APT28 Targets Diplomats with HeadLace Malware via Car Sale Phishing Lure
A Russia-linked threat actor has been linked to a new campaign that employed a car for sale as a phishing lure to deliver a modular Windows backdoor called HeadLace.
“The campaign likely targeted diplomats and began as early as March 2024,” Palo Alto Networks Unit 42 said in a report published today, attributing it with medium to high level of confidence to APT28, which is also referred to as BlueDelta, Fancy Bear, Fighting Ursa, Forest Blizzard, FROZENLAKE, Iron Twilight, ITG05, Pawn Storm, Sednit, Sofacy, and TA422.
It’s worth noting that car-for-sale phishing lure themes have been previously put to use by a different Russian nation-state group called APT29 since July 2023, indicating that APT28 is repurposing successful tactics for its own campaigns.
Earlier this May, the threat actor was implicated in a series of campaigns targeting networks across Europe with the HeadLace malware and credential-harvesting web pages.
The attacks are characterized by the use of a legitimate service known as webhook[.]site – a hallmark of APT28’s cyber operations along with Mocky – to host a malicious HTML page, which first checks whether the target machine is running on Windows and if so, offers a ZIP archive for download (“IMG-387470302099.zip”).
If the system is not Windows-based, it redirects to a decoy image hosted on ImgBB, specifically an Audi Q7 Quattro SUV.
Present within the archive are three files: The legitimate Windows calculator executable that masquerades as an image file (“IMG-387470302099.jpg.exe”), a DLL (“WindowsCodecs.dll”), and a batch script (“zqtxmo.bat”).
The calculator binary is used to sideload the malicious DLL, a component of the HeadLace backdoor that’s designed to run the batch script, which, in turn, executes a Base64-encoded command to retrieve a file from another webhook[.]site URL.
This file is then saved as “IMG387470302099.jpg” in the users’ downloads folder and renamed to “IMG387470302099.cmd” prior to execution, after which it’s deleted to erase traces of any malicious activity.
“While the infrastructure used by Fighting Ursa varies for different attack campaigns, the group frequently relies on these freely available services,” Unit 42 said. “Furthermore, the tactics from this campaign fit with previously documented Fighting Ursa campaigns, and the HeadLace backdoor is exclusive to this threat actor.”