Russian threat actors are allegedly behind a campaign that targets the foreign affairs ministries of NATO member nations.
Duke Virus
The malware, known as Duke, has been linked to APT29 (also tracked as BlueBravo, Cloaked Ursa, Cozy Bear, Iron Hemlock, Midnight Blizzard, and The Dukes). It is distributed through phishing attacks that use PDF documents with diplomatic lures, some of which purport to come from Germany.
Zulip Chat App
In a report released last week, Dutch cybersecurity firm EclecticIQ noted that the threat actor used the open-source chat application Zulip for command-and-control in order to evade detection.
The infection chain is as follows: the PDF document, titled “Farewell to Ambassador of Germany,” has JavaScript code embedded in it that starts a multi-stage process to plant a persistent backdoor on infected networks.
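As an added example (not from the EclecticIQ report or this article), a small static triage check in Python for the kind of lure described above: it counts PDF name objects such as /JavaScript, /JS and /OpenAction after decoding the #xx hex escapes sometimes used to hide them, and runs against a constructed minimal PDF skeleton rather than a real sample from the campaign.

```python
import re

# PDF name objects that warrant a closer look in a document received as a diplomatic lure.
SUSPICIOUS_KEYS = {
    b"/JavaScript": "embedded JavaScript",
    b"/JS": "JavaScript stream or string",
    b"/OpenAction": "action run automatically when the document opens",
    b"/AA": "additional (automatic) action",
    b"/Launch": "launch action",
    b"/EmbeddedFile": "embedded file attachment",
}


def normalise_names(data: bytes) -> bytes:
    """Decode #xx hex escapes in PDF names, e.g. /J#61vaScript -> /JavaScript.
    Applied to the whole file as a triage heuristic, so it also touches stream bodies."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)


def triage_pdf(data: bytes) -> dict:
    """Return a count for each suspicious key found in the de-obfuscated PDF bytes."""
    normalised = normalise_names(data)
    hits = {}
    for key in SUSPICIOUS_KEYS:
        # Negative lookahead: /JS must not match inside /JSX, nor /AA inside /AAA.
        pattern = re.escape(key) + rb"(?![A-Za-z0-9_])"
        count = len(re.findall(pattern, normalised))
        if count:
            hits[key.decode()] = count
    return hits


def is_suspicious(hits: dict) -> bool:
    """Flag JavaScript paired with an automatic trigger, or any launch action."""
    has_js = "/JavaScript" in hits or "/JS" in hits
    auto_trigger = "/OpenAction" in hits or "/AA" in hits
    return (has_js and auto_trigger) or "/Launch" in hits


# Constructed sample: a minimal PDF skeleton whose OpenAction runs JavaScript,
# with the /JavaScript name hidden behind a hex escape. Not a sample from the campaign.
SAMPLE_PDF = (
    b"%PDF-1.7\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"3 0 obj << /S /J#61vaScript /JS (app.alert('Farewell')) >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

if __name__ == "__main__":
    found = triage_pdf(SAMPLE_PDF)
    print(found, "SUSPICIOUS" if is_suspicious(found) else "no automatic JavaScript trigger")
```

A hit only means the file deserves sandboxing or a look with a proper PDF parser; benign forms also use JavaScript, and content inside compressed streams is not visible to this check.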
In a prior study, Lab52 described an attack that impersonated the Norwegian embassy and delivered a DLL payload that connected to a remote server to retrieve further payloads. Lab52 also noted APT29’s use of invitation-themed lures.
Command-and-control (C2) is carried out through Zulip’s API, which is used to remotely take over the compromised hosts and relay victim information to an actor-controlled chat room (toy.zulipchat[.]com).
Governments and their contractors, political parties, research organisations, and critical sectors of the economy in the United States and Europe are APT29’s main targets. But in an intriguing turn of events, an unidentified adversary has been seen borrowing its tactics to compromise Chinese-speaking users with Cobalt Strike.
The development comes just after the Computer Emergency Response Team of Ukraine (CERT-UA) issued a warning regarding a fresh wave of phishing attempts targeting Ukrainian government institutions. That campaign utilizes Merlin, an open-source post-exploitation toolkit written in the Go programming language.
The war-torn nation has also been subjected to persistent cyberattacks from Sandworm, an elite hacking group connected to Russian military intelligence. Sandworm’s primary objectives have been to disrupt critical operations and gather intelligence for tactical advantage.