
BlueBravo Deploys GraphicalProton Backdoor Against European Diplomatic Entities
2023-07-28 08:54

The Russian nation-state actor known as BlueBravo has been observed targeting diplomatic entities throughout Eastern Europe with the goal of delivering a new backdoor called GraphicalProton, a further sign that the group keeps evolving its tooling.

The phishing campaign is characterized by the use of legitimate internet services for command-and-control obfuscation, Recorded Future said in a new report published Thursday.

BlueBravo, also known by the names APT29, Cloaked Ursa, and Midnight Blizzard, is attributed to Russia's Foreign Intelligence Service, and has in the past used Dropbox, Firebase, Google Drive, Notion, and Trello to evade detection and stealthily establish communications with infected hosts.

GraphicalProton is the latest addition to a long list of malware aimed at diplomatic organizations, following GraphicalNeutrino, HALFRIG, and QUARTERRIG. "Unlike GraphicalNeutrino, which used Notion for C2, GraphicalProton uses Microsoft's OneDrive or Dropbox for communication," the cybersecurity firm said.

This marks an attempt by BlueBravo operators not only to diversify their tooling but also to widen the set of legitimate services they abuse when targeting organizations of strategic interest to Russia.

"BlueBravo appears to prioritize cyber espionage efforts against European government sector entities, possibly due to the Russian government's interest in strategic data during and after the war in Ukraine."
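Because the backdoor's traffic goes to Dropbox and OneDrive endpoints that many organizations legitimately use, blocking those domains is rarely an option; the practical check is whether the process generating the traffic is one you expect. The following sketch is an added example, not code from the report or the malware: it parses constructed proxy/EDR log lines (the format, the host and process names, and the per-process allowlist are all assumptions for illustration) and flags non-allowlisted processes that repeatedly reach cloud-storage API domains. The domain list is illustrative, not an indicator set from the campaign.

```python
"""Added detection example (hypothetical; not from the Recorded Future report).

Flags processes that repeatedly contact Dropbox / OneDrive API endpoints when they
are not one of the sync or Office clients expected to do so on a managed workstation.
Log format, process names and allowlist are all constructed for illustration.
"""
import re
from collections import defaultdict

# Illustrative API domains used by Dropbox and OneDrive clients/SDKs (not exhaustive).
CLOUD_STORAGE_DOMAINS = {
    "api.dropboxapi.com": "dropbox",
    "content.dropboxapi.com": "dropbox",
    "graph.microsoft.com": "onedrive",
    "api.onedrive.com": "onedrive",
}

# Assumed baseline: image names that are allowed to talk to each service.
# In practice this should be derived from your own fleet's telemetry.
EXPECTED_CLIENTS = {
    "dropbox": {"dropbox.exe", "dropboxupdate.exe"},
    "onedrive": {"onedrive.exe", "outlook.exe", "teams.exe", "msedge.exe", "chrome.exe"},
}

# Constructed log line format: "<ts> host=<host> proc=<image> dst=<fqdn> bytes_out=<n>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) proc=(?P<proc>\S+) dst=(?P<dst>\S+) bytes_out=(?P<out>\d+)$"
)


def parse_line(line):
    """Parse one constructed log line; return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["out"] = int(rec["out"])
    return rec


def find_suspects(lines, beacon_threshold=3):
    """Return {(host, proc, dst): hit_count} for non-allowlisted processes that
    reached a cloud-storage API domain at least `beacon_threshold` times.

    Single hits are ignored to reduce noise from one-off downloads; repeated
    contact from an unexpected image is the beaconing pattern worth triaging.
    """
    counts = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed line: skip rather than crash the pipeline
        dst = rec["dst"].lower()
        service = CLOUD_STORAGE_DOMAINS.get(dst)
        if service is None:
            continue  # not a cloud-storage API endpoint
        proc = rec["proc"].lower()
        if proc in EXPECTED_CLIENTS[service]:
            continue  # expected client for this service
        counts[(rec["host"], proc, dst)] += 1
    return {key: n for key, n in counts.items() if n >= beacon_threshold}


# Constructed sample telemetry: ws01 is benign OneDrive sync traffic; ws02 shows an
# unexpected image ("updater.exe", a made-up name) beaconing to the Dropbox API;
# ws03 is a single PowerShell hit that stays under the threshold.
SAMPLE_LOGS = [
    "2023-07-27T08:00:01Z host=ws01 proc=OneDrive.exe dst=graph.microsoft.com bytes_out=1200",
    "2023-07-27T08:05:01Z host=ws01 proc=OneDrive.exe dst=graph.microsoft.com bytes_out=980",
    "2023-07-27T08:10:01Z host=ws01 proc=OneDrive.exe dst=graph.microsoft.com bytes_out=1010",
    "2023-07-27T08:00:07Z host=ws02 proc=updater.exe dst=api.dropboxapi.com bytes_out=310",
    "2023-07-27T08:10:07Z host=ws02 proc=updater.exe dst=api.dropboxapi.com bytes_out=305",
    "2023-07-27T08:20:07Z host=ws02 proc=updater.exe dst=api.dropboxapi.com bytes_out=312",
    "2023-07-27T08:30:07Z host=ws02 proc=updater.exe dst=api.dropboxapi.com bytes_out=308",
    "2023-07-27T08:31:00Z host=ws02 proc=updater.exe dst=content.dropboxapi.com bytes_out=4100",
    "2023-07-27T09:00:00Z host=ws03 proc=powershell.exe dst=graph.microsoft.com bytes_out=600",
    "this line is deliberately malformed and must be skipped",
]

if __name__ == "__main__":
    for (host, proc, dst), n in sorted(find_suspects(SAMPLE_LOGS).items()):
        print(f"SUSPECT host={host} proc={proc} dst={dst} hits={n}")
```

Run against the constructed sample, only the `ws02` / `updater.exe` / `api.dropboxapi.com` tuple is reported (four hits); the single `content.dropboxapi.com` upload and the one PowerShell request fall under the threshold, so a real deployment would pair this with a lower-threshold alert for scripting hosts and a review of the baseline allowlist rather than relying on the count alone.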


News URL

https://thehackernews.com/2023/07/bluebravo-deploys-graphicalproton.html