BlueBravo, a Russian state-sponsored threat group, is using the GraphicalProton backdoor to target Eastern European diplomatic entities. According to reports, the phishing campaign relies on a legitimate internet service to obfuscate its command-and-control (C2) traffic, and researchers said they observed the campaign between March and May.
In addition, threat analysts claimed that the GraphicalProton malware is the latest addition to the list of backdoor strains that target diplomatic organisations. One of the first malware strains that targeted European diplomats is GraphicalNeutrino, also known as QUARTERRIG, HALFRIG, and SNOWYAMBER.
GraphicalProton uses other platforms for its command-and-control.
The GraphicalProton backdoor utilises OneDrive or Dropbox for communication, unlike GraphicalNeutrino, which uses Notion for its C2.
This detail indicates that the BlueBravo operators are diversifying their arsenal while expanding their operations to infect more organisations whose compromise could give Russia a strategic advantage.
Additionally, BlueBravo has prioritised cyber espionage campaigns against European government entities since the Russian government is still in a geopolitical conflict with Ukraine.
Threat analysts explained that GraphicalProton, like GraphicalNeutrino, is a loader delivered inside a ZIP or ISO archive. The threat operators typically spread the malware through phishing emails carrying vehicle-themed lures.
Furthermore, the threat actors’ ISO archives contain [.]LNK files posing as [.]PNG images of a BMW car, a lure that overlaps with another cybercriminal campaign uncovered earlier this month that deployed a malware strain.
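The shortcut-disguised-as-image lure described above can be spotted by checking the contents of an extracted archive for files whose name claims to be an image but whose bytes are a Windows shortcut. The following is an added example written for this article, not code from the report or from any of the researchers; the file set is constructed, and the image suffix list is an assumption.

```python
"""
Added example (not from the original report): flag Windows shortcut (.lnk)
files that masquerade as images inside an extracted archive. Detection uses
both the file name (a double extension such as ".png.lnk") and the LNK header
magic, so a shortcut that was simply renamed is still caught.
"""
from pathlib import PurePosixPath

# Windows shortcut header: HeaderSize 0x4C followed by the LNK CLSID
# {00021401-0000-0000-C000-000000000046} in its little-endian on-disk layout.
LNK_MAGIC = bytes.fromhex("4C000000" "01140200" "00000000" "C0000000" "00000046")
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
# Assumed set of image suffixes a lure might borrow.
IMAGE_SUFFIXES = {".png", ".jpg", ".jpeg", ".gif", ".bmp"}


def is_lnk(data: bytes) -> bool:
    """True when the content begins with the Windows shortcut header."""
    return data[: len(LNK_MAGIC)] == LNK_MAGIC


def claims_to_be_image(name: str) -> bool:
    """True when any suffix in the name suggests an image, e.g. 'car.png.lnk' or 'car.png'."""
    suffixes = {s.lower() for s in PurePosixPath(name).suffixes}
    return bool(suffixes & IMAGE_SUFFIXES)


def find_masquerading_lnks(files: dict) -> list:
    """Return the names of files that are shortcuts by content but images by name."""
    return sorted(
        name for name, data in files.items() if is_lnk(data) and claims_to_be_image(name)
    )


# Constructed contents of an extracted archive (payload bytes are stand-ins).
SAMPLE_FILES = {
    "BMW_offer.png.lnk": LNK_MAGIC + b"\x00" * 32,  # double extension, shortcut body
    "photo.png": LNK_MAGIC + b"\x00" * 32,          # shortcut renamed to look like a PNG
    "real_photo.png": PNG_MAGIC + b"\x00" * 32,     # genuine PNG header, not flagged
    "readme.lnk": LNK_MAGIC + b"\x00" * 32,         # shortcut that does not claim to be an image
}

if __name__ == "__main__":
    for name in find_masquerading_lnks(SAMPLE_FILES):
        print("suspicious shortcut disguised as image:", name)
```

Checking the header rather than only the extension matters because Explorer hides the `.lnk` suffix of shortcuts by default, so the name a user sees is exactly the image name the lure wants them to see.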
The backdoor uses OneDrive as its command-and-control server, constantly polling a folder in the storage service to retrieve additional payloads.
Researchers said network defenders should be aware of the potential misuse of such services within their enterprise and able to spot instances where an actor uses similar techniques to exfiltrate data.
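One way defenders can surface the polling behaviour described above is to look for regular, machine-like request intervals to storage-service API hosts from processes that are not a browser or the vendor's own sync client. The following is an added example written for this article, not code from the report or the researchers; the proxy-log format, the host watchlist, the expected-client list and the thresholds are all assumptions, and the log lines are constructed.

```python
"""
Added example (not from the original report): flag hosts that poll cloud
storage APIs at a steady interval from an unexpected process. Input is a
constructed proxy log; field layout, watchlist and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Assumed watchlist of legitimate storage-service API hosts that a backdoor
# could repurpose for command-and-control.
STORAGE_API_HOSTS = {
    "api.onedrive.com",
    "graph.microsoft.com",
    "api.dropboxapi.com",
    "content.dropboxapi.com",
    "api.notion.com",
}

# Assumed set of processes expected to talk to those hosts; anything else is suspect.
EXPECTED_CLIENTS = {"onedrive.exe", "dropbox.exe", "msedge.exe", "chrome.exe", "firefox.exe"}

# Constructed sample log, one request per line: "<ISO timestamp> <host> <process> <destination>"
SAMPLE_LOG = """\
2023-05-02T09:00:00 WS-17 onedrive.exe graph.microsoft.com
2023-05-02T09:00:05 WS-17 notes.exe api.onedrive.com
2023-05-02T09:01:05 WS-17 notes.exe api.onedrive.com
2023-05-02T09:02:04 WS-17 notes.exe api.onedrive.com
2023-05-02T09:03:06 WS-17 notes.exe api.onedrive.com
2023-05-02T09:04:05 WS-17 notes.exe api.onedrive.com
2023-05-02T09:00:40 WS-22 chrome.exe content.dropboxapi.com
2023-05-02T09:17:02 WS-22 chrome.exe content.dropboxapi.com
2023-05-02T09:03:00 WS-31 onedrive.exe graph.microsoft.com
2023-05-02T09:33:00 WS-31 onedrive.exe graph.microsoft.com
"""


def parse_log(text: str):
    """Yield (timestamp, host, process, destination) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, host, proc, dest = parts
        try:
            yield datetime.fromisoformat(ts), host, proc.lower(), dest.lower()
        except ValueError:
            continue


def find_storage_beacons(text: str, min_requests: int = 4, max_jitter: float = 0.2) -> list:
    """
    Group requests to watchlisted hosts by (host, process, destination), ignore
    expected clients, and flag series whose inter-request gaps are regular:
    coefficient of variation (stdev / mean) at or below max_jitter.
    """
    series = defaultdict(list)
    for ts, host, proc, dest in parse_log(text):
        if dest in STORAGE_API_HOSTS and proc not in EXPECTED_CLIENTS:
            series[(host, proc, dest)].append(ts)

    alerts = []
    for (host, proc, dest), stamps in series.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            alerts.append({
                "host": host,
                "process": proc,
                "destination": dest,
                "requests": len(stamps),
                "interval_s": round(avg, 1),
            })
    return alerts


if __name__ == "__main__":
    for alert in find_storage_beacons(SAMPLE_LOG):
        print("possible storage-service beacon:", alert)
```

In the sample, only WS-17's `notes.exe` is flagged: it hits the OneDrive API roughly once a minute with very little jitter, while the sync client and browser traffic is either from an expected process or too sparse and irregular to look like polling. In a real deployment the interval threshold and the watchlist would be tuned to the environment, and a hit is a lead for triage rather than a verdict.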
Organisations and users should be wary of phishing emails advertising dubious services and products that seem too good to be true, so as to avoid infection. The Ukrainian cybersecurity team expects these campaigns to grow as the war with Russia continues.