A Russian threat actor known as Fighting Ursa (also referred to as APT28, Fancy Bear, and Sofacy) has been identified in a new campaign that began in March 2024.
This campaign uses a fake car sale advertisement to distribute the HeadLace backdoor malware, primarily targeting diplomats. The campaign leverages legitimate services such as Webhook.site to host malicious URLs, making detection and mitigation more challenging.
The below decoy image advertises a car for sale, specifically an Audi Q7 Quattro SUV. This fake advertisement is titled “Diplomatic Car For Sale.”
This campaign is attributed to Fighting Ursa with medium to high confidence based on the tactics, techniques, and procedures (TTPs) observed, as well as the use of the HeadLace backdoor, which is exclusive to this threat actor. The group is known for using public and free services to host various stages of its attacks and for repurposing tactics that have worked before.
According to the Unit 42 report, “The image provides different views of the vehicle. The image also contains contact details that are likely fake, as well as a phone number based in Romania. Finally, the image also lists the point of contact as the Southeast European Law Enforcement Center, possibly to lend this fake advertisement more credibility.”
Initial Infection Process
The infection chain starts with a URL hosted on Webhook.site, a legitimate service used for creating randomized URLs for automation purposes. The malicious URL was submitted to VirusTotal on March 14, 2024.
The HTML page hosted on Webhook.site checks if the visiting system is Windows-based and redirects non-Windows systems to a decoy image hosted on ImgBB, another legitimate service.
The HTML page then creates a ZIP archive from Base64 text within the HTML, offers it for download, and attempts to open it using JavaScript. The ZIP file, named IMG-387470302099.zip, contains three files: IMG-387470302099.jpg.exe, WindowsCodecs.dll, and zqtxmo.bat.
The file IMG-387470302099.jpg.exe uses a double extension to disguise itself as an image file. It is a copy of the legitimate Windows calculator application (calc.exe) and is used to sideload the included DLL file, WindowsCodecs.dll, which is part of the HeadLace backdoor.
The DLL file contains a function that executes the batch file zqtxmo.bat, which starts Microsoft Edge to run Base64-encoded content. This content is a hidden iframe that retrieves additional data from another Webhook.site URL. The batch file then saves this content as IMG387470302099.jpg, moves it to the %programdata% directory, renames it to IMG387470302099.cmd, and executes it before deleting itself to cover its tracks.
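The two traits of the delivery page described above, a ZIP archive carried as Base64 text inside the HTML and an archive whose listing pairs a double-extension EXE with a DLL to sideload, can both be checked statically before the file ever reaches a user. The script below is an added example written for this article, not code from the campaign, from Unit 42 or from the threat actor. It builds a constructed sample page (made-up file names and contents), pulls out every Base64 run that decodes to a valid ZIP, and reports the double-extension and EXE-beside-DLL layout. The 200-character minimum run length and the extension lists are assumptions chosen for the example.

```python
import base64
import io
import re
import zipfile
from pathlib import PurePosixPath

# Extensions that execute on Windows, and the decoy extensions an attacker
# pairs with them to make a file look like an image or a document.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".dll", ".js", ".vbs"}
DECOY_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".pdf", ".doc", ".docx", ".txt"}

# A long run of Base64 characters in the page. 200 is an assumed minimum
# chosen to skip short tokens such as inline icons or nonces.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")


def extract_embedded_zips(html: str) -> list:
    """Return every Base64 run in the HTML that decodes to a valid ZIP archive."""
    found = []
    for match in B64_RUN.finditer(html):
        try:
            blob = base64.b64decode(match.group(0), validate=True)
        except ValueError:          # not valid Base64 (binascii.Error subclasses ValueError)
            continue
        # is_zipfile checks for the end-of-central-directory record, so a
        # truncated run or a random blob starting with "PK" is rejected.
        if zipfile.is_zipfile(io.BytesIO(blob)):
            found.append(blob)
    return found


def double_extension(name: str) -> bool:
    """True for names like IMG-1234.jpg.exe: a decoy extension hiding an executable one."""
    suffixes = [s.lower() for s in PurePosixPath(name).suffixes]
    return len(suffixes) >= 2 and suffixes[-1] in EXECUTABLE_EXTS and suffixes[-2] in DECOY_EXTS


def inspect_archive(blob: bytes) -> dict:
    """Summarise the suspicious traits of one archive's file listing."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        names = [info.filename for info in zf.infolist() if not info.is_dir()]
    exts = {PurePosixPath(n).suffix.lower() for n in names}
    return {
        "entries": names,
        "double_extension": [n for n in names if double_extension(n)],
        # An EXE shipped next to a DLL in one archive is the DLL sideloading
        # layout described above (calc.exe beside WindowsCodecs.dll).
        "exe_with_dll": ".exe" in exts and ".dll" in exts,
        "script_present": bool(exts & {".bat", ".cmd", ".vbs", ".js"}),
    }


def assess_html(html: str) -> dict:
    """Run the whole check over a page and return a flat verdict."""
    archives = [inspect_archive(blob) for blob in extract_embedded_zips(html)]
    return {
        "embedded_zip_count": len(archives),
        "archives": archives,
        "suspicious": any(a["double_extension"] or a["exe_with_dll"] for a in archives),
    }


def build_sample_page() -> str:
    """Constructed sample: a page carrying a ZIP as Base64 text, laid out like the
    lure described above. File names and contents are made up for this example."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("IMG-000000000000.jpg.exe", b"MZ" + b"\x00" * 128)
        zf.writestr("WindowsCodecs.dll", b"MZ" + b"\x00" * 128)
        zf.writestr("dropper.bat", b"@echo off\r\nrem placeholder\r\n")
    payload = base64.b64encode(buf.getvalue()).decode("ascii")
    return (
        "<html><body><script>\n"
        f"var data = '{payload}';\n"
        "// the real page would turn this into a Blob and trigger a download\n"
        "</script></body></html>"
    )


if __name__ == "__main__":
    report = assess_html(build_sample_page())
    print("embedded archives:", report["embedded_zip_count"])
    for archive in report["archives"]:
        print("entries:", archive["entries"])
        print("double-extension names:", archive["double_extension"])
        print("EXE beside DLL:", archive["exe_with_dll"])
    print("suspicious:", report["suspicious"])
```

The check is deliberately content-agnostic: it does not need the specific file names from this campaign, so the same function flags any page that smuggles an archive with this layout, whether the names are reused or not.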
Fighting Ursa continues to evolve its tactics, leveraging legitimate web services for malicious purposes. Continuous vigilance and updated security measures are essential to defend against such sophisticated threats.
Indicators of Compromise
HTML page hosted on webhook site with decoy image and payload zip file:
- cda936ecae566ab871e5c0303d8ff98796b1e3661885afd9d4690fc1e945640e
Car for sale image lure:
- 7c85ff89b535a39d47756dfce4597c239ee16df88badefe8f76051b836a7cbfb
ZIP file containing calc.exe, malicious DLL and BAT file:
- dad1a8869c950c2d1d322c8aed3757d3988ef4f06ba230b329c8d510d8d9a027
Legitimate calc.exe abused to sideload the malicious DLL:
- c6a91cba00bf87cdb064c49adaac82255cbec6fdd48fd21f9b3b96abf019916b
Malicious file named WindowsCodecs.dll sideloaded by calc.exe:
- 6b96b991e33240e5c2091d092079a440fa1bef9b5aecbf3039bf7c47223bdf96
Batch file named zqtxmo.bat executed by the above malicious DLL:
- a06d74322a8761ec8e6f28d134f2a89c7ba611d920d080a3ccbfac7c3b61e2e7
URLs that hosted content for this campaign:
- hxxps[:]//webhook[.]site/66d5b9f9-a5eb-48e6-9476-9b6142b0c3ae
- hxxps[:]//webhook[.]site/d290377c-82b5-4765-acb8-454edf6425dd
- hxxps[:]//i.ibb[.]co/vVSCr2Z/car-for-sale.jpg
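To turn the indicators above into something a SOC can run, the following Python snippet (an added example, not code from the article's authors or from Unit 42) refangs the defanged URLs, matches them against a proxy log, and looks SHA-256 digests up against the hash list. The hashes and URLs are the ones listed above; the log format (space-separated timestamp, client, method, URL, status), the client addresses and the timestamps are constructed for the example. Because Webhook.site and ImgBB are legitimate services, a request to those hosts that does not match an exact IoC URL is reported separately as a hunting lead rather than as a hit.

```python
import hashlib
import re
from typing import Optional
from urllib.parse import urlsplit

# Hashes and URLs exactly as listed in the Indicators of Compromise above.
IOC_SHA256 = {
    "cda936ecae566ab871e5c0303d8ff98796b1e3661885afd9d4690fc1e945640e": "HTML lure page",
    "7c85ff89b535a39d47756dfce4597c239ee16df88badefe8f76051b836a7cbfb": "car-for-sale decoy image",
    "dad1a8869c950c2d1d322c8aed3757d3988ef4f06ba230b329c8d510d8d9a027": "ZIP archive",
    "c6a91cba00bf87cdb064c49adaac82255cbec6fdd48fd21f9b3b96abf019916b": "legitimate calc.exe, abused for sideloading",
    "6b96b991e33240e5c2091d092079a440fa1bef9b5aecbf3039bf7c47223bdf96": "WindowsCodecs.dll (HeadLace)",
    "a06d74322a8761ec8e6f28d134f2a89c7ba611d920d080a3ccbfac7c3b61e2e7": "zqtxmo.bat",
}
IOC_URLS_DEFANGED = [
    "hxxps[:]//webhook[.]site/66d5b9f9-a5eb-48e6-9476-9b6142b0c3ae",
    "hxxps[:]//webhook[.]site/d290377c-82b5-4765-acb8-454edf6425dd",
    "hxxps[:]//i.ibb[.]co/vVSCr2Z/car-for-sale.jpg",
]


def refang(url: str) -> str:
    """Undo the defanging conventions used above (hxxp, [:], [.]) to get a matchable URL."""
    url = re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)
    return url.replace("[:]", ":").replace("[.]", ".")


IOC_URLS = {refang(u) for u in IOC_URLS_DEFANGED}
# Hosts of the abused services; a hit here is a lead to review, not a confirmed IoC.
ABUSED_HOSTS = {urlsplit(u).hostname for u in IOC_URLS}


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def lookup_sha256(digest: str) -> Optional[str]:
    """Return the IoC description for a SHA-256 hex digest, or None if unknown."""
    return IOC_SHA256.get(digest.lower())


def scan_proxy_log(text: str) -> dict:
    """Split log lines into exact IoC URL hits and host-only hits on the abused services."""
    exact, host_only = [], []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue                      # malformed line, skip it
        url = fields[3]
        if url in IOC_URLS:
            exact.append(line)
        elif urlsplit(url).hostname in ABUSED_HOSTS:
            host_only.append(line)
    return {"ioc_hits": exact, "abused_service_hits": host_only}


# Constructed sample proxy log (format, clients and times are made up).
SAMPLE_PROXY_LOG = """\
2024-03-14T09:12:01Z 10.0.0.21 GET https://www.example.com/index.html 200
2024-03-14T09:13:45Z 10.0.0.21 GET https://webhook.site/66d5b9f9-a5eb-48e6-9476-9b6142b0c3ae 200
2024-03-14T09:13:46Z 10.0.0.21 GET https://i.ibb.co/vVSCr2Z/car-for-sale.jpg 200
2024-03-14T09:20:10Z 10.0.0.33 GET https://webhook.site/ 200
"""

if __name__ == "__main__":
    result = scan_proxy_log(SAMPLE_PROXY_LOG)
    for line in result["ioc_hits"]:
        print("IOC HIT   ", line)
    for line in result["abused_service_hits"]:
        print("REVIEW    ", line)
    print(lookup_sha256("a06d74322a8761ec8e6f28d134f2a89c7ba611d920d080a3ccbfac7c3b61e2e7"))
```

Exact URL matching is the right granularity for Webhook.site indicators: each path is a randomly generated endpoint, so the path is the indicator and the host alone says only that someone used the service.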