Poland accuses Russian GRU of government network attack

May 14, 2024
Russian GRU Poland Europe Phishing

Poland says a state-sponsored threat group associated with the Russian GRU attacked Polish government institutions earlier this week.

According to the country's Computer Security Incident Response Team (which is overseen by the Polish Minister of National Defense) and CERT Polska (the Polish computer emergency response team), evidence shows that the Russian state-sponsored group APT28 launched a large-scale phishing campaign against multiple Polish government institutions.

Based on reports, the phishing emails attempted to deceive the recipients into opening an embedded link that would provide the threat actors access to more information about a “mysterious Ukrainian woman” selling “used underwear” to “senior authorities in Poland and Ukraine.”

Once a recipient clicks the link, they are redirected through several websites before arriving at a landing page that serves a ZIP package. The phishing bundle contains a malicious executable disguised as a JPG image file and two hidden files: a DLL and a .BAT script.


The threat group allegedly affiliated with the Russian GRU uses misdirection to deploy its malicious payload onto a victim's system.


When the target opens the disguised executable, it loads the DLL via DLL side-loading, and the DLL in turn runs the hidden script. The script displays a snapshot of a woman in a swimsuit in the Microsoft Edge browser as a distraction while it downloads a CMD file and changes its extension to JPG.
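As an added illustration that is not part of the article or of CERT Polska's tooling, the following triage check looks for the three traits the bundle described above shares: a Windows executable carrying an image-style name, a DLL packaged beside it (a side-loading candidate), and a batch script flagged hidden. The archive it scans is constructed inline with placeholder file names, not the real lure.

```python
import io
import zipfile

HIDDEN_ATTR = 0x02               # MS-DOS "hidden" bit, low byte of external_attr
IMAGE_EXTS = (".jpg", ".jpeg", ".png")
SCRIPT_EXTS = (".bat", ".cmd")

def is_pe(head: bytes) -> bool:
    """True if the bytes start with the MZ magic of a Windows executable."""
    return head[:2] == b"MZ"

def analyze_zip(blob: bytes) -> dict:
    """Check a ZIP for the three traits of the bundle described above:
    a PE file carrying an image-style name, a DLL beside it (side-loading
    candidate) and a hidden batch script. Returns what was found."""
    findings = {"disguised_exe": [], "dll": [], "hidden_script": []}
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            name = info.filename.lower()
            hidden = bool(info.external_attr & HIDDEN_ATTR)
            with zf.open(info) as fh:
                head = fh.read(2)
            # Image extension somewhere in the name (e.g. photo.jpg.exe) but PE bytes inside.
            if is_pe(head) and any(ext in name for ext in IMAGE_EXTS):
                findings["disguised_exe"].append(info.filename)
            if name.endswith(".dll"):
                findings["dll"].append(info.filename)
            if name.endswith(SCRIPT_EXTS) and hidden:
                findings["hidden_script"].append(info.filename)
    findings["suspicious"] = all(findings[k] for k in ("disguised_exe", "dll", "hidden_script"))
    return findings

def build_sample_zip(script_hidden: bool = True) -> bytes:
    """Constructed stand-in for the lure archive (placeholder names, not the real files)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("photo.jpg.exe", b"MZ" + b"\x00" * 62)   # PE stub with image-style name
        for fname, data, hidden in (("helper.dll", b"MZ" + b"\x00" * 62, True),
                                    ("run.bat", b"@echo off\r\n", script_hidden)):
            zi = zipfile.ZipInfo(fname)
            zi.external_attr = HIDDEN_ATTR if hidden else 0  # set the DOS hidden attribute
            zf.writestr(zi, data)
    return buf.getvalue()

if __name__ == "__main__":
    print(analyze_zip(build_sample_zip()))
```

The hidden-attribute check only applies to archives written on Windows, where the DOS attribute byte is populated; archives built elsewhere need a different signal for that trait.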

A researcher explained that the script collects only information about the computer on which it was launched (its IP address and a list of files in selected folders) and then sends that data to the command-and-control server.

In addition, the researcher suspects that the attackers have pre-selected the victims’ computers so that they would receive a different set of endpoint scripts.

APT28's involvement in these attacks is plausible because the tactics and infrastructure are identical to those used in another highly targeted campaign, in which its operators used Israel-Hamas war lures to infect the devices of officials from 13 countries, including United Nations Human Rights Council members, with the Headlace backdoor.

Since the group emerged in the mid-2000s, these Russian state-sponsored hackers have carried out numerous high-profile cyberattacks and have been linked to the GRU's Military Unit. Experts therefore expect such attacks to increase as tensions rise in different parts of the globe.
