Allegedly, the Russian group APT29 attacked the information exchange systems of the European Union
Experts link the attack to recent geopolitical events.
Usually associated with Russia, the hacker group APT29 (also known as SVR, Cozy Bear, Nobelium and The Dukes) has recently been seen abusing legitimate information exchange systems used by European countries.
In early March, BlackBerry researchers discovered a new cyber-espionage campaign targeting EU countries. The attackers targeted diplomatic institutions and systems transmitting sensitive information about the region’s politics.
The attack chain starts with a phishing email containing a decoy document, which in turn contains a link leading to a malicious HTML file download.
The APT29 group also used several legitimate systems for its own purposes, including LegisWrite and eTrustEx, which are used by EU countries to securely exchange information and data.
LegisWrite is an editing program used by government officials in the European Union; the attackers built their lure around it to gain a foothold in EU government organizations.
The malicious HTML file used in the attack is a variation of the NOBELIUM dropper tracked as ROOTSAW (aka EnvyScout). EnvyScout uses an HTML smuggling technique to deliver malicious “.img” or “.iso” files to the victim’s system.
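The following is an added example, not code from the article or from the BlackBerry report, showing how a defender can triage an HTML attachment for the smuggling pattern described above: script code that decodes an embedded payload in the browser and writes it to disk as a file, here checked against the .img/.iso extensions the article names. The two sample pages, the indicator weights and the score threshold are constructed for this illustration and are assumptions, not figures from the report.

```python
import re
from html.parser import HTMLParser

# Weighted JavaScript indicators typically seen when a page reconstructs a file
# in the browser and pushes it to disk (HTML smuggling). Weights are an assumption.
SCRIPT_INDICATORS = {
    "atob(": 2,                 # base64 decode of an embedded payload
    "new Blob(": 2,             # in-memory file object built from decoded bytes
    "URL.createObjectURL(": 2,  # blob turned into a downloadable URL
    "msSaveOrOpenBlob(": 3,     # legacy IE/Edge direct-save API
    ".click()": 1,              # programmatic click to trigger the download
}
# Disk-image extensions named in the article.
DISK_IMAGE_EXT = re.compile(r"\.(iso|img)$", re.IGNORECASE)
# Where a script names the file it is about to drop.
FILENAME_PATTERNS = [
    re.compile(r"""\.download\s*=\s*["']([^"']+)["']"""),           # a.download = "x.iso"
    re.compile(r"""msSaveOrOpenBlob\([^,]+,\s*["']([^"']+)["']"""),  # msSaveOrOpenBlob(blob, "x.iso")
]


class _Collector(HTMLParser):
    """Collects inline <script> bodies and <a download="..."> file names."""

    def __init__(self):
        super().__init__()
        self.in_script = False
        self.scripts = []
        self.download_names = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.in_script = True
        elif tag == "a":
            for attr, value in attrs:
                if attr == "download" and value:
                    self.download_names.append(value)

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False

    def handle_data(self, data):
        if self.in_script:
            self.scripts.append(data)


def score_html(html: str) -> dict:
    """Score one HTML document for HTML-smuggling indicators."""
    collector = _Collector()
    collector.feed(html)
    js = "\n".join(collector.scripts)
    indicators = [tok for tok in SCRIPT_INDICATORS if tok in js]
    score = sum(SCRIPT_INDICATORS[tok] for tok in indicators)
    names = list(collector.download_names)
    for pattern in FILENAME_PATTERNS:
        names.extend(pattern.findall(js))
    disk_images = [n for n in names if DISK_IMAGE_EXT.search(n)]
    if disk_images:
        score += 3
    # A long unbroken base64 run inside a script is usually the smuggled payload itself.
    if re.search(r"[A-Za-z0-9+/]{200,}={0,2}", js):
        score += 2
        indicators.append("large-base64-literal")
    return {
        "score": score,
        "indicators": indicators,
        "download_names": names,
        "disk_image_names": disk_images,
        "verdict": "suspicious" if score >= 5 else "clean",
    }


# Constructed sample: indicator strings only, the payload is a placeholder.
SUSPICIOUS_HTML = """<html><body><p>Loading document...</p>
<script>
  var payload = "UEsDBBQAAAAIAA==PLACEHOLDER";
  var decoded = atob(payload);
  var blob = new Blob([decoded]);
  navigator.msSaveOrOpenBlob(blob, "Note_to_Ambassador.iso");
</script></body></html>"""

# Constructed benign page: atob() used for a tiny config string, plus a normal PDF link.
BENIGN_HTML = """<html><body><script>
  var cfg = JSON.parse(atob("eyJ0aGVtZSI6ImRhcmsifQ=="));
  document.body.className = cfg.theme;
</script><a href="/files/report.pdf" download="report.pdf">Report</a></body></html>"""

if __name__ == "__main__":
    for label, doc in (("suspicious", SUSPICIOUS_HTML), ("benign", BENIGN_HTML)):
        print(label, score_html(doc))
```

The scorer is deliberately a heuristic for mail-gateway or sandbox triage rather than a verdict engine: a single atob() call is common on legitimate pages, so the weight sits on the combination of decode, Blob construction, a save API and a disk-image file name.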
To keep the malware persistent in the system, a new registry key is created: “HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\DsDiBacks”. The BugSplatRc64.dll file collects and exfiltrates information about the infected system. For covert communication with the C2 server, the attackers used the API of the popular note-taking application Notion.
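As an added example (not code from the article or from BlackBerry), the script below shows the two checks a responder would run after reading the paragraph above: a parse of a .reg export of the Run key that scores each autostart entry, and a filter over outbound connections for processes other than a browser or the Notion client talking to Notion's API. The key path, value name DsDiBacks and the file name BugSplatRc64.dll are taken from the article; the command line behind the value, the OneDrive entry, the connection records and the scoring weights are constructed assumptions, and api.notion.com is assumed to be the relevant endpoint because it is Notion's public API host.

```python
import re

# Autostart keys to audit (compared case-insensitively).
RUN_KEYS = {
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
}

# Constructed .reg-style export. Key and value name come from the article; the
# command line is an ASSUMPTION (the page does not give the value's data) and
# the OneDrive entry is a typical benign neighbour included for contrast.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\user\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"DsDiBacks"="rundll32.exe \"C:\\Users\\user\\AppData\\Local\\Temp\\BugSplatRc64.dll\",PLACEHOLDER_EXPORT"
'''

_KEY_LINE = re.compile(r"^\[(.+)\]$")
_VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s: str) -> str:
    # Undo .reg escaping: a doubled backslash becomes one, a backslash-quote becomes a quote.
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def parse_reg_export(text: str):
    """Yield (key, value_name, data) for every quoted REG_SZ value in a .reg export."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = _KEY_LINE.match(line)
        if m:
            key = m.group(1)
            continue
        m = _VALUE_LINE.match(line)
        if m and key:
            yield key, _unescape(m.group(1)), _unescape(m.group(2))


def triage_run_entries(text: str) -> list:
    """Score Run-key entries: DLLs launched via rundll32/regsvr32 and payloads in temp dirs rank highest."""
    findings = []
    for key, name, data in parse_reg_export(text):
        if key.lower() not in RUN_KEYS:
            continue
        low, score, reasons = data.lower(), 0, []
        if re.search(r"\b(rundll32|regsvr32)(\.exe)?\b", low) and ".dll" in low:
            score += 2
            reasons.append("DLL loaded through rundll32/regsvr32")
        if "\\temp\\" in low:
            score += 2
            reasons.append("payload in a temp directory")
        elif "\\appdata\\" in low:
            score += 1
            reasons.append("payload under the user profile (AppData)")
        verdict = "high" if score >= 3 else "review" if score else "low"
        findings.append({"key": key, "name": name, "data": data,
                         "score": score, "reasons": reasons, "verdict": verdict})
    return findings


# Constructed outbound-connection records (process, destination host).
SAMPLE_CONNECTIONS = [
    ("msedge.exe", "api.notion.com"),
    ("rundll32.exe", "api.notion.com"),
    ("outlook.exe", "outlook.office365.com"),
]
# Processes for which Notion API traffic is expected (assumed allowlist).
EXPECTED_NOTION_CLIENTS = {"notion.exe", "msedge.exe", "chrome.exe", "firefox.exe"}


def flag_notion_api_clients(connections) -> list:
    """Return (process, host) pairs where a non-browser, non-Notion process reaches Notion's API."""
    return [(proc, host) for proc, host in connections
            if host.lower().endswith("api.notion.com")
            and proc.lower() not in EXPECTED_NOTION_CLIENTS]


if __name__ == "__main__":
    for f in triage_run_entries(SAMPLE_REG_EXPORT):
        print(f["verdict"], f["name"], f["reasons"])
    print(flag_notion_api_clients(SAMPLE_CONNECTIONS))
```

Run against a real export (reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run run.reg) the parser only handles quoted string values, which is what Run entries are; the connection filter is meant to be fed from proxy or EDR network telemetry that records the originating process, since the destination alone is indistinguishable from legitimate Notion use.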
“APT29 is now actively collecting intelligence on countries that support Ukraine. The coincidence of the visit of the Polish ambassador to the United States with the spread of the bait used in the attacks indicates that hackers are closely monitoring geopolitical events and using them to increase the likelihood of successful infection,” the BlackBerry report concludes.