In a recent discovery by SEQRITE Labs, the unveiling of a highly advanced cyber-espionage campaign known as Operation HollowQuill has sent shockwaves through the cybersecurity world. This operation has set its sights on academic, governmental, and defense-related networks in Russia, utilizing weaponized decoy PDFs as a vehicle to deliver Cobalt Strike malware implants.
The primary target of this insidious campaign appears to be critical institutions such as the Baltic State Technical University (BSTU “VOENMEKH”), a significant contributor to Russia’s military-industrial complex. By infiltrating these key establishments, the threat actors behind Operation HollowQuill are seeking to gain access to sensitive information and compromise vital systems.
The technical exploitation chain of this operation starts with a malicious RAR archive containing a .NET-based malware dropper disguised as an official research invitation from the Ministry of Science and Higher Education of Russia. The archive bundles several components: a legitimate OneDrive executable, a Golang-based shellcode loader, and a decoy PDF document designed to lure the target entities.
Once executed, the .NET dropper deploys the shellcode loader, which injects malicious code into the OneDrive process, and presents the decoy PDF to mask its activity. The shellcode loader relies on techniques such as APC injection to execute the payload stealthily in memory and evade detection.
The decoy PDF used in this operation mimics official communication regarding state-assigned research projects for the upcoming budget cycle, providing detailed guidelines for proposal submissions within Russia’s Unified State Information System for Scientific Research and Technological Projects. The document, signed by high-ranking officials, enhances credibility and increases the chances of user engagement.
The final step in this operation involves deploying a Cobalt Strike beacon, a commonly used penetration testing tool that has been repurposed for malicious intent. The beacon connects to a command-and-control (C2) server hosted on domains like phpsymfony[.]com, using HTTP GET requests with encoded data to communicate covertly with the attacker infrastructure.
Further analysis of the campaign’s infrastructure has revealed operational security oversights by the attackers, such as exposed Go build IDs and rotating C2 domains across multiple ASN services globally. These identifiers have allowed researchers to track similar payloads and malicious binaries distributed through other campaigns.
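The Go build ID mentioned above is a plain-text marker that the Go linker embeds in every binary it produces, which is why it is useful for clustering related loaders. The following Python helper, added here as an illustration and not part of SEQRITE's report or tooling, extracts that marker from a file's bytes and compares it against a set of build IDs already attributed to a campaign. The sample binary and the build ID in it are constructed placeholders, not indicators from the report; a real hunt would load the IDs published by the researchers.

```python
from typing import Optional

# Marker layout the Go linker writes into its binaries
# (the same marker `go tool buildid` looks for).
GO_BUILD_PREFIX = b'\xff Go build ID: "'
GO_BUILD_SUFFIX = b'"\n \xff'


def extract_go_build_id(data: bytes) -> Optional[str]:
    """Return the Go build ID embedded in `data`, or None if absent or stripped."""
    start = data.find(GO_BUILD_PREFIX)
    if start == -1:
        return None
    start += len(GO_BUILD_PREFIX)
    end = data.find(GO_BUILD_SUFFIX, start)
    if end == -1:
        return None
    try:
        build_id = data[start:end].decode("ascii")
    except UnicodeDecodeError:
        return None
    # Build IDs are printable ASCII; anything else is junk around a stray marker.
    return build_id if build_id and build_id.isprintable() else None


def matches_known(data: bytes, known_ids: set) -> Optional[str]:
    """Return the build ID if it matches one already attributed to a campaign."""
    build_id = extract_go_build_id(data)
    return build_id if build_id in known_ids else None


# Constructed stand-in for a Go loader: filler bytes around a made-up ID
# (placeholder value, NOT an indicator from the report).
SAMPLE_ID = "placeholderActionId/placeholderContentId/linkId/fullId"
SAMPLE_BINARY = (b"MZ" + b"\x00" * 64 + GO_BUILD_PREFIX + SAMPLE_ID.encode()
                 + GO_BUILD_SUFFIX + b"\x00" * 64)
# A binary whose build ID was removed at build time carries no marker at all,
# so absence of an ID says nothing about legitimacy.
STRIPPED_BINARY = b"MZ" + b"\x00" * 128

if __name__ == "__main__":
    print("extracted:", extract_go_build_id(SAMPLE_BINARY))
    print("known hit:", matches_known(SAMPLE_BINARY, {SAMPLE_ID}))
    print("stripped:", extract_go_build_id(STRIPPED_BINARY))
```

To run it against files on disk, pass `open(path, "rb").read()` to `matches_known` with the set of published build IDs.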
Operation HollowQuill sheds light on the concerning trend of cyber warfare targeting critical research and defense networks through sophisticated phishing tactics and advanced malware delivery mechanisms. By abusing legitimate applications like OneDrive and employing in-memory execution techniques, the attackers demonstrate a high level of technical expertise aimed at bypassing detection while compromising crucial systems.
This campaign serves as a stark reminder of the pressing need for robust cybersecurity measures across government and military sectors to mitigate the risks posed by increasingly sophisticated threat actors. As cyber threats continue to evolve and become more complex, organizations must remain vigilant and proactive in defending against such attacks to safeguard their valuable assets and critical infrastructure.
