Russian APT28 Hackers Targeting 13 Nations in Ongoing Cyber Espionage Campaign

Cyber Security Threat Summary:
A new blog post from IBM X-Force highlights the use by APT28, a group of Russian military hackers, of Israel-Hamas conflict lures to deliver Headlace malware. Headlace is a multi-component malware consisting of a dropper, a VBS launcher, and a backdoor that runs Microsoft Edge in headless mode to download second-stage payloads and exfiltrate credentials and other sensitive data. Although it is unclear how many entities have been impacted in the latest campaign, organizations in the following countries are the primary targets: Hungary, Türkiye, Australia, Poland, Belgium, Ukraine, Germany, Azerbaijan, Saudi Arabia, Kazakhstan, Italy, Latvia and Romania.

Security Officer Comments:
To lure potential victims, APT28 is using documents associated with the United Nations, the Bank of Israel, the United States Congressional Research Service, the European Parliament, a Ukrainian think tank and an Azerbaijan-Belarus Intergovernmental Commission. In the observed attacks, researchers note that the actors exploit the WinRAR vulnerability (CVE-2023-38831) so that opening a .RAR archive on the victim's system displays the lure documents while the Headlace malware executes in the background. Researchers have also observed the delivery of a legitimate Microsoft Calc.exe binary, which is susceptible to DLL hijacking, to deploy the dropper payload on targeted systems.

Suggested Correction(s):
X-Force recommends organizations to:

  • Stay abreast of newly published exploits likely to be used by APT actors.
  • Hunt for regularly spawned processes containing “msedge --headless=new --disable-gpu”.
  • Hunt for headless MS Edge processes downloading .CSS files.
  • Monitor for downloaded archives containing .CMD files.
  • Monitor for DLL hijacking via modified WindowsCodecs.dll files.
  • Monitor for filenames containing an unusually large number of consecutive whitespaces.
  • Monitor network traffic for unusual or unsanctioned commercial service use.
  • Monitor for suspicious use of browsers in headless mode.
  • Install and configure endpoint security software.
  • Update relevant network security monitoring rules.
  • Educate staff on the potential threats to the organization.
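The hunting points above can be turned into simple triage rules. The Python below is an added example, not code from the X-Force post; it runs four of those rules over constructed sample telemetry, and the record layout, the whitespace-run threshold and the "trusted system directory" list are assumptions.

```python
import re

# Hunting patterns drawn from the recommendations above; thresholds are assumptions.
HEADLESS_EDGE = re.compile(r"\bmsedge(?:\.exe)?\b.*--headless", re.IGNORECASE)
WHITESPACE_RUN = re.compile(r" {8,}")      # assumed threshold for "unusually large"
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

def headless_edge(cmdline):
    """True if a command line launches Edge in headless mode (e.g. with --disable-gpu)."""
    return bool(HEADLESS_EDGE.search(cmdline))

def padded_filename(name):
    """True if a file name hides its real extension behind a long run of spaces."""
    return bool(WHITESPACE_RUN.search(name))

def archive_with_cmd(entries):
    """Return the .CMD members of an archive listing (member names only)."""
    return [e for e in entries if e.lower().endswith(".cmd")]

def hijacked_codecs_dll(dll_path):
    """True if WindowsCodecs.dll is loaded from outside the Windows system directories."""
    p = dll_path.lower()
    return p.endswith("windowscodecs.dll") and not p.startswith(SYSTEM_DIRS)

def triage(events):
    """Map each telemetry record to the hunting rule it trips; records with no hit are dropped."""
    hits = []
    for ev in events:
        if ev["kind"] == "process" and headless_edge(ev["cmdline"]):
            hits.append((ev["id"], "headless-edge"))
        elif ev["kind"] == "file" and padded_filename(ev["name"]):
            hits.append((ev["id"], "whitespace-padded-name"))
        elif ev["kind"] == "archive" and archive_with_cmd(ev["entries"]):
            hits.append((ev["id"], "archive-contains-cmd"))
        elif ev["kind"] == "imageload" and hijacked_codecs_dll(ev["dll"]):
            hits.append((ev["id"], "windowscodecs-sideload"))
    return hits

SAMPLE_EVENTS = [  # constructed sample telemetry, not data from the campaign
    {"id": 1, "kind": "process", "cmdline": "msedge.exe --headless=new --disable-gpu https://example.invalid/a.css"},
    {"id": 2, "kind": "process", "cmdline": "msedge.exe --profile-directory=Default"},
    {"id": 3, "kind": "file", "name": "Report.pdf" + " " * 40 + ".cmd"},
    {"id": 4, "kind": "archive", "entries": ["lure.pdf", "lure.pdf.cmd"]},
    {"id": 5, "kind": "imageload", "dll": "C:\\Users\\u\\Downloads\\WindowsCodecs.dll"},
    {"id": 6, "kind": "imageload", "dll": "C:\\Windows\\System32\\WindowsCodecs.dll"},
]

if __name__ == "__main__":
    for event_id, rule in triage(SAMPLE_EVENTS):
        print(f"event {event_id}: {rule}")
```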