Sophisticated Malware Campaign Targets Czech Officials Using NATO-Themed Decoys

Aug. 28, 2024, 9:35 a.m.

Description

Seqrite Labs APT-Team discovered a sophisticated malware campaign targeting government and military officials in the Czech Republic. The campaign leveraged NATO-themed decoy documents to lure victims and employed a multistage attack chain involving a malicious batch script, a Rust-based loader, and the Havoc post-exploitation framework. The campaign utilized advanced techniques like ETW patching, process injection, and encrypted payloads to evade detection and establish persistence on compromised systems. The threat actor behind the operation appears to have Russian origins and used open-source offensive tools extensively.

Date

Published: Aug. 28, 2024, 9:27 a.m.
Created: Aug. 28, 2024, 9:27 a.m.
Modified: Aug. 28, 2024, 9:35 a.m.

Indicators

SHA-256 file hashes:
fda71a7de6d473826465bb83210107501e66a5d96e533772444b3b24806286fd
ed6775184051ef36c3049e24167471ab42bd4301e99631c8423d4d753cdad455
b29ed89e0428ba476459adabb5630c8d29f7fee5905c5de10d792fe3a02e52a6
ace33243994a9da0797601bdd4191e25967a1da2644f0d0b530e26c71854d5d9
a05d053174b52a9b158a5ec841c1a7633b9368c4ac2da371a11a9364f8a8dc60
9549d3d2b8e8b4e8f163a8b9fa3b02b8a28d78e4b583baccb6210ef267559c6e
8820e0c249305ffa3d38e72a7f27c0e2195bc739d08f5d270884be6237eea500
6e0d12cd0252599fd1dec7aa460cae7a12a1b2e322b6664e64c773c23627d1b4
436994d4a5c8d54acb2b521d0847d77e6af6c2c0e40468248b1dd019c6dafa84
38da8d1576bdd0a03e649e8e6543594b35a423aa5b0a0c4081fc477c8e487e09
1dbcade04333b9dc81ba0746bc604d12489da49b9b65fcb5b1f61d139dc5949c

IPv4 address:
206.188.197.113

URL:
https://206.188.197.113/

Attack Patterns

Tools:
Freeze
Havoc

MITRE ATT&CK techniques:
T1562.006 (Impair Defenses: Indicator Blocking)
T1059.005 (Command and Scripting Interpreter: Visual Basic)
T1055.002 (Process Injection: Portable Executable Injection)
T1547.001 (Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder)
T1562.001 (Impair Defenses: Disable or Modify Tools)
T1204.002 (User Execution: Malicious File)
T1566.001 (Phishing: Spearphishing Attachment)
T1055 (Process Injection)
T1140 (Deobfuscate/Decode Files or Information)
T1033 (System Owner/User Discovery)