In an alarming series of spear-phishing attacks between October and November 2021, the Russia-linked advanced persistent threat group APT29 targeted European diplomatic missions and Ministries of Foreign Affairs. This activity showcases a troubling trend of cyberespionage aimed at sensitive political partners.

ESET’s T3 2021 Threat Report, provided to The Hacker News, reveals that the intrusions facilitated the deployment of Cobalt Strike Beacon on compromised devices. This foothold was subsequently exploited to introduce additional malware, enabling the collection of crucial information on the targeted systems and their associated networks.

APT29, also known as The Dukes, Cozy Bear, and Nobelium, is a notorious cyber-espionage entity that has been operational for over a decade. Its focus has historically been on attacks in Europe and the United States. The group gained significant notoriety following its involvement in the supply chain compromise of SolarWinds in 2020, which subsequently affected numerous downstream organizations, including U.S. government agencies.

The spear-phishing operations began with a COVID-19-themed email disguised as communication from the Iranian Ministry of Foreign Affairs and carrying an HTML attachment. The attachment prompted recipients to open or save a file labeled “Covid.iso”; the ISO file was delivered by malicious JavaScript code embedded in the HTML attachment itself.

Victims who opened the file unwittingly triggered the rest of the chain: the disk image contained an HTML application, which was executed with mshta.exe. That in turn ran PowerShell code, ultimately deploying Cobalt Strike Beacon on the compromised systems.
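The execution chain described above (HTML attachment, disk image, HTML application run by mshta.exe, then PowerShell) leaves a distinctive parent/child process pattern. The following detection logic is an added example, not part of ESET’s report or The Hacker News article: it runs over constructed process-creation events and flags PowerShell spawned by mshta.exe, plus mshta.exe launching an .hta from a non-system drive letter (a mounted ISO normally receives its own letter, which is an assumption of this heuristic, not a fact from the article).

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class ProcEvent:
    """One process-creation event (Sysmon Event ID 1 style)."""
    parent_image: str
    image: str
    command_line: str

MSHTA = "mshta.exe"
POWERSHELL = {"powershell.exe", "pwsh.exe"}

# An .hta argument on a drive letter other than C:. A mounted ISO receives its
# own drive letter, so this is a heuristic (assumption), not a certainty.
NON_SYSTEM_HTA = re.compile(r'\b[D-Z]:\\[^"\s]*\.hta\b', re.IGNORECASE)

def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(ev: ProcEvent) -> Optional[str]:
    """Return a verdict string for suspicious events, None otherwise."""
    parent, image = basename(ev.parent_image), basename(ev.image)
    if parent == MSHTA and image in POWERSHELL:
        return "high: PowerShell spawned by mshta.exe"
    if image == MSHTA and NON_SYSTEM_HTA.search(ev.command_line):
        return "medium: mshta.exe ran an .hta from a non-system drive (mounted ISO?)"
    return None

def detect(events: List[ProcEvent]) -> List[Tuple[str, ProcEvent]]:
    """Run classify() over every event and keep the hits, in input order."""
    return [(v, ev) for ev in events if (v := classify(ev)) is not None]

# Constructed sample events, not real telemetry; paths and names are made up.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\mshta.exe",
              r'mshta.exe "D:\Covid.hta"'),
    ProcEvent(r"C:\Windows\System32\mshta.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -NoProfile -WindowStyle Hidden -File D:\stage.ps1"),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe",
              "notepad.exe notes.txt"),
    ProcEvent(r"C:\Program Files\App\app.exe", r"C:\Windows\System32\mshta.exe",
              r'mshta.exe "C:\Program Files\App\setup.hta"'),
]

if __name__ == "__main__":
    for verdict, ev in detect(SAMPLE_EVENTS):
        print(verdict, "|", ev.command_line)
```

The first rule is the strong signal; the drive-letter rule will also fire on legitimate .hta files run from removable media, so it is best used to add context rather than to alert on its own.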

ESET identifies APT29’s combination of HTML attachments and ISO disk images as a novel evasion method, designed to circumvent the Mark of the Web (MOTW) protection implemented by Microsoft. The researchers explain that an ISO disk image does not propagate the MOTW to the files it contains, so a file extracted from an ISO that was itself downloaded from the internet is opened without the usual security warning.

This means perpetrators can effectively bypass safeguards that would typically alert users to the presence of potentially harmful content. Once inside, the adversaries employed a range of ready-made tools to query the target’s Active Directory and execute commands remotely via SMB protocol. Tools such as AdFind, Sharp-SMBExec, and SharpView facilitated reconnaissance and exploitation, particularly targeting vulnerabilities like CVE-2021-36934 for privilege escalation.

ESET’s findings underscore the growing sophistication of APT29, highlighting the persistent threat it poses to Western organizations, especially within the diplomatic sector. Its ability to run convincing phishing campaigns, combined with strong operational security, constitutes a considerable cybersecurity risk that warrants attention from business leaders and decision-makers.
