The APT29 espionage campaign is ongoing and the Polish military is urging potential targets to mitigate the risk.

The Polish government warns that a cyberespionage group linked to Russia’s intelligence services is targeting diplomatic and foreign ministries from NATO and EU member states in an ongoing campaign that uses previously undocumented malware payloads. The group, known in the security industry as APT29, Cozy Bear, and NOBELIUM, is believed to be part of Russia’s Foreign Intelligence Service (SVR) and is the group behind the 2020 supply chain attack against software company SolarWinds that led to the compromise of thousands of organizations worldwide.

In the new attack campaign, discovered and investigated by Poland’s Military Counterintelligence Service and CERT Polska (CERT.PL), the APT29 hackers targeted selected personnel at diplomatic posts with spear phishing emails that masqueraded as messages from the embassies of European countries inviting them to meetings or to collaborate on documents. The emails had PDF attachments that contained links to supposedly external calendars, meeting details or work files. The links led to web pages that used JavaScript code to decode a payload and offer it for download. This script, which uses a technique called HTML Smuggling, served files with .ISO, .ZIP or .IMG extensions.

Attack campaign uses DLL sideloading

APT29 has used .ISO files for malware distribution before, but the use of .IMG (disk image) files is a new technique. Both ISO and IMG files are automatically mounted as a virtual disk when opened in Windows and the user can access the files contained within. In this case, the files were Windows shortcuts (LNK) that launched a legitimate executable, which in turn loaded a malicious DLL. This technique is known as DLL sideloading and involves attackers delivering an executable file belonging to a legitimate application that is known to load a DLL library with a particular name from the same directory.
The attackers only have to provide a malicious DLL with the same name to accompany the file. By using a legitimate file to load malicious code in memory, attackers hope to evade detection by security tools that might have that file whitelisted.

The first payload of the attack is a custom malware dropper that the Polish researchers dubbed SNOWYAMBER. This is a lightweight program that collects basic information about the computer and contacts a command-and-control server hosted on Notion.so, an online workspace collaboration service. The goal of this dropper is to download and execute additional malware, and the researchers have seen the APT29 attackers use it to deploy Cobalt Strike and BruteRatel beacons. Both are commercial post-exploitation frameworks intended for penetration testers but which have found adoption with attackers, too.

A variant of SNOWYAMBER was detected and reported publicly by Recorded Future in October 2022, but a new variant with additional anti-detection routines was found by the Polish researchers in February 2023. SNOWYAMBER is not the only malware dropper used by APT29. In February, the group was seen using another payload, dubbed HALFRIG, that was also used to deploy Cobalt Strike. However, instead of downloading the beacon from a command-and-control server, it decrypted it from shellcode. In March, the hackers were seen using yet another tool, dubbed QUARTERRIG, that shares part of its codebase with HALFRIG. The use of multiple droppers in a relatively short timespan suggests that the attackers are quickly adapting and replacing tools that are identified by the security community and no longer deliver the same success rate.

APT29 espionage campaign is ongoing

“At the time of publication of the report, the campaign is still ongoing and in development,” the Polish government said in its advisory.
“The aim of publishing the advisory is to disrupt the ongoing espionage campaign, impose additional cost of operations against allied nations and enable the detection, analysis and tracking of the activity by affected parties and the wider cyber security industry.”

The list of targets in the area of interest for APT29 includes government entities, diplomatic entities (foreign ministries, embassies, diplomatic staff and those working in international entities), international organizations, and non-governmental organizations. While the attacks focused mainly on EU and NATO entities, some targets were also observed in Africa.

The Polish Military Counterintelligence Service and CERT.PL recommend that organizations that think they might be a target implement the following defensive measures:

- Block the ability to mount disk images on the file system, as most users don’t need this functionality.
- Monitor the mounting of disk image files by users with administrator roles.
- Enable and configure attack surface reduction rules.
- Configure software restriction policy.
- Block the possibility of starting executable files from unusual locations (in particular, temporary directories, %localappdata% and its subdirectories, and external media).

The Polish government’s advisory also includes indicators of compromise that can be used to build detection for the known malware samples.
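As an added illustration (not code from the advisory, CERT.PL or this article), the following Python hunting logic applies two of the recommendations above to constructed Sysmon-style events: it flags executables started from the unusual locations the advisory lists (non-system drives such as mounted ISO/IMG images, temp directories, %localappdata%) and the DLL sideloading pattern described earlier, where a signed executable loads an unsigned DLL from its own directory. The event fields, paths and file names are assumptions.

```python
import ntpath

# Expected homes for executables on the system drive, and the advisory's
# "unusual" fragments (temp directories and %localappdata%).
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
UNUSUAL_MARKERS = ("\\appdata\\local\\", "\\temp\\", "\\tmp\\")

# Constructed Sysmon-style events (not from the advisory): id 1 = process
# creation, id 7 = image load. "signed" stands in for the signature status.
EVENTS = [
    # LNK inside a mounted ISO/IMG starts a signed vendor binary from drive E:
    {"id": 1, "pid": 4120, "image": r"E:\Invitation\viewer.exe", "signed": True},
    {"id": 7, "pid": 4120, "loaded": r"E:\Invitation\helper.dll", "signed": False},
    {"id": 7, "pid": 4120, "loaded": r"C:\Windows\System32\kernel32.dll", "signed": True},
    # Same binary installed normally; its unsigned helper is not a finding here.
    {"id": 1, "pid": 4200, "image": r"C:\Program Files\Vendor\viewer.exe", "signed": True},
    {"id": 7, "pid": 4200, "loaded": r"C:\Program Files\Vendor\helper.dll", "signed": False},
    # Unsigned installer started from a temp directory (unusual launch only).
    {"id": 1, "pid": 4300, "image": r"C:\Users\jdoe\AppData\Local\Temp\setup.exe", "signed": False},
]


def is_unusual_location(image: str) -> bool:
    """True for a non-system drive (external media and mounted disk images get
    their own letter, UNC shares have none), a temp directory or %localappdata%."""
    p = image.lower()
    drive, _ = ntpath.splitdrive(p)
    if drive != "c:":
        return True
    if p.startswith(TRUSTED_DIRS):
        return False
    return any(m in p for m in UNUSUAL_MARKERS)


def find_unusual_launches(events):
    """Images of processes created from the locations the advisory wants blocked."""
    return [e["image"] for e in events if e["id"] == 1 and is_unusual_location(e["image"])]


def find_sideload_candidates(events):
    """DLL sideloading pattern: a signed executable started from an unusual
    location loads an unsigned DLL that sits in the executable's own directory."""
    procs = {e["pid"]: e for e in events if e["id"] == 1}
    hits = []
    for e in events:
        if e["id"] != 7 or e["signed"]:
            continue
        proc = procs.get(e["pid"])
        if proc is None or not proc["signed"] or not is_unusual_location(proc["image"]):
            continue
        if ntpath.dirname(e["loaded"].lower()) == ntpath.dirname(proc["image"].lower()):
            hits.append({"pid": e["pid"], "image": proc["image"], "dll": e["loaded"]})
    return hits
```

The location filter deliberately ignores sideloading under Program Files, so tune TRUSTED_DIRS to your own baseline before relying on the sideload rule.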