Brother
Humanitarian aid from Europe paved the way for intelligence gathering.
The APT28 hacking group is using lures themed on the conflict between Israel and Hamas to distribute a customized HeadLace backdoor for intelligence collection, according to IBM X-Force researchers who track the group.
The new campaign targets at least 12 countries, including Hungary, Turkey, Australia, Poland, Belgium, Germany, Azerbaijan, Saudi Arabia, Kazakhstan, Italy, Latvia and Romania. The attackers use forged documents aimed primarily at European organizations that influence the distribution of humanitarian aid. The lures include documents related to the UN, the Bank of Israel, the US Congress Public Policy Research Institute, the European Parliament, and think tanks.
Some attacks use RAR archives that exploit the WinRAR vulnerability CVE-2023-38831 (CVSS: 7.8) to deliver the HeadLace backdoor. The flaw allows an attacker to execute arbitrary code when a user tries to open a benign-looking file inside the archive. If the victim has a vulnerable version of WinRAR installed and opens the archive, the decoy document is displayed while the HeadLace dropper runs in the background.
In other cases the infection relies on DLL hijacking: a legitimate Microsoft binary, Calc.exe, is delivered to the target device and abused for DLL substitution. When the victim runs Calc.exe, it loads a malicious DLL that is packaged together with it in the malicious archive, and that DLL launches HeadLace. To trick the victim into running the executable, Calc.exe is renamed, and the new name contains spaces before the extension, which can keep the user from noticing the .EXE extension.
Another HeadLace variant masquerades as a Windows update. Once the script runs and its malicious components have been delivered and launched, HeadLace displays fake update status messages at set intervals.
After gaining control of the system, APT28 reportedly uses additional techniques to capture NTLM or SMB hashes, and also seeks to reach into the network through TOR.
X-Force assesses with high confidence that the group will continue to attack diplomatic and academic centers in order to obtain information about new political decisions. APT28 adapts to the changing threat landscape by exploiting publicly disclosed CVEs and using commercially available infrastructure.
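The two delivery tricks described above (the CVE-2023-38831 archive and the renamed executable with spaces padded before its extension, shipped next to a DLL) both leave traces in the archive listing itself, before anything is extracted. The following Python script is an added example written for this post, not code from IBM X-Force or the original article; it applies those listing-level heuristics to archive member names. The member names in `SAMPLE_MEMBERS` are constructed for the demonstration, and the "file and folder share a name" rule for CVE-2023-38831 follows the archive layout described in public analyses of that vulnerability, which this post does not itself detail. `scan_zip` is included because Python's standard library reads ZIP but not RAR; for RAR listings, feed the member names from your unpacker to `scan_member_names` instead.

```python
import re
import zipfile
from dataclasses import dataclass, field

# Extensions Windows will execute directly or that commonly carry droppers.
EXECUTABLE_EXT = {".exe", ".dll", ".cmd", ".bat", ".scr", ".com", ".vbs", ".js", ".ps1", ".hta"}
# Names a victim expects a "document" lure to have (matched against the stem,
# so "report.pdf .cmd" is caught even with whitespace padding).
DOC_LIKE = re.compile(r"\.(pdf|docx?|xlsx?|pptx?|txt|rtf)\s*$", re.IGNORECASE)


@dataclass
class Finding:
    member: str
    reasons: list = field(default_factory=list)


def _split(name):
    """Return (directory, stem, lowercase extension) for an archive member name."""
    directory, _, base = name.rpartition("/")
    dot = base.rfind(".")
    if dot <= 0:
        return directory, base, ""
    return directory, base[:dot], base[dot:].lower()


def scan_member_names(names):
    """Apply listing-level heuristics to archive member names; return the findings."""
    dirs = {n.rstrip("/") for n in names if n.endswith("/")}
    files = [n for n in names if not n.endswith("/")]
    # Directories that contain a DLL: an EXE placed there may be a sideloading host.
    dll_dirs = {_split(n)[0] for n in files if _split(n)[2] == ".dll"}
    findings = []
    for n in files:
        directory, stem, ext = _split(n)
        reasons = []
        # Whitespace immediately before the extension pushes ".exe" out of view in listings.
        if ext in EXECUTABLE_EXT and stem != stem.rstrip():
            reasons.append("whitespace padding hides the executable extension")
        # "something.pdf.exe" style double extensions.
        if ext in EXECUTABLE_EXT and DOC_LIKE.search(stem):
            reasons.append("document-looking name with an executable extension")
        # Legitimate signed EXE packaged together with a DLL in the same folder.
        if ext == ".exe" and directory in dll_dirs:
            reasons.append("EXE packaged next to a DLL (possible DLL search-order hijack)")
        # A file and a folder with identical names is the CVE-2023-38831 archive layout.
        if n in dirs:
            reasons.append("file and folder share a name (CVE-2023-38831-style layout)")
        if reasons:
            findings.append(Finding(n, reasons))
    return findings


def scan_zip(path):
    """Convenience wrapper for ZIP archives (RAR needs an external unpacker's listing)."""
    with zipfile.ZipFile(path) as zf:
        return scan_member_names(zf.namelist())


# Constructed sample listing combining both lure layouts from the report.
SAMPLE_MEMBERS = [
    "briefing/Aid_distribution_plan   .exe",   # renamed Calc.exe with padded extension
    "briefing/helper.dll",                     # DLL shipped alongside it (hypothetical name)
    "briefing/UN_aid_report.pdf",              # harmless decoy document
    "UN_aid_report.pdf ",                      # benign-looking file ...
    "UN_aid_report.pdf /",                     # ... and a folder with the same name
    "UN_aid_report.pdf /UN_aid_report.pdf .cmd",
]

if __name__ == "__main__":
    for f in scan_member_names(SAMPLE_MEMBERS):
        print(f"{f.member!r}: " + "; ".join(f.reasons))
```

Running the block prints three flagged members: the padded executable (two reasons, padding plus DLL co-location), the padded decoy name that collides with a folder, and the script inside that folder. The rules are deliberately coarse and will fire on some legitimate software bundles that ship an EXE next to its DLLs, so treat a hit as a triage signal for mail-gateway or sandbox review rather than a verdict on its own.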