Palo Alto Networks researchers reported that the Russia-linked APT29 group, tracked by the researchers as Cloaked Ursa, started using the Google Drive cloud storage service to evade detection.
The Russia-linked APT29 group (aka SVR, Cozy Bear, and The Dukes) has been active since at least 2014, along with the APT28 cyber espionage group that was involved in the Democratic National Committee hack and the wave of attacks aimed at the 2016 US Presidential Elections.
The attackers used online storage services both to exfiltrate data and to deliver their malicious payloads. Abusing legitimate cloud services is nothing new for this nation-state actor, but experts pointed out that in the two most recent campaigns the hackers leveraged Google Drive cloud storage for the first time.
“The ubiquitous nature of Google Drive cloud storage services – combined with the trust that millions of customers worldwide have in them – makes their inclusion in this APT’s malware delivery process exceptionally concerning,” reads the analysis published by Palo Alto Networks. “The most recent campaigns by this actor provided a lure of an agenda for an upcoming meeting with an ambassador.”
The recent campaigns observed by the experts targeted multiple Western diplomatic missions between May and June 2022. The lures included in these campaigns revealed that the nation-state actors targeted a foreign embassy in Portugal as well as a foreign embassy in Brazil. The phishing messages included a link to a malicious HTML file (EnvyScout) that acted as a dropper for additional malicious payloads, including a Cobalt Strike beacon.
EnvyScout is a tool used to infect the target with the follow-on implants. The threat actors used it to deobfuscate the second-stage malware, which takes the form of a malicious ISO file. This technique is known as HTML smuggling.
Threat hunting based on the creation time of the phishing message and on the producer and PDF version metadata of the sample analyzed by Palo Alto Networks allowed the experts to identify other suspicious documents uploaded to VirusTotal in early April 2022.
“Many of these documents appear to be phishing documents associated with common cybercrime techniques. This suggests that there is likely a common phishing builder being leveraged by cybercrime and APT actors alike to generate these documents,” continues the report.
The Agenda.html file employed in the attack was used to deobfuscate a payload and to write a malicious ISO file, named Agenda.iso, to the victim’s hard drive.
Once the ISO has been downloaded, the infection chain still depends on user interaction: the user must double-click the ISO file and then double-click the shortcut file inside it, Information.lnk, to launch the malicious code on the target system.
“Their two most recent campaigns demonstrate their sophistication and their ability to obfuscate the deployment of their malware through the use of Dropbox and Google Drive services. This is a new tactic for this actor and one that proves challenging to detect due to the ubiquitous nature of these services and the fact that they are trusted by millions of customers worldwide,” concludes the report.
Indicators of Compromise
Lure File Samples (PDFs):
ISO File Samples:
EnvyScout Samples (HTML Files):
Compressed Payload Files (Underscore Files):
Decompressed in-memory payload:
Infrastructure linked to samples:
Cobalt Strike C2s:
Cobalt Strike IPs:
Detection & Response:
source="WinEventLog:*" AND (((Image="*\\Acrobat.exe") AND Image="*\\agenda.exe") OR ((FileName="*\\Users\*\\AppData\\Roaming\\*") AND (FileName="*agenda.exe" OR FileName="*vcruntime14.dll" OR FileName="*vctool140.dll")))
SELECT UTF8(payload) from events where LOGSOURCETYPENAME(devicetype)='Microsoft Windows Security Event Log' and ((("Image" ilike '%\Acrobat.exe') and "Image" ilike '%\agenda.exe') or (("Filename" ilike '%\Users\%\AppData\Roaming\%') and ("Filename" ilike '%agenda.exe' or "Filename" ilike '%vcruntime14.dll' or "Filename" ilike '%vctool140.dll')))
((process.executable:*\\Acrobat.exe AND process.executable:*\\agenda.exe) OR (file.path:*\\Users\*\\AppData\\Roaming\\* AND file.path:(*agenda.exe OR *vcruntime14.dll OR *vctool140.dll)))
((process_name:*\\Acrobat.exe AND process_name:*\\agenda.exe) OR ((process_original_filename:*\\Users\*\\AppData\\Roaming\\* OR process_name:*\\Users\*\\AppData\\Roaming\\*) AND (process_original_filename:(*agenda.exe OR *vcruntime14.dll OR *vctool140.dll) OR process_name:(*agenda.exe OR *vcruntime14.dll OR *vctool140.dll))))
((Image.keyword:*\\Acrobat.exe AND Image.keyword:*\\agenda.exe) OR (FileName.keyword:*\\Users\*\\AppData\\Roaming\\* AND FileName.keyword:(*agenda.exe *vcruntime14.dll *vctool140.dll)))
((Image IN "*\\Acrobat.exe" Image="*\\agenda.exe") OR (FileName IN "*\\Users\*\\AppData\\Roaming\\*" FileName IN ["*agenda.exe", "*vcruntime14.dll", "*vctool140.dll"]))
DeviceProcessEvents | where (((FolderPath endswith @"\Acrobat.exe") and FolderPath endswith @"\agenda.exe") or ((FolderPath matches regex @".*\\Users\.*\\AppData\\Roaming\\\.*") and (FolderPath endswith "agenda.exe" or FolderPath endswith "vcruntime14.dll" or FolderPath endswith "vctool140.dll")))
SecurityEvent | where EventID == 1 | where (((NewProcessName endswith @'\Acrobat.exe') and NewProcessName endswith @'\agenda.exe') or ((TargetFilename matches regex '(?i).*\Users\.*\AppData\Roaming\\.*') and (TargetFilename endswith 'agenda.exe' or TargetFilename endswith 'vcruntime14.dll' or TargetFilename endswith 'vctool140.dll')))
(_sourceCategory=*windows* AND ((((Image = "*\Acrobat.exe") AND Image="*\agenda.exe") OR ((("\Users\" AND "\AppData\Roaming\\")) AND ("agenda.exe" OR "vcruntime14.dll" OR "vctool140.dll")))))
(((Image contains '\Acrobat\.exe') && (Image contains 'agenda.exe')) || ((FileName regex '.*\\Users\.*\\AppData\\Roaming\\\.*') && (FileName contains 'agenda\.exe', 'vcruntime14\.dll', 'vctool140\.dll')))
((target.process.file.full_path = /.*\\Acrobat\.exe$/ and target.process.file.full_path = /.*\\agenda\.exe$/) or (target.file.full_path = /.*\\Users\\.*\\AppData\\Roaming.*/ and (target.file.full_path = /.*agenda\.exe$/ or target.file.full_path = /.*vcruntime14\.dll$/ or target.file.full_path = /.*vctool140\.dll$/)))
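Every query above encodes the same two conditions: an event whose executable paths reference both Acrobat.exe and agenda.exe, or a file named agenda.exe, vcruntime14.dll or vctool140.dll being written under a user's AppData\Roaming directory. Before deploying a translation of that rule it is worth running the logic over a few known-good and known-bad events. The following is an added example, not the article's or any vendor's code: it implements the rule in plain Python over Sysmon-style event dictionaries. The event field names (Image, ParentImage, TargetFilename) and the sample events are assumptions constructed for the demonstration; reading "both Acrobat.exe and agenda.exe" as "across the event's executable-path fields" is this example's interpretation of the queries.

```python
"""Reference implementation of the detection logic above (added example)."""
from __future__ import annotations

import re

# Sysmon-style fields assumed for this example.
PROCESS_FIELDS = ("Image", "ParentImage")
FILE_FIELDS = ("TargetFilename",)

ACROBAT = re.compile(r"\\Acrobat\.exe$", re.IGNORECASE)
AGENDA = re.compile(r"\\agenda\.exe$", re.IGNORECASE)
# \Users\<anything without a backslash>\AppData\Roaming\
ROAMING = re.compile(r"\\Users\\[^\\]+\\AppData\\Roaming\\", re.IGNORECASE)
PAYLOAD_NAMES = re.compile(r"(agenda\.exe|vcruntime14\.dll|vctool140\.dll)$", re.IGNORECASE)


def process_condition(event: dict) -> bool:
    """Acrobat.exe and agenda.exe both appear among the event's executable paths."""
    paths = [event.get(f, "") for f in PROCESS_FIELDS]
    return any(ACROBAT.search(p) for p in paths) and any(AGENDA.search(p) for p in paths)


def file_condition(event: dict) -> bool:
    """One of the named payload files is written below \\Users\\*\\AppData\\Roaming\\."""
    return any(
        ROAMING.search(event.get(f, "")) and PAYLOAD_NAMES.search(event.get(f, ""))
        for f in FILE_FIELDS
    )


def evaluate(events: list[dict]) -> list[tuple[int, str]]:
    """Return (event index, reason) for every event the rule fires on."""
    hits = []
    for i, ev in enumerate(events):
        if process_condition(ev):
            hits.append((i, "acrobat_and_agenda_process"))
        elif file_condition(ev):
            hits.append((i, "payload_written_to_roaming"))
    return hits


# Constructed sample events (not real telemetry). Paths use a fictional user.
SAMPLE_EVENTS = [
    {   # 0: Acrobat launching agenda.exe from Roaming -> should fire
        "EventID": 1,
        "ParentImage": r"C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe",
        "Image": r"C:\Users\alice\AppData\Roaming\agenda.exe",
    },
    {   # 1: payload DLL dropped into Roaming -> should fire
        "EventID": 11,
        "Image": r"C:\Windows\explorer.exe",
        "TargetFilename": r"C:\Users\alice\AppData\Roaming\vcruntime14.dll",
    },
    {   # 2: ordinary shortcut under Roaming -> benign
        "EventID": 11,
        "Image": r"C:\Windows\explorer.exe",
        "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Recent\report.lnk",
    },
    {   # 3: Acrobat spawning its own helper -> benign
        "EventID": 1,
        "ParentImage": r"C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe",
        "Image": r"C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe",
    },
    {   # 4: the legitimate MSVC runtime, outside Roaming and with the real name -> benign
        "EventID": 11,
        "Image": r"C:\Windows\System32\msiexec.exe",
        "TargetFilename": r"C:\Windows\System32\vcruntime140.dll",
    },
]

if __name__ == "__main__":
    for idx, reason in evaluate(SAMPLE_EVENTS):
        print(f"event {idx}: {reason}")
```

Note that the rule, like the queries it mirrors, matches the indicator vcruntime14.dll and not the legitimately named vcruntime140.dll, so the anchored name patterns do not fire on the genuine Visual C++ runtime; any translation that loosens the suffix match to a bare substring would lose that property.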