Three cybersecurity researchers have uncovered a large hacking operation targeting diplomatic embassies. A group of Russian hackers poses as embassy staff in order to trick its victims into opening a malicious email attachment. Once the attachment is opened, malware infects the PC and steals a large amount of confidential data.
In recent years, the Russian hacking scene has attracted a great deal of attention. Hackers from the country are today among the most dangerous in the world, and do not hesitate to attack government bodies with operations that sometimes have serious consequences. Since the start of the war in Ukraine they have shown what they are capable of, breaking into power plants and even taking control of soldiers' Facebook accounts.
Today, a new operation was disclosed by three cybersecurity researchers from the company Mandiant. The group behind it is tracked as APT29, which is notable for enjoying the unofficial backing of the Russian government; in other words, its targets are chosen according to Russia's political interests. This is why APT29 is now attacking embassies.
Russian phishing campaign targets embassies and diplomats
The first traces of the campaign date back to January 2022, and Mandiant says it continued at least until March of this year in several successive waves. To begin with, the hackers took over email accounts belonging to embassies, whose addresses are published on the embassies' official websites. Sending from those accounts ensured their messages would not arouse suspicion in the recipients.
They then targeted other diplomats and embassy employees with emails claiming to announce a change in administrative procedures, in order to catch their attention. The email carries an attachment that appears to be an image or an ISO file. In reality it contains an LNK file, i.e. a Windows shortcut, camouflaged with a misleading file extension and a fake icon so that it looks like an ordinary document.
When the LNK file is opened, it executes a malicious DLL. That DLL runs BEATDROP, a downloader that lives only in the computer's memory and uses the online collaboration tool Trello, very popular within companies, as its command-and-control channel; BEATDROP in turn downloads and launches BOOMMIC. Once again, relying on a widely used legitimate service lets the hackers go unnoticed. It also allows them to collect further email addresses of the targeted diplomats' colleagues.
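As an added example (this is not code from the article or from Mandiant), the following Python script parses a Windows shortcut's ShellLinkHeader and StringData sections according to the MS-SHLLINK layout and applies simple triage rules for the lure pattern just described: a document-like double extension, an icon that does not match the real target, and a target that hands a DLL to a system binary such as rundll32. The sample shortcut it builds is constructed for the demonstration; the file name "Embassy_notice.pdf.lnk", the DLL name "loader.dll" and the watch-lists are assumptions, not indicators from the campaign.

```python
"""Triage Windows shortcut (.lnk) files for a shortcut that hides behind a
document-like name and icon but actually launches a system binary with a DLL
argument.  Layout follows MS-SHLLINK; no third-party modules are needed."""
import struct

# LinkFlags bits (MS-SHLLINK section 2.1.1)
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
# StringData sections appear in this fixed order when their flag is set
STRING_FIELDS = (("name", HAS_NAME), ("relative_path", HAS_RELATIVE_PATH),
                 ("working_dir", HAS_WORKING_DIR), ("arguments", HAS_ARGUMENTS),
                 ("icon_location", HAS_ICON_LOCATION))
# Hypothetical watch-lists for the triage rules; tune them to your environment
LOLBINS = ("rundll32", "regsvr32", "mshta", "cmd.exe", "powershell", "wscript", "cscript")
DOC_EXTS = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png", ".txt")


def parse_lnk(data: bytes) -> dict:
    """Validate the header, skip IDList/LinkInfo, and return the StringData fields."""
    if (len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE
            or data[4:20] != LNK_CLSID):
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:       # IDListSize (2 bytes) followed by the IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                 # LinkInfoSize includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {"flags": flags}
    for name, bit in STRING_FIELDS:
        fields[name] = ""
        if flags & bit:                       # CountCharacters (2 bytes) then the characters
            count = struct.unpack_from("<H", data, pos)[0]
            pos += 2
            width = 2 if flags & IS_UNICODE else 1
            raw = data[pos:pos + count * width]
            fields[name] = raw.decode("utf-16-le" if width == 2 else "cp1252")
            pos += count * width
    return fields


def triage_lnk(filename: str, data: bytes) -> list:
    """Return human-readable findings for one shortcut; an empty list means nothing suspicious."""
    info = parse_lnk(data)
    lower = filename.lower()
    stem = lower[:-4] if lower.endswith(".lnk") else lower
    findings = []
    for ext in DOC_EXTS:                      # Embassy_notice.pdf.lnk shows as "Embassy_notice.pdf"
        if stem.endswith(ext):
            findings.append(f"double extension: shortcut is disguised as a {ext[1:]} file")
            break
    launch = f"{info['relative_path']} {info['arguments']}".strip()
    lolbin = next((b for b in LOLBINS if b in launch.lower()), None)
    if lolbin:
        findings.append(f"launches {lolbin}: {launch}")
        icon = info["icon_location"]
        if icon and lolbin not in icon.lower():   # icon borrowed from an unrelated binary
            findings.append(f"icon spoof: {lolbin} target shown with icon from {icon}")
    if ".dll" in info["arguments"].lower():
        findings.append(f"arguments load a DLL: {info['arguments']}")
    return findings


def build_lnk(relative_path: str, arguments: str, icon_location: str, working_dir: str = "") -> bytes:
    """Constructed sample only: emit a minimal Unicode .lnk that carries just StringData."""
    values = {"relative_path": relative_path, "working_dir": working_dir,
              "arguments": arguments, "icon_location": icon_location}
    flags = IS_UNICODE
    body = b""
    for name, bit in STRING_FIELDS:
        val = values.get(name, "")
        if val:
            flags |= bit
            body += struct.pack("<H", len(val)) + val.encode("utf-16-le")
    header = struct.pack("<I16sI", HEADER_SIZE, LNK_CLSID, flags).ljust(HEADER_SIZE, b"\0")
    return header + body


if __name__ == "__main__":
    # Constructed lure modelled on the chain above: document-style name and icon, rundll32 target
    lure = build_lnk(r"..\..\..\Windows\System32\rundll32.exe", "loader.dll,Start",
                     r"%SystemRoot%\System32\imageres.dll")
    for line in triage_lnk("Embassy_notice.pdf.lnk", lure):
        print(line)
```

Real shortcuts usually also carry a LinkTargetIDList and LinkInfo block; the parser skips over both using their size fields, so the same triage runs unchanged on files extracted from a mounted ISO. Pair these rules with a check on the ISO itself (a disc image that contains only one shortcut is a strong signal on its own).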
Embassies have their network infiltrated and their confidential data stolen
Once BOOMMIC is running, it performs a range of tasks: capturing keystrokes, taking screenshots and setting up a proxy server, as well as more serious actions such as exfiltrating account credentials and scanning ports. Finally, the malware can modify the Windows Registry in order to download further malicious code and tools.
In under 12 hours, the APT29 operators obtain the highest level of privileges on the embassy network, which among other things lets them write out files containing Kerberos tickets. From then on they can scan the whole network for further victims and email addresses to which to send BOOMMIC.
"Analysis of SharedReality.dll has identified that it is a memory-only dropper written in the Go language that decrypts and executes an embedded BEACON payload. The BEACON payload was identified as SMB BEACON which communicates through the Named Pipe of SharedReality.dll," Mandiant said in its press release.