The notorious Russian threat actor known as Fighting Ursa has once again made headlines for targeting diplomats through a cleverly orchestrated email scheme involving a used-car sale. This scheme, which distributes the malicious HeadLace backdoor malware, is designed to lure unsuspecting victims into clicking on harmful content disguised as innocuous car photos.
The modus operandi of this cyber attack involves the use of a .zip file purportedly containing images of an Audi Q7 Quattro SUV specially equipped for diplomatic purposes. However, the files inside the archive are actually executables whose .exe extension is hidden by Windows Explorer's default settings, a tactic commonly used to deceive Windows users. To further add credibility to the scam, the photos of the vehicle are accompanied by a Romanian phone number and a contact at the Southeast European Law Enforcement Center.
Fighting Ursa, also known as APT28, Fancy Bear, and Sofacy, has adopted this deceptive tactic from other Russian threat actors, as detailed in a report by Palo Alto Networks’ Unit 42. This is not the first time such a tactic has been used, as a similar scheme involving a used BMW sedan in Kyiv was reported back in July 2023, targeting diplomats working at embassies in Ukraine.
The attack chain orchestrated by Fighting Ursa begins with the use of a legitimate service called “webhook” to host a malicious HTML page, a technique often associated with APT28. This page then determines the target machine’s operating system, offering a .zip archive for download if it’s Windows-based. Inside the archive are three files: a disguised Windows calculator executable, a malicious DLL, and a batch script. These components work together to deploy the HeadLace backdoor, granting persistent access to the victim’s machine for subsequent data theft and surveillance activities.
Roger Grimes, a data-driven defense evangelist at KnowBe4, highlights the inherent vulnerability in Windows systems that allows attackers to disguise malicious files by hiding their extensions. Despite the longstanding prevalence of this issue, Microsoft has yet to address it, leaving users susceptible to exploitation.
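The archive and hidden-extension trick described above can be checked before anything is opened. The following is an added example, not code from the article or from Unit 42: it inspects a .zip for members whose name or magic bytes do not match the "car photo" story (double extensions such as .jpg.exe, image names carrying a PE header, and stray DLL or batch files). The sample archive and its member names are constructed for the demonstration.

```python
# Added example: flag disguised executables inside a "photo" archive.
import io
import zipfile

IMAGE_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif"}
EXECUTABLE_EXTENSIONS = {".exe", ".dll", ".bat", ".cmd", ".scr", ".com", ".lnk"}


def _extensions(name: str) -> list[str]:
    """All dotted suffixes of a member name, lower-cased: 'a.jpg.exe' -> ['.jpg', '.exe']."""
    base = name.rsplit("/", 1)[-1]
    parts = base.lower().split(".")
    return ["." + p for p in parts[1:]]


def suspicious_entries(zip_bytes: bytes) -> list[tuple[str, str]]:
    """Return (member name, reason) for members that look like disguised or stray executables."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            exts = _extensions(info.filename)
            with archive.open(info) as member:
                head = member.read(2)          # PE files start with the 'MZ' signature
            if exts and exts[-1] in EXECUTABLE_EXTENSIONS:
                if len(exts) > 1 and exts[-2] in IMAGE_EXTENSIONS:
                    findings.append((info.filename, "image double extension hiding an executable"))
                else:
                    findings.append((info.filename, "executable member in a 'photo' archive"))
            elif exts and exts[-1] in IMAGE_EXTENSIONS and head == b"MZ":
                findings.append((info.filename, "image extension but PE (MZ) header"))
    return findings


def build_sample_archive() -> bytes:
    """Constructed archive modelled on the lure: one real image, a .jpg.exe, a renamed PE, a DLL and a batch file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("Audi_Q7_front.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16)  # genuine JPEG magic
        archive.writestr("Audi_Q7_side.jpg.exe", b"MZ" + b"\x00" * 62)              # hidden .exe extension
        archive.writestr("Audi_Q7_rear.jpg", b"MZ" + b"\x00" * 62)                  # PE renamed to .jpg
        archive.writestr("helper.dll", b"MZ" + b"\x00" * 62)                        # constructed DLL name
        archive.writestr("run.bat", b"@echo off\r\n")                               # constructed batch name
    return buf.getvalue()


if __name__ == "__main__":
    for name, reason in suspicious_entries(build_sample_archive()):
        print(f"{name}: {reason}")
```

Explorer's "hide extensions for known file types" default is what makes the .jpg.exe name look like a photo; the check above relies on the name the archive actually carries, not on how it is rendered.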
Fighting Ursa, also known as APT28, has garnered a notorious reputation for cyber offensives such as the 2016 US election interference, the NotPetya attacks, the Olympic Destroyer attack, and other high-profile operations. More recently, the group has targeted Ukrainian government entities through spear-phishing emails posing as Windows Update guides. Additionally, it has exploited vulnerabilities such as CVE-2022-30190 and CVE-2022-38028 to infiltrate critical infrastructure and conduct malicious activities in Ukraine, Western Europe, and North America.
In conclusion, the actions of Fighting Ursa underscore the ongoing threat posed by sophisticated cyber threat actors and the importance of proactive cybersecurity measures to safeguard against such malicious activities. It is crucial for individuals and organizations to remain vigilant and stay informed about emerging cyber threats to mitigate the risk of falling victim to cybercrime.
