Fighting Ursa Luring Targets With Car for Sale
Aug. 5, 2024, 8:34 a.m.
Description
This analysis examines a campaign attributed to the Russian threat actor Fighting Ursa, also known as APT28, Fancy Bear, and Sofacy. The group used a phishing lure disguised as a car-for-sale advertisement to deliver the HeadLace backdoor, likely targeting diplomats. The lure abused legitimate free services, Webhook.site and ImgBB, to host components of the attack chain. The malware used multi-stage loading: a batch script executed a malicious DLL, which in turn retrieved additional payloads. The campaign aligns with Fighting Ursa's known tactics, techniques, and procedures and shows the group's continued reliance on repurposing successful tactics and abusing free services.
Date
Published: Aug. 5, 2024, 8:30 a.m.
Created: Aug. 5, 2024, 8:30 a.m.
Modified: Aug. 5, 2024, 8:34 a.m.
Indicators
dad1a8869c950c2d1d322c8aed3757d3988ef4f06ba230b329c8d510d8d9a027
cda936ecae566ab871e5c0303d8ff98796b1e3661885afd9d4690fc1e945640e
c6a91cba00bf87cdb064c49adaac82255cbec6fdd48fd21f9b3b96abf019916b
a06d74322a8761ec8e6f28d134f2a89c7ba611d920d080a3ccbfac7c3b61e2e7
7c85ff89b535a39d47756dfce4597c239ee16df88badefe8f76051b836a7cbfb
6b96b991e33240e5c2091d092079a440fa1bef9b5aecbf3039bf7c47223bdf96
Attack Patterns
HeadLace
Fighting Ursa
T1107
T1105
T1036
T1204
T1027
T1195
T1566
T1059
CVE-2024-3400