Recently, Cluster25, a threat intelligence firm, uncovered a spear-phishing campaign dubbed “The Bear and the Shell,” specifically targeting entities critical of the Russian government and aligned with dissident movements.
The campaign leverages social engineering tactics, employing seemingly legitimate lures to deceive victims.
One example involves a NASA-themed email containing a ZIP file disguised as a job offer. Upon opening, the file unleashes a multiplatform reverse shell named HTTP-Shell, granting attackers remote access to the victim’s system.
This shell, while open-source, can be manipulated for malicious purposes, enabling file transfers, directory navigation, and establishing connections to a command and control (C&C) server.
In this case, the C&C server masqueraded as a PDF editing site to further evade detection.
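A defender-side check suggested by the lure described above, added here as an example (it is not code from the Cluster25 report or the HTTP-Shell project): inspect a ZIP e-mail attachment and flag entries that are Windows shortcuts, identified by the ShellLink header rather than by extension, or that carry an executable/script extension. The sample archive and file names are constructed, and treating the lure as a ZIP-wrapped shortcut is an assumption drawn from the report's mention of shared shortcut icons.

```python
import io
import zipfile

# ShellLink header: HeaderSize 0x4C followed by the LinkCLSID
# 00021401-0000-0000-C000-000000000046 in little-endian byte order.
LNK_MAGIC = b"\x4c\x00\x00\x00" + bytes.fromhex("0114020000000000c000000000000046")
RISKY_EXTS = {".lnk", ".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".ps1", ".hta"}


def suspicious_entries(zip_bytes: bytes) -> list[tuple[str, str]]:
    """Return (entry name, reason) for archive members a mail gateway should hold."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            base = name.rsplit("/", 1)[-1].lower()
            ext = "." + base.rsplit(".", 1)[-1] if "." in base else ""
            with zf.open(info) as fh:
                head = fh.read(len(LNK_MAGIC))
            if head == LNK_MAGIC:
                # Content check first: a shortcut renamed to .pdf is still a shortcut.
                findings.append((name, "windows shortcut (ShellLink header)"))
            elif ext in RISKY_EXTS:
                findings.append((name, f"executable or script extension {ext}"))
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample attachment: one lure shortcut, one renamed shortcut,
    one real-looking PDF and one executable (hypothetical names)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("NASA_Job_Offer.pdf.lnk", LNK_MAGIC + b"\x00" * 64)
        zf.writestr("Job_Offer.pdf", b"%PDF-1.4\n%constructed placeholder\n")
        zf.writestr("notes.pdf", LNK_MAGIC + b"\x00" * 64)  # shortcut hiding as a PDF
        zf.writestr("update.exe", b"MZ" + b"\x00" * 32)
    return buf.getvalue()


SAMPLE_ZIP = build_sample_zip()

if __name__ == "__main__":
    for entry, reason in suspicious_entries(SAMPLE_ZIP):
        print(f"HOLD {entry}: {reason}")
```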
Beyond NASA: A Broader Web of Deception
The investigation revealed more than just a single attack. Cluster25 discovered additional campaigns with striking similarities.
They all utilized the same kill chain, employed identical shortcut icons, and shared some lure themes. This evidence suggests a coordinated effort targeting various individuals and organizations.
The campaign expanded its reach beyond a NASA-themed lure, incorporating diverse themes to ensnare different targets.
One tactic involved a USAID-themed attack, exploiting the reputation of the United States Agency for International Development.
Another targeted Bellingcat, a Netherlands-based investigative journalism group, highlighting the campaign’s global reach.
Additionally, articles from independent Russian media outlets like The Bell and Verstka were used as lures, demonstrating the attackers’ attempt to infiltrate the very communities critical of the Russian government.
Attribution: Pointing the Finger at the Bear
While definitive attribution remains elusive, evidence points towards a Russian state-sponsored threat actor.
The campaign’s targets, coupled with the use of infrastructure linked to previous Sliver beacon activity, suggest a connection to actors operating on behalf of the Russian government.
This raises concerns about targeted cyberattacks aimed at suppressing dissent and silencing critical voices.