APT29, one of Russia’s state-sponsored hacking groups, has been employing uncommon lures, such as car listings, to entice Western diplomats into clicking on malicious links that could deploy malware.
Based on reports, APT29 is an affiliate of the Russian government’s Foreign Intelligence Service. This group is responsible for multiple cyberespionage operations that target high-profile individuals worldwide.
APT29 uses BMW car advertisements to entice diplomats into clicking its lures.
According to recent investigations, the Russian threat group APT29 is leveraging a fake BMW car advertisement to target Western diplomats in Kyiv, Ukraine.
The attackers send these sale fliers to the targeted diplomats’ email addresses. The listings mimic a legitimate car sale and were in circulation for two weeks before a Polish diplomat was due to leave Ukraine.
Once a recipient clicks the “more high-quality photos” button, the link redirects them to an HTML page that delivers a malicious ISO payload through HTML smuggling.
HTML smuggling is a tactic used by cybercriminals in phishing attacks: HTML5 and JavaScript are used to hide a malicious payload as an encoded string inside an HTML attachment or webpage. The browser then decodes the string when the user opens the attachment or follows the link.
Hence, such tactics can evade security products, because the malicious code stays hidden in transit and is only reconstructed when the page is rendered in the browser.
Researchers noted that the “photos” used by the actors in the lure appear to be PNG images but are actually LNK files that trigger the infection chain.
Furthermore, when the victim opens any of the LNK files posing as PNG images, a legitimate executable is launched that uses DLL side-loading to inject shellcode into the current process in memory.
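The two detection points above, an HTML page that decodes a large embedded blob into a file download and a “photo” whose bytes are really a Windows shell link, can both be checked mechanically at the mail gateway or during triage. The following is an added example for defenders, not code from the original report; the indicator names, the heuristic patterns, and the sample HTML and file bytes are constructed for illustration.

```python
import re

# Indicators commonly present in HTML-smuggling pages: a large embedded
# base64 blob plus JavaScript that decodes it and hands the browser a file.
SMUGGLING_PATTERNS = {
    "atob_decode": re.compile(r"\batob\s*\("),
    "blob_object": re.compile(r"\bnew\s+Blob\s*\("),
    "object_url": re.compile(r"URL\.createObjectURL\s*\("),
    "ms_save_blob": re.compile(r"msSaveOrOpenBlob"),
    "download_attr": re.compile(r"\bdownload\s*=", re.IGNORECASE),
    "iso_filename": re.compile(r"\.iso\b", re.IGNORECASE),
    "large_base64": re.compile(r"[A-Za-z0-9+/]{800,}={0,2}"),
}

def html_smuggling_indicators(html: str) -> list[str]:
    """Return the names of smuggling indicators found in an HTML document."""
    return [name for name, pat in SMUGGLING_PATTERNS.items() if pat.search(html)]

# A Windows shell link (.LNK) starts with HeaderSize 0x4C followed by the
# fixed LinkCLSID 00021401-0000-0000-C000-000000000046.
LNK_MAGIC = bytes.fromhex("4c000000" "01140200" "00000000" "c0000000" "00000046")
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
IMAGE_SUFFIXES = (".png", ".jpg", ".jpeg", ".gif")

def is_masquerading_lnk(filename: str, data: bytes) -> bool:
    """True when a file is presented as an image but its bytes are a shell link.

    Catches both a bare image extension and the double-extension trick
    (photo.png.lnk), where Explorer hides the trailing .lnk.
    """
    lower = filename.lower()
    looks_like_image = lower.endswith(IMAGE_SUFFIXES) or any(
        s + "." in lower for s in IMAGE_SUFFIXES
    )
    return looks_like_image and data.startswith(LNK_MAGIC)

# Constructed samples (not from the campaign) used to exercise the checks.
SAMPLE_HTML = (
    '<a id="dl" download="photos.iso"></a><script>'
    'var b64="' + "QUJD" * 300 + '";'
    "var bytes=Uint8Array.from(atob(b64),c=>c.charCodeAt(0));"
    'var blob=new Blob([bytes],{type:"application/octet-stream"});'
    'document.getElementById("dl").href=URL.createObjectURL(blob);'
    "</script>"
)
SAMPLE_LNK = LNK_MAGIC + b"\x00" * 56   # header magic plus zeroed padding
SAMPLE_PNG = PNG_MAGIC + b"\x00" * 8

if __name__ == "__main__":
    print("HTML indicators:", html_smuggling_indicators(SAMPLE_HTML))
    print("photo1.png.lnk is LNK:", is_masquerading_lnk("photo1.png.lnk", SAMPLE_LNK))
```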
Further investigation showed that the campaign has already targeted 22 of the 80 foreign diplomats in Kyiv. The confirmed targets came from countries including the United States, Spain, Greece, the Netherlands, Canada, Turkey, Denmark, and Estonia.
Finally, approximately 80% of the email addresses that received the malicious BMW car listings are publicly accessible online. The APT29 group could therefore have sourced the remaining 20% through intelligence collection and account compromise.