Fighting Ursa Luring Targets With Car for Sale
Aug. 5, 2024, 8:34 a.m.
Description
This analysis examines a campaign attributed to the Russian threat actor Fighting Ursa, also known as APT28, Fancy Bear, and Sofacy. The group utilized a phishing lure disguised as an advertisement for a car sale to distribute the HeadLace backdoor malware, likely targeting diplomats. The lure exploited legitimate services like Webhook.site and ImgBB to host various components of the attack chain. The malware employed multi-stage loading tactics, executing a malicious DLL through a batch script to retrieve additional payloads. The campaign aligns with Fighting Ursa's known tactics, techniques, and procedures, demonstrating the group's continued reliance on repurposing successful tactics and abusing free services.
Tags
Date
- Created: Aug. 5, 2024, 8:30 a.m.
- Published: Aug. 5, 2024, 8:30 a.m.
- Modified: Aug. 5, 2024, 8:34 a.m.
Indicators