The Polish government warns that a cyberespionage group linked to Russia's intelligence services is targeting diplomatic and foreign ministries from NATO and EU member states in an ongoing campaign that uses previously undocumented malware payloads.
The group, known in the security industry as APT29, Cozy Bear, and NOBELIUM, is believed to be part of Russia's Foreign Intelligence Service (SVR) and is the group behind the 2020 supply chain attack against software company SolarWinds that led to the compromise of thousands of organisations worldwide.
Attack campaign uses DLL sideloading
APT29 has used .ISO files for malware distribution before, but the use of .IMG (disk image) files is a new technique. Both ISO and IMG files are automatically mounted as a virtual disk when opened in Windows and the user can access the files contained within.
In this case, the files were Windows shortcuts (LNK) that launched a legitimate executable, which in turn loaded a malicious DLL.
This technique is known as DLL sideloading and involves attackers delivering an executable file belonging to a legitimate application that is known to load a DLL library with a particular name from the same directory.
The attackers only have to provide a malicious DLL with the same name to accompany the file. By using a legitimate file to load malicious code in memory, attackers hope to evade detection by security tools that might have that file whitelisted.
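As an added illustration of how a defender might hunt for this pattern (example code written for this article, not part of the Polish advisory), the following Python flags image-load records where an unsigned DLL is loaded from the same directory as its host executable and that directory is either on a non-system volume (what a mounted ISO/IMG or removable drive gets) or in a user-writable tree such as Temp or %localappdata%. The event field names and all sample records are constructed assumptions, and the trusted directory set would need tuning for a real estate.

```python
from pathlib import PureWindowsPath

# Constructed sample image-load records (Sysmon Event ID 7 style; field names
# are an assumption): one benign system load, two sideload-like loads (a
# non-system drive letter as a mounted IMG/ISO gets; a user Temp directory)
# and one unsigned plugin load from Program Files that should not be flagged.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\rpcrt4.dll", "Signed": "true"},
    {"Image": r"E:\Report\viewer.exe",
     "ImageLoaded": r"E:\Report\version.dll", "Signed": "false"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\msvcr100.dll",
     "Signed": "false"},
    {"Image": r"C:\Program Files\Tool\tool.exe",
     "ImageLoaded": r"C:\Program Files\Tool\plugin.dll", "Signed": "false"},
]

# Top-level directories on the system volume where an executable is expected
# to live next to its own DLLs (assumption: the system drive is C:).
TRUSTED_TOP_DIRS = {"windows", "program files", "program files (x86)"}

def same_directory(image: str, dll: str) -> bool:
    """True when the DLL sits in the directory of the executable that loaded it.
    PureWindowsPath comparison is case-insensitive, like NTFS."""
    return PureWindowsPath(image).parent == PureWindowsPath(dll).parent

def from_unusual_location(path: str) -> bool:
    """True for non-system volumes (mounted images, removable media) and for
    user-writable trees such as Temp or %localappdata% on the system volume."""
    p = PureWindowsPath(path)
    if p.drive.lower() != "c:":
        return True
    return len(p.parts) < 2 or p.parts[1].lower() not in TRUSTED_TOP_DIRS

def is_sideload_candidate(event: dict) -> bool:
    """Unsigned DLL loaded from its host's own directory in an unusual place."""
    if event["Signed"].lower() == "true":
        return False
    if not same_directory(event["Image"], event["ImageLoaded"]):
        return False
    return from_unusual_location(event["ImageLoaded"])

def find_sideload_candidates(events: list) -> list:
    """Return the loaded-DLL paths worth a closer look."""
    return [e["ImageLoaded"] for e in events if is_sideload_candidate(e)]

if __name__ == "__main__":
    for hit in find_sideload_candidates(SAMPLE_EVENTS):
        print("sideload candidate:", hit)
```

Signature status alone is a weak signal, since many legitimate applications ship unsigned DLLs; the location test is what separates the mounted-image case from everyday plugin loads.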
The first payload of the attack is a custom malware dropper that the Polish researchers dubbed SNOWYAMBER.
This is a lightweight program that collects basic information about the computer and contacts a command-and-control server hosted on Notion.so, an online workspace collaboration service.
The goal of this dropper is to download and execute additional malware, and the researchers have seen the APT29 attackers use it to deploy Cobalt Strike and BruteRatel beacons.
Both are commercial post-exploitation frameworks intended for penetration testers but which have found adoption with attackers, too.
A variant of SNOWYAMBER was detected and reported publicly by Recorded Future in October 2022, but a new variant with additional anti-detection routines was found by the Polish researchers in February 2023.
SNOWYAMBER is not the only malware dropper used by APT29. In February, the group was seen using another payload they dubbed HALFRIG that was also used to deploy Cobalt Strike.
However, instead of downloading the beacon from a command-and-control server, HALFRIG decrypted it from shellcode. In March, the hackers were seen using yet another tool dubbed QUARTERRIG that shares part of its codebase with HALFRIG.
The use of multiple droppers in a relatively short timespan suggests that the attackers are quickly adapting and replacing tools that are identified by the security community and no longer deliver the same success rate.
APT29 espionage campaign is ongoing
"At the time of publication of the report, the campaign is still ongoing and in development," the Polish government said in its advisory.
"The aim of publishing the advisory is to disrupt the ongoing espionage campaign, impose additional cost of operations against allied nations and enable the detection, analysis and tracking of the activity by affected parties and the wider cyber security industry."
The list of targets in the area of interest for APT29 includes government entities, diplomatic entities (foreign ministries, embassies, diplomatic staff and those working in international entities), international organisations, and non-governmental organisations. While the attacks focused mainly on EU and NATO entities, some targets were also observed in Africa.
The Polish Military Counterintelligence Service and CERT.PL recommend that organisations that think they might be a target implement the following defensive measures:
- Block the ability to mount disk images on the file system as most users don't need this functionality.
- Monitor the mounting of disk image files by users with administrator roles.
- Enable and configure attack surface reduction rules.
- Configure software restriction policy.
- Block the possibility of starting executable files from unusual locations (in particular, temporary directories, %localappdata% and subdirectories and external media).
The Polish government's advisory also includes indicators of compromise that can be used to build detection for the known malware samples.