[MART] - Daily Diary #501 - APT29 Campaigns Targeting Diplomatic Entities

CTAS-MAT ctas-mat at appgate.com
Mon May 2 21:09:07 UTC 2022


Hello,

I hope everyone is doing well!

Below is the entry for today.

05/02/2022 - Diary entry #501:

APT29 is a Russia-linked threat group that became widely known in late 2020 as the group responsible for the SolarWinds supply-chain attack (covered in our Daily Diary #359). APT29 is also tracked as Nobelium (Microsoft), UNC2452 (FireEye), SolarStorm (Unit 42), StellarParticle (CrowdStrike), Dark Halo (Volexity), and Iron Ritual (Secureworks).

Recently, a series of phishing campaigns attributed to APT29 were disclosed targeting multiple diplomatic and government entities. Those campaigns, whose lures were disguised as "administrative notices related to embassies", introduced new malware downloaders. The first one, named BEATDROP, is a downloader written in C that uses Atlassian's Trello as its Command & Control. The other one, dubbed BOOMMIC and also known as VaporRage (Microsoft), is a shellcode downloader also written in C that communicates with its C2 over HTTP.
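The BEATDROP detail worth acting on is that its C2 hides inside a legitimate SaaS platform, so blocking by reputation does not help; the traffic has to be separated from ordinary use of the same service. The script below is an added example written for this diary entry, not code from the diary or from Appgate, and the diary names no C2 endpoints: the Trello hostnames, the proxy log format, the constructed log lines and the thresholds are all assumptions chosen for illustration. It runs two hunts over the sample log: requests to the watched hosts that carry no browser User-Agent, and clients polling a watched host at near-constant intervals, which is what a downloader checking a board for tasking tends to look like.

```python
"""Hunt for SaaS-hosted C2 in web-proxy logs (the Trello pattern from the diary entry).

Heuristics (assumptions for illustration, not signatures from the entry):
  1. Requests to the Trello API without a mainstream-browser User-Agent.
  2. Beaconing: repeated requests from one client to one host at near-constant intervals.
"""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Assumed host set for the SaaS platform named in the entry; adjust to your proxy's view.
TRELLO_HOSTS = {"api.trello.com", "trello.com"}

# Constructed sample proxy log (not real traffic). Fields:
#   timestamp src_ip method host/path status "user-agent"
SAMPLE_LOG = """\
2022-05-02T10:00:00 10.1.2.5 GET trello.com/b/abc123/planning 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/100.0 Safari/537.36"
2022-05-02T10:00:05 10.1.2.9 GET api.trello.com/1/boards/xyz789/cards 200 "-"
2022-05-02T10:03:41 10.1.2.5 GET api.trello.com/1/members/me 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/100.0 Safari/537.36"
2022-05-02T10:05:05 10.1.2.9 GET api.trello.com/1/boards/xyz789/cards 200 "-"
2022-05-02T10:10:05 10.1.2.9 GET api.trello.com/1/boards/xyz789/cards 200 "-"
2022-05-02T10:11:17 10.1.2.5 GET example.org/ 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/100.0 Safari/537.36"
2022-05-02T10:15:05 10.1.2.9 GET api.trello.com/1/boards/xyz789/cards 200 "-"
2022-05-02T10:20:05 10.1.2.9 GET api.trello.com/1/boards/xyz789/cards 200 "-"
2022-05-02T10:22:30 10.1.2.7 GET api.trello.com/1/boards/def456/lists 200 "Mozilla/5.0 (Macintosh; Intel Mac OS X 12_3) AppleWebKit/605.1.15 Version/15.4 Safari/605.1.15"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\d{3}) "(.*)"$')
BROWSER_RE = re.compile(r"Mozilla/\d.*(Chrome|Firefox|Safari|Edg)/")


def parse_log(text):
    """Parse the sample format into dicts; malformed lines are skipped, not raised."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, src, method, url, status, ua = m.groups()
        records.append({
            "ts": datetime.fromisoformat(ts),
            "src": src,
            "method": method,
            "host": url.split("/", 1)[0].lower(),
            "status": int(status),
            "ua": ua,
        })
    return records


def is_browser_ua(ua):
    """True when the User-Agent looks like a mainstream browser (coarse, deliberately)."""
    return bool(BROWSER_RE.search(ua))


def unusual_agent_hits(records, hosts=TRELLO_HOSTS):
    """Requests to the watched SaaS hosts made without a browser User-Agent."""
    return [r for r in records if r["host"] in hosts and not is_browser_ua(r["ua"])]


def beaconing_pairs(records, hosts=TRELLO_HOSTS, min_hits=4, max_cv=0.2):
    """Return (src, host, mean_interval_s) for clients polling a watched host regularly.

    Regularity is measured as the coefficient of variation of the inter-request gaps;
    a jittered beacon still scores low here, a human browsing a board does not.
    """
    by_pair = defaultdict(list)
    for r in records:
        if r["host"] in hosts:
            by_pair[(r["src"], r["host"])].append(r["ts"])
    hits = []
    for (src, host), stamps in by_pair.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            hits.append((src, host, avg))
    return hits


def hunt(text):
    """Run both heuristics over a raw log and return the findings."""
    records = parse_log(text)
    return {"unusual_agent": unusual_agent_hits(records), "beaconing": beaconing_pairs(records)}


if __name__ == "__main__":
    result = hunt(SAMPLE_LOG)
    for r in result["unusual_agent"]:
        print(f"non-browser UA: {r['src']} -> {r['host']} at {r['ts']}")
    for src, host, avg in result["beaconing"]:
        print(f"beacon-like: {src} -> {host} every ~{avg:.0f}s")
```

In the constructed sample, 10.1.2.9 is flagged by both heuristics (five requests to api.trello.com, every 300 seconds, with an empty User-Agent) while the two browser clients are not. Neither check is proof on its own; the User-Agent is trivially spoofable and scripted but benign integrations also poll APIs, so treat a hit as a lead to pivot on (which process made the connection, which board or token was used) rather than as a verdict.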

Additional payloads were used as an alternative to BEATDROP, such as ROOTSAW (an HTML dropper) and a C++ beacon loader based on Cobalt Strike with backdoor capabilities. After compromising its targets, APT29 escalates privileges, performs extensive reconnaissance of hosts, collects credentials, and establishes long-term access for espionage purposes.

As we anticipated in our Daily Diary #444, Nobelium's new attacks bring even more advanced threats: the group is forced to renew its arsenal each time its malware is publicly disclosed, which shows how capable the attackers are.

Kind Regards,




Felipe Tarijon de Almeida
Malware Analyst
Appgate

E: felipe.tarijon at appgate.com

