Fighting Ursa Luring Targets With Car for Sale

Aug. 5, 2024, 8:34 a.m.

Description

This analysis examines a campaign attributed to the Russian threat actor Fighting Ursa, also known as APT28, Fancy Bear, and Sofacy. The group used a phishing lure disguised as a car-sale advertisement to distribute the HeadLace backdoor malware, likely targeting diplomats. The lure abused legitimate services such as Webhook.site and ImgBB to host various components of the attack chain. The malware used multi-stage loading, executing a malicious DLL through a batch script that retrieved additional payloads. The campaign aligns with Fighting Ursa's known tactics, techniques, and procedures, demonstrating the group's continued reliance on repurposing successful tactics and abusing free services.

Date

Published: Aug. 5, 2024, 8:30 a.m.
Created: Aug. 5, 2024, 8:30 a.m.
Modified: Aug. 5, 2024, 8:34 a.m.

Indicators


Attack Patterns

HeadLace

Fighting Ursa

T1107

T1105

T1036

T1204

T1027

T1195

T1566

T1059

CVE-2024-3400