APT29 is a Russian state-sponsored espionage group also tracked by cybersecurity vendors as Nobelium. The scope of its operations tracks Russia's current geopolitical priorities. Its latest intrusions are characterized by the use of the BEATDROP and BEACON loaders to deploy BOOMMIC (VaporRage) malware.
Security analysts report that the latest phishing campaigns target diplomats and government agencies with the goal of maintaining long-term access to the victim environment for espionage.
The rules below detect APT29 activity through the following indicators: lateral movement by deploying the payload through a scheduled task named SharedRealitySvcDLC; SMB BEACON pushed to multiple systems to stage BEACON on remote hosts; and the SMB BEACON payload itself, identified through named pipe event logs. The rules were developed by our top-tier Threat Bounty developers Nattatorn Chuensangarun, Emir Erdogan, and Kaan Yeniyol.
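To make the three indicators concrete, here is a small detector written for this post (an added example, not the Threat Bounty rules themselves and not code from Mandiant or SOC Prime). It runs over constructed Sysmon-style events embedded inline (process creation, network connection and named pipe creation). The task name comes from the indicators above; the named pipe patterns are the default Cobalt Strike SMB Beacon pipe names commonly used in detection content, which is an assumption of this example rather than something the post states, and every host, path, IP and pipe name in the sample data is invented.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Task name taken from the indicators above.
TASK_NAME = "SharedRealitySvcDLC"

# Assumed default Cobalt Strike SMB Beacon pipe names (msagent_##, MSSE-###-server,
# postex_####, status_##). Operators can rename these, so treat as one signal only.
BEACON_PIPE_RE = re.compile(
    r"^\\(msagent_[0-9a-f]{2}|MSSE-\d{1,4}-server|postex_[0-9a-f]{4}|status_[0-9a-f]{2})$",
    re.IGNORECASE,
)
SCHTASKS_CREATE_RE = re.compile(r"/create\b", re.IGNORECASE)
SCHTASKS_TN_RE = re.compile(r'/tn\s+"?([^"\s]+)"?', re.IGNORECASE)
SCHTASKS_REMOTE_RE = re.compile(r'/s\s+"?\\?\\?([^"\s]+)"?', re.IGNORECASE)  # /s <host> = remote task

# Constructed Sysmon-style events: EventID 1 = process create, 3 = network
# connection, 17 = named pipe created. Hosts, paths, IPs and pipes are invented.
SAMPLE_EVENTS = [
    {"EventID": 1, "Computer": "WS-01", "UtcTime": "2022-04-28 09:00:01",
     "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /s FS-02 /create /tn SharedRealitySvcDLC /tr "rundll32.exe C:\ProgramData\upd.dll,Start" /sc onlogon /ru SYSTEM'},
    {"EventID": 1, "Computer": "WS-01", "UtcTime": "2022-04-28 09:00:05",
     "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe notes.txt"},
    {"EventID": 3, "Computer": "WS-01", "UtcTime": "2022-04-28 09:01:00", "DestinationIp": "10.0.0.12", "DestinationPort": 445},
    {"EventID": 3, "Computer": "WS-01", "UtcTime": "2022-04-28 09:01:20", "DestinationIp": "10.0.0.13", "DestinationPort": 445},
    {"EventID": 3, "Computer": "WS-01", "UtcTime": "2022-04-28 09:01:40", "DestinationIp": "10.0.0.14", "DestinationPort": 445},
    {"EventID": 3, "Computer": "WS-07", "UtcTime": "2022-04-28 09:02:00", "DestinationIp": "10.0.0.12", "DestinationPort": 445},
    {"EventID": 17, "Computer": "FS-02", "UtcTime": "2022-04-28 09:02:10",
     "Image": r"C:\Windows\System32\rundll32.exe", "PipeName": r"\msagent_4a"},
    {"EventID": 17, "Computer": "FS-02", "UtcTime": "2022-04-28 09:02:11",
     "Image": r"C:\Windows\System32\lsass.exe", "PipeName": r"\lsass"},
]


def _ts(event):
    return datetime.strptime(event["UtcTime"], "%Y-%m-%d %H:%M:%S")


def detect_task_creation(events):
    """schtasks.exe creating a task named SharedRealitySvcDLC; a /s <host> flag
    means the task was created on a remote machine (lateral movement).
    Windows Security event 4698 (TaskName field) is the other natural source."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 1 or not ev.get("Image", "").lower().endswith("\\schtasks.exe"):
            continue
        cmd = ev.get("CommandLine", "")
        if not SCHTASKS_CREATE_RE.search(cmd):
            continue
        name = SCHTASKS_TN_RE.search(cmd)
        if not name or name.group(1).lower() != TASK_NAME.lower():
            continue
        remote = SCHTASKS_REMOTE_RE.search(cmd)
        hits.append({"host": ev["Computer"], "task": name.group(1),
                     "remote_target": remote.group(1) if remote else None})
    return hits


def detect_beacon_pipes(events):
    """Named pipe created/connected (Sysmon 17/18) with a default SMB Beacon name."""
    return [{"host": ev["Computer"], "pipe": ev["PipeName"], "image": ev.get("Image")}
            for ev in events
            if ev.get("EventID") in (17, 18) and BEACON_PIPE_RE.match(ev.get("PipeName", ""))]


def detect_smb_fanout(events, threshold=3, window=timedelta(minutes=5)):
    """One host opening SMB (445) connections to >= threshold distinct targets
    within the window: the pattern of staging BEACON on several remote systems."""
    by_host = defaultdict(list)
    for ev in events:
        if ev.get("EventID") == 3 and ev.get("DestinationPort") == 445:
            by_host[ev["Computer"]].append((_ts(ev), ev["DestinationIp"]))
    hits = []
    for host, conns in by_host.items():
        conns.sort()
        for i, (start, _) in enumerate(conns):
            targets = {ip for t, ip in conns[i:] if t - start <= window}
            if len(targets) >= threshold:
                hits.append({"host": host, "targets": sorted(targets)})
                break
    return hits


def run_detections(events):
    return {"scheduled_task": detect_task_creation(events),
            "beacon_pipe": detect_beacon_pipes(events),
            "smb_fanout": detect_smb_fanout(events)}


if __name__ == "__main__":
    for name, hits in run_detections(SAMPLE_EVENTS).items():
        print(f"{name}: {hits}")
```

On the sample data the detector reports the remote task creation from WS-01 against FS-02, the msagent_4a pipe on FS-02, and WS-01 fanning out over SMB to three hosts in under a minute, while the notepad process, the lsass pipe and the single connection from WS-07 stay quiet. In production the pipe names and fan-out threshold should be tuned to the environment, since administrative tooling also opens many SMB sessions.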
The full list of detections associated with APT29 is available in the Threat Detection Marketplace repository of SOC Prime's platform.
Eager to connect with industry leaders and develop your own content? Join SOC Prime's crowdsourced initiative as a content contributor and share your own Sigma and YARA rules with the global cybersecurity community while strengthening collaborative cyber defense worldwide.
The first reports of this multifaceted phishing campaign appeared in early 2022. Researchers from Mandiant observed APT29 sending spear-phishing emails that mimicked administrative notices from embassies, sent from legitimate but compromised email accounts belonging to diplomatic entities. The use of legitimate cloud services such as Atlassian's Trello for command and control is likely intended to make identification and mitigation harder for victims, since the C2 traffic blends in with normal use of the service.
Next, analysts observed the deployment of BEATDROP, a downloader written in C, followed by a BEACON loader written in C++. BEATDROP uses Trello for C2 communication and runs entirely in memory: it creates a suspended thread and injects itself into it. According to current reporting, it has since been replaced by the more capable C++ BEACON loader, which gives the adversary Cobalt Strike BEACON capabilities such as port scanning, screenshot capture, keystroke logging, and data exfiltration.
Both BEATDROP and BEACON are used to deliver BOOMMIC (also known as VaporRage), which establishes persistence on the compromised system.
Join SOC Prime's Detection as Code platform to earn recurring income while benefiting from collaborative defense best practices. SOC Prime has also released a large collection of free Sigma rules on its Detection as Code platform in light of Russia's invasion of Ukraine and the increased number of state-sponsored cyber attacks attributed to Russia. The content helps cyber defenders spot attacks launched by high-profile Russia-linked APTs and is backed by extensive research by the SOC Prime team and Threat Bounty Program developers.