and then deletes it to remove any traces. 

With its constantly evolving infrastructure, use of diverse lures, and ability to repurpose adversary tactics, Fighting Ursa remains a persistent player in the cyber threat arena. The group’s reliance on legitimate web services for offensive purposes encourages defenders to restrict access to such services and scrutinize their use to reduce the attack surface. Rely on SOC Prime’s Attack Detective to maximize threat visibility and effectively address detection coverage gaps, obtain prioritized SIEM use cases to easily generate low-noise and high-value alerts, and smoothly deliver hunting capability to act faster than attackers.