CyberSecurity SEE

Hackers Infect Windows With Backdoor Malware Through Car For Sale Ad

In a recent cyberattack, the Russian Advanced Persistent Threat (APT) group known as Fighting Ursa has used a car-for-sale phishing lure to deliver the HeadLace backdoor malware, targeting diplomats since March 2024. The approach is consistent with previous campaigns run by this group and by other Russian threat actors.

The attack was orchestrated by leveraging public and free infrastructure services, exploiting user clicks on malicious content embedded within a seemingly innocuous car advertisement. Hackers took advantage of a legitimate service called Webhook.site, which is commonly used for creating custom URLs for development projects. On March 14th, 2024, a URL linked to a malicious infection chain was flagged on VirusTotal, signaling the malicious intent behind it.

Although the Webhook.site URL itself did not contain any malicious content, upon access, it directed visitors to a malicious HTML page that exploited the platform’s functionality of generating unique URLs to trigger customized actions based on visitor information. This multi-stage attack initially filtered visitors based on their operating system, redirecting non-Windows users to a fake car advertisement hosted on ImgBB.

For Windows users, the HTML page embedded Base64-encoded ZIP archive data disguised as a legitimate car advertisement download, and JavaScript on the page automatically launched the download of that payload. The tactic was designed to make users believe they were downloading harmless files when, in reality, they were executing malware on their systems.

The downloaded ZIP archive contained a malicious executable file masquerading as a JPG image, named IMG-387470302099.jpg.exe, showing only the .jpg extension to avoid suspicion. Upon execution, the malicious executable proceeded to sideload the WindowsCodecs.dll file, a component of the modular HeadLace backdoor malware, showcasing the attackers’ intent to infiltrate Windows systems discreetly.

According to Unit 42, the DLL’s function in this attack is crucial for comprehending the subsequent actions of the backdoor malware, which leverages a legitimate application to introduce malicious code, likely to evade detection and delay analysis. The staged infection process showcases the attackers’ adept use of legitimate tools for sinister purposes.

The ZIP archive also contained a malicious batch file named zqtxmo.bat, which utilized Microsoft Edge to execute a Base64-encoded iframe content from a Webhook.site URL, ultimately leading to the download of a JPEG file in the user’s directory. The batch file then transferred the downloaded file to a specific directory, modified its extension to .cmd, executed it, and erased all traces of the script to evade detection.
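The infection chain above (a Base64-encoded ZIP smuggled inside an HTML page, holding a double-extension executable and a batch script) can be checked for from the defender's side. The following is an added example, not code from the original article or from Unit 42; it builds a constructed sample page whose archive uses the file names quoted in the report, then scans the HTML for Base64 blobs that decode to a ZIP and flags risky member names.

```python
import base64
import io
import re
import zipfile


def build_sample_html():
    """Constructed sample: a tiny ZIP with the member names from the report,
    wrapped in a Base64 blob inside an HTML page (no real malware inside)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("IMG-387470302099.jpg.exe", b"placeholder, not a real executable")
        zf.writestr("WindowsCodecs.dll", b"placeholder, not a real DLL")
        zf.writestr("zqtxmo.bat", b"rem placeholder batch script")
    blob = base64.b64encode(buf.getvalue()).decode()
    return f'<html><script>var d="{blob}";</script></html>'


# Long runs of Base64 alphabet characters are candidate smuggled payloads.
B64_RE = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")
# Image/document extension immediately followed by an executable one.
DOUBLE_EXT = re.compile(r"\.(jpe?g|png|gif|pdf|docx?)\.(exe|scr|com|bat|cmd|dll)$", re.I)
SCRIPT_EXT = (".bat", ".cmd", ".vbs", ".js", ".ps1")


def find_smuggled_archives(html):
    """Return one finding per Base64 blob in the HTML that decodes to a ZIP:
    its offset, member names, double-extension members and script members."""
    findings = []
    for m in B64_RE.finditer(html):
        try:
            raw = base64.b64decode(m.group(0), validate=True)
        except ValueError:
            continue  # not valid Base64 (e.g. bad padding)
        if not raw.startswith(b"PK\x03\x04"):
            continue  # not a ZIP local file header
        try:
            names = zipfile.ZipFile(io.BytesIO(raw)).namelist()
        except zipfile.BadZipFile:
            continue
        findings.append({
            "offset": m.start(),
            "members": names,
            "double_ext": [n for n in names if DOUBLE_EXT.search(n)],
            "scripts": [n for n in names if n.lower().endswith(SCRIPT_EXT)],
        })
    return findings


if __name__ == "__main__":
    for finding in find_smuggled_archives(build_sample_html()):
        print(finding)
```

Only the ZIP magic and member names are inspected, so the archive contents are never written to disk or executed.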

Fighting Ursa's ongoing operations, which use dynamic infrastructure and a variety of lures to distribute the HeadLace malware, underscore the need for organizations to secure their use of legitimate web services and to scrutinize that usage, so that attack vectors linked to this threat actor can be detected and mitigated early.

As this malicious campaign demonstrates, cybercriminals are increasingly employing sophisticated tactics to deceive users and infiltrate systems. It is imperative for security professionals to remain vigilant, restrict access to vulnerable platforms, and enact robust cybersecurity measures to combat such threats effectively.
