APT29, aka Cozy Bear, has been active for quite some time and has impacted a lot of organizations, militaries, think tanks, and defense contractors. Recently, Mandiant uncovered another phishing campaign by the cyberespionage group targeting a diplomatic entity. 

Diving into details

In a series of new campaigns, APT29 is targeting government agencies and diplomats. The phishing emails pretended to contain policy updates and originated from legitimate email addresses belonging to embassies. The campaign lasted from January to March and used several topics and email addresses. 

Tools used

  • The emails were eerily similar to those conducted by the Nobelium group in 2021. 
  • APT29 used ROOTSAW (EnvyScout) to deploy payloads, as well as exploited DropBox and Firebase for C2. 
  • The attackers, furthermore, abused Atlassian’s Trello and other cloud service platforms for C2 communication.  

Malware deployment

  • The emails leveraged the HTML Smuggling technique to deliver an ISO or IMG file to the recipient - a technique commonly used by Cozy Bear. 
  • The file contained an LNK that executed a malicious DLL file.
  • The DLL execution, in turn, deployed the BEATDROP downloader, which was later replaced with a new C++ BEACON loader, featuring high-level functionalities.
  • These capabilities include keylogging, exfiltrating account credentials, taking screenshots, and port scanning, among others. 
  • Both the downloaders deployed BOOMIC to establish persistence.

The bottom line

APT29 is a highly sophisticated gang and Mandiant researchers believe that the ultimate aim of the attackers is to gain long-term persistence and access to victim environments, as well as gather foreign and diplomatic policy information from government entities. Cozy Bear is using a plethora of means to achieve its goals and maintain access to an infected environment.

Cyware Publisher