Novel BEATDROP and BOOMMIC Malware Families Used by APT29: Phishing Campaigns with HTML Smuggling Techniques, Long-Term Access for Espionage Purposes
APT29 is a Russian state-sponsored espionage group, also tracked by the security community as Nobelium. The targeting of its campaigns tracks Russia's current geopolitical priorities. Its latest activity is characterized by the use of the BEATDROP and BEACON loaders to deploy the BOOMMIC (VaporRage) malware.
Security analysts report that the latest phishing campaigns were crafted to target diplomats and different government agencies with the goal of maintaining access within an environment for espionage purposes.
Detect APT29 Activity: Novel BEATDROP and BOOMMIC Malware
The rules below detect APT29 activity through the following indicators: lateral movement via a scheduled task named SharedRealitySvcDLC that launches the implant; SMB BEACON staged to multiple systems so that BEACON can be executed on remote hosts; and the SMB BEACON payload's named pipes as surfaced in pipe_event logs. The rules were developed by our top-tier Threat Bounty developers Nattatorn Chuensangarun, Emir Erdogan and Kaan Yeniyol:
Possible APT29 Group Lateral Movement with SMB BEACON Staging (process_creation)
Possible APT29 Lateral Movement by Use of BEACON Scheduled Task (via cmdline)
Suspicious APT29 Lateral Movement by Use of SMB Beacon (via pipe_event)
Suspicious SMB Beacon (APT29) (April 2022) Persistence by Creating Scheduled Task (via security)
APT 29 Phishing Campaigns downloads BEATDROP and BOOMMIC malwares (via process_creation)
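The following is an added example of the detection logic the indicators above call for, written for this page and not taken from SOC Prime's Sigma rules or Mandiant's reporting. It runs three checks over constructed sample events shaped like JSON-normalised Windows Security 4698 (scheduled task created), Sysmon 17 (named pipe created) and Sysmon 1 (process creation) records: the SharedRealitySvcDLC task name, SMB BEACON named pipes, and schtasks creating a task on a remote host. The named-pipe patterns are Cobalt Strike's documented defaults, which the page itself does not list; treat them as an assumption that must be tuned, since operators can rename pipes in a Malleable C2 profile.

```python
"""Detection logic for the APT29 lateral-movement indicators described above.

Added example, not SOC Prime's Sigma rules and not Mandiant code. The events
are constructed by hand to look like JSON-normalised Windows Security 4698,
Sysmon 17 and Sysmon 1 records; field names follow the Windows/Sysmon schemas.
"""
import re

# Task name reported for the APT29 BEACON deployment.
APT29_TASK_NAME = "SharedRealitySvcDLC"

# Cobalt Strike default SMB/post-exploitation pipe names (assumption: operators
# can rename these in a Malleable C2 profile, so a miss is not a clean bill).
CS_PIPE_PATTERNS = [
    re.compile(r"\\msagent_[0-9a-f]{2}$", re.I),
    re.compile(r"\\MSSE-[0-9]{1,4}-server$", re.I),
    re.compile(r"\\postex_[0-9a-f]{4}$", re.I),
    re.compile(r"\\status_[0-9a-f]{2}$", re.I),
]

# Constructed sample events: one hit and one benign neighbour per rule.
SAMPLE_EVENTS = [
    {"source": "Security", "EventID": 4698, "Computer": "FS01",
     "SubjectUserName": "svc_backup", "TaskName": "\\SharedRealitySvcDLC"},
    {"source": "Security", "EventID": 4698, "Computer": "FS01",
     "SubjectUserName": "SYSTEM",
     "TaskName": "\\Microsoft\\Windows\\UpdateOrchestrator\\Reboot"},
    {"source": "Sysmon", "EventID": 17, "Computer": "FS01",
     "Image": "C:\\Windows\\System32\\rundll32.exe", "PipeName": "\\msagent_3f"},
    {"source": "Sysmon", "EventID": 17, "Computer": "FS01",
     "Image": "C:\\Windows\\System32\\services.exe", "PipeName": "\\ntsvcs"},
    {"source": "Sysmon", "EventID": 1, "Computer": "WS02",
     "Image": "C:\\Windows\\System32\\schtasks.exe",
     "CommandLine": 'schtasks /create /s FS01 /tn SharedRealitySvcDLC '
                    '/tr "rundll32.exe C:\\ProgramData\\svc.dll,Start" '
                    '/sc ONSTART /ru SYSTEM'},
    {"source": "Sysmon", "EventID": 1, "Computer": "WS02",
     "Image": "C:\\Windows\\System32\\schtasks.exe",
     "CommandLine": "schtasks /query /tn \\Microsoft\\Windows\\Defrag\\ScheduledDefrag"},
]


def _task_leaf(task_name):
    """Return the last path component: '\\Microsoft\\Windows\\Foo' -> 'Foo'."""
    return task_name.replace("/", "\\").rstrip("\\").split("\\")[-1]


def match_scheduled_task(ev):
    """Security 4698: a scheduled task with the APT29 task name was created."""
    if ev.get("source") != "Security" or ev.get("EventID") != 4698:
        return None
    if _task_leaf(ev.get("TaskName", "")).lower() == APT29_TASK_NAME.lower():
        return {"rule": "APT29 BEACON persistence via scheduled task (Security 4698)",
                "computer": ev.get("Computer"), "evidence": ev["TaskName"],
                "severity": "high"}
    return None


def match_smb_beacon_pipe(ev):
    """Sysmon 17/18: a pipe was created or connected under a CS default name."""
    if ev.get("source") != "Sysmon" or ev.get("EventID") not in (17, 18):
        return None
    pipe = ev.get("PipeName", "")
    for pat in CS_PIPE_PATTERNS:
        if pat.search(pipe):
            return {"rule": "SMB BEACON named pipe (Sysmon pipe_event)",
                    "computer": ev.get("Computer"),
                    "evidence": f"{pipe} by {ev.get('Image')}", "severity": "high"}
    return None


def match_remote_task_cmdline(ev):
    """Sysmon 1: schtasks /create with /s <host>, i.e. staging on a remote system."""
    if ev.get("source") != "Sysmon" or ev.get("EventID") != 1:
        return None
    cmd = ev.get("CommandLine", "")
    low = cmd.lower()
    if "schtasks" not in low or "/create" not in low:
        return None
    remote = re.search(r"\s/s\s+(\S+)", cmd, re.I)   # '/sc' does not match here
    if not remote:
        return None
    tn = re.search(r"/tn\s+\"?([^\s\"]+)", cmd, re.I)
    task = tn.group(1) if tn else ""
    known = _task_leaf(task).lower() == APT29_TASK_NAME.lower()
    return {"rule": "Remote scheduled task creation via schtasks (process_creation)",
            "computer": ev.get("Computer"),
            "evidence": f"target={remote.group(1)} task={task or '?'}",
            "severity": "high" if known else "medium"}


RULES = (match_scheduled_task, match_smb_beacon_pipe, match_remote_task_cmdline)


def run_detections(events):
    """Apply every rule to every event and return the list of hits in order."""
    hits = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                hits.append(hit)
    return hits


if __name__ == "__main__":
    for h in run_detections(SAMPLE_EVENTS):
        print(h["severity"].upper(), "|", h["rule"], "|", h["computer"], "|", h["evidence"])
```

The remote-schtasks rule deliberately fires at medium severity even without the known task name: administrators do create tasks remotely, but a non-admin workstation doing so against a file server is the pattern the SMB BEACON staging relies on, and the task name is the cheapest thing for the actor to change.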
Press the View All button to check the full list of detections associated with APT29, available in the Threat Detection Marketplace repository of the SOC Prime platform.
Eager to connect with industry leaders and develop your own content? Join SOC Prime's crowdsourced initiative as a content contributor and share your own Sigma and YARA rules with the global cybersecurity community while strengthening collaborative cyber defense worldwide.
APT29 Phishing Campaign Details
The first reports of this multi-stage phishing campaign appeared in early 2022. Researchers from Mandiant observed APT29 sending spear-phishing emails that mimicked administrative notices from embassies, sent from legitimate but compromised email accounts belonging to diplomatic entities. The use of a legitimate cloud service, Atlassian's Trello, for command and control is most likely intended to blend C2 traffic with normal business activity and make identification and mitigation harder for victims.
In this campaign the attackers used HTML smuggling, a delivery technique in which an HTML attachment or web page carries the malicious payload as an encoded (typically Base64) string and uses HTML5 and JavaScript to reconstruct it on the victim's machine. When the user opens the attachment or follows the link, the browser decodes the string into a Blob and writes it to disk as a download, so the payload never crosses the mail gateway as a recognizable file. APT29 used it to deliver IMG and ISO files, a delivery method the group behind the notorious SolarWinds supply-chain attack has relied on before.
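As an added example (not Mandiant's or SOC Prime's code), the triage routine below shows why a mail gateway has to decode what an HTML attachment carries rather than trust its extension. It builds a constructed smuggling attachment in-line, shaped like the pattern just described (Base64 string, atob, Blob, forced download), around a dummy ISO: 32 KiB of zeros followed by a minimal ISO 9660 primary volume descriptor, which is where the CD001 signature lives. The triage then looks for the JavaScript primitives that implement the drop, decodes any large Base64 literal it finds, and identifies the container. It goes slightly beyond the page's ISO case by also recognising PE, ZIP and OLE payloads; the lure text and file name are invented.

```python
"""Triage an HTML e-mail attachment for HTML smuggling.

Added example, not from the page's authors. The attachment and the ISO inside
it are constructed here; the markers are the JavaScript calls an HTML
smuggling drop needs to reconstruct and save a file from the browser.
"""
import base64
import re

# JavaScript primitives that, taken together, implement the smuggling drop.
SMUGGLING_MARKERS = {
    "base64_decode": re.compile(r"\batob\s*\("),
    "blob_build": re.compile(r"new\s+Blob\s*\("),
    "object_url": re.compile(r"URL\.createObjectURL\s*\("),
    "forced_download": re.compile(r"\.download\s*=|\bdownload\s*=\s*[\"']", re.I),
    "ie_save": re.compile(r"msSaveOrOpenBlob"),
}

# Container signatures worth flagging. ISO 9660 keeps its signature at byte
# 0x8001 (system area of 16 sectors, then the descriptor type byte); the
# others sit at offset 0.
MAGIC = [
    ("ISO 9660 image", 0x8001, b"CD001"),
    ("PE executable", 0, b"MZ"),
    ("ZIP/OOXML archive", 0, b"PK\x03\x04"),
    ("OLE compound document", 0, b"\xd0\xcf\x11\xe0"),
]

# A quoted Base64 literal long enough to be a payload rather than an icon.
BASE64_LITERAL = re.compile(r"[\"']([A-Za-z0-9+/]{200,}={0,2})[\"']")


def build_sample_attachment():
    """Constructed smuggling attachment wrapped around a dummy ISO image."""
    # System area (16 x 2048 bytes) + primary volume descriptor header:
    # type 0x01, "CD001", version 0x01, padded to one sector.
    iso = bytes(0x8000) + b"\x01CD001\x01" + bytes(2041)
    b64 = base64.b64encode(iso).decode("ascii")
    return f"""<html><body>
<p>Notice: please review the attached document.</p>
<script>
var b64 = "{b64}";
var bin = atob(b64);
var buf = new Uint8Array(bin.length);
for (var i = 0; i < bin.length; i++) buf[i] = bin.charCodeAt(i);
var blob = new Blob([buf], {{type: "application/octet-stream"}});
var a = document.createElement("a");
a.href = URL.createObjectURL(blob);
a.download = "notice.iso";
document.body.appendChild(a);
a.click();
</script></body></html>"""


def identify(data):
    """Name the container by its magic bytes, or 'unknown'."""
    for name, offset, sig in MAGIC:
        if data[offset:offset + len(sig)] == sig:
            return name
    return "unknown"


def triage_html(html):
    """Return the smuggling markers, decoded payloads and a verdict for one attachment."""
    markers = [name for name, pat in SMUGGLING_MARKERS.items() if pat.search(html)]
    payloads = []
    for m in BASE64_LITERAL.finditer(html):
        try:
            data = base64.b64decode(m.group(1), validate=True)
        except ValueError:        # binascii.Error is a ValueError; not Base64 after all
            continue
        payloads.append({"size": len(data), "type": identify(data)})
    saves_file = "forced_download" in markers or "ie_save" in markers
    if "base64_decode" in markers and saves_file and payloads:
        verdict = "smuggling"
    elif markers:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"markers": markers, "payloads": payloads, "verdict": verdict}


if __name__ == "__main__":
    print(triage_html(build_sample_attachment()))
```

In production the Base64 literal is often split across several variables or built from character codes to defeat exactly this regex, so the decoded-payload check is a quality signal, not a gate: the presence of atob plus a forced download with no recognisable payload still deserves a detonation.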
Next, security analysts observed the deployment of BEATDROP, a loader written in C, and BEACON, written in C++. BEATDROP uses Trello for C2 communication and operates entirely in memory: after loading, it creates a suspended thread and injects its payload into it. According to current reporting, APT29 has since replaced BEATDROP with the more capable C++ BEACON, which the adversaries use for port scanning, taking screenshots, capturing keystrokes and data exfiltration.
BEATDROP and BEACON are in turn used to deploy BOOMMIC, also known as VaporRage, to establish persistence on the compromised system.
Join SOC Prime's Detection as Code platform to earn recurring rewards while drawing on the benefits of collaborative defense best practices. SOC Prime has also released a significant collection of free Sigma rules, available in our Detection as Code platform, in light of Russia's invasion of Ukraine and the increased number of state-sponsored cyber-attacks linked back to Russia. The detection content helps cyber defense professionals spot attacks launched by high-profile Russia-linked APTs, powered by extensive research by the SOC Prime team and Threat Bounty Program developers.