Russian APT Hackers Used COVID-19 Lures to Target European Diplomats
The Russia-linked threat actor known as APT29 targeted European diplomatic missions and Ministries of Foreign Affairs as part of a series of spear-phishing campaigns mounted in October and November 2021.
The spear-phishing attacks commenced with a COVID-19-themed phishing email impersonating the Iranian Ministry of Foreign Affairs and containing an HTML attachment that, when opened, prompts the recipients to open or save what appears to be an ISO disk image file.
Should the victim opt to open or download the file, "a small piece of JavaScript decodes the ISO file, which is embedded directly in the HTML attachment." The disk image file, in turn, includes an HTML application that's executed using mshta.
ESET also characterized APT29's reliance on HTML attachments and ISO disk images as an evasion technique designed specifically to bypass Mark of the Web (MotW) protections, a security feature Microsoft introduced to record the origin of a downloaded file.
"An ISO disk image doesn't propagate the so-called Mark of the Web to the files inside the disk image," the researchers said.
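As an added illustration (not code from the article or from ESET), the following Python heuristic scans an HTML attachment for a base64 blob that decodes to an ISO 9660 image, the HTML-smuggling pattern described above; the sample HTML and the image-shaped byte string it embeds are constructed for the demonstration.

```python
import base64
import re

# An ISO 9660 image places its Primary Volume Descriptor at byte 0x8000; the
# "CD001" standard identifier follows the 1-byte descriptor type at 0x8001.
ISO_SIG_OFFSET = 0x8001
ISO_SIG = b"CD001"

# A run of base64 text long enough to plausibly carry a whole file. Real
# attachments often wrap or chunk the string, so whitespace is collapsed first.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{4096,}={0,2}")


def find_smuggled_isos(html: bytes) -> list:
    """Return the decoded size of every base64 blob in `html` that looks like an ISO 9660 image."""
    compact = re.sub(rb"\s+", b"", html)
    sizes = []
    for match in B64_RUN.finditer(compact):
        try:
            blob = base64.b64decode(match.group(0), validate=True)
        except ValueError:  # bad alphabet or padding: not a clean base64 payload
            continue
        if len(blob) > ISO_SIG_OFFSET + len(ISO_SIG) and \
                blob[ISO_SIG_OFFSET:ISO_SIG_OFFSET + len(ISO_SIG)] == ISO_SIG:
            sizes.append(len(blob))
    return sizes


def build_sample() -> bytes:
    """Constructed test input: a minimal ISO-shaped byte string (not a usable disk
    image) embedded in a script variable, the way the article describes."""
    fake_iso = b"\x00" * 0x8000 + b"\x01" + ISO_SIG + b"\x01" + b"\x00" * 0x7F9
    payload = base64.b64encode(fake_iso)
    return b'<html><script>var b="' + payload + b'";</script></html>'


if __name__ == "__main__":
    print("smuggled ISO sizes:", find_smuggled_isos(build_sample()))
    print("benign page:", find_smuggled_isos(b"<html><p>hello</p></html>"))
```

The signature check is deliberately narrow; a mail gateway would pair it with inspection of files extracted from any flagged image, since, as the researchers note, those files arrive without a Mark of the Web.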
News URL
https://thehackernews.com/2022/02/russian-apt-hackers-used-covid-19-lures.html
Related news
- Russian hackers deliver malicious RDP configuration files to thousands (source)
- Russian Hackers Exploit New NTLM Flaw to Deploy RAT Malware via Phishing Emails (source)
- Russian Hackers Deploy HATVIBE and CHERRYSPY Malware Across Europe and Asia (source)
- Faraway Russian hackers breached US organization via Wi-Fi (source)
- Firefox and Windows zero-days exploited by Russian RomCom hackers (source)
- APT-C-60 Hackers Exploit StatCounter and Bitbucket in SpyGlace Malware Campaign (source)
- Wanted Russian Hacker Linked to Hive and LockBit Ransomware Arrested (source)
- North Korean Kimsuky Hackers Use Russian Email Addresses for Credential Theft Attacks (source)
- Russian hackers hijack Pakistani hackers' servers for their own attacks (source)