Threat actors are running a new espionage campaign that targets NATO countries with PDF lures carrying the Russia-linked payload known as Duke malware. According to the reports, Duke is the primary toolset of the Russian state-sponsored threat group APT29, also tracked as Cozy Bear, Nobelium, and The Dukes.
The campaign deployed two PDF files. One of them carried no payload at all; it only notified the operators when a victim opened the email attachment, which indicates it was used for testing or for reconnaissance of which recipients open the lures.
The malicious PDFs pose as a diplomatic invitation from the German embassy. Researchers assess that these lures are part of a broader global campaign targeting the diplomatic corps.
The reports did not directly attribute the new lures impersonating the German embassy to APT29. However, the researchers noted that several details of the operation closely resemble the tactics employed by that Russian state-sponsored group.
The Duke malware operators distribute their lures through a previously compromised, otherwise legitimate web domain.
According to the investigation, the Duke malware campaign hosts its PDF lures on the genuine government domain bahamas.gov.bs. Separate research found that another operation used the same domain to impersonate the Norwegian embassy, also targeting diplomatic entities with invitation lures.
Because both operations stage their lures on the same compromised domain, the researchers assess with confidence that the new PDF campaign is the work of the same threat actor that impersonated the Norwegian embassy.
Russia's cyber espionage activity against Europe has surged since the start of its war with Ukraine. Experts note that the most affected countries are those closest to Kyiv, such as Poland, Latvia, and Lithuania.
APT29, the suspected operator of the new campaign, is notorious for abusing legitimate web services for malware command and control. The group is attributed to Russia's Foreign Intelligence Service (SVR), which collects political and economic intelligence from other countries.
The group's primary targets are political organisations, research firms, governments, and critical sectors such as healthcare, education, technology, and finance in Europe and the United States.
Researchers noted that the APT29 cyberespionage group has conducted attacks against the Ukrainian military and political parties since the start of the conflict, and they expect this activity to continue for as long as Russia funds the group.