Russia’s ‘Fighting Ursa’ APT Uses Car Ads to Install HeadLace Malware

August 5, 2024 at 07:47AM

Fighting Ursa, a prolific Russian cyber threat group, is targeting diplomats with a used car sale phishing scheme, distributing HeadLace backdoor malware. The attack, which involves disguising executables as image files, aims to establish persistent access for data theft and surveillance. The group has a history of high-profile cyber offensives and has targeted Ukrainian government bodies using various tactics.

Key takeaways:

– The threat actor known as Fighting Ursa is targeting diplomats using a used car sale phishing scheme that distributes HeadLace backdoor malware.
– They are using a .ZIP file containing car images that are actually executables with hidden .EXE extensions to deceive targets. The lure also includes a Romanian phone number and contact at the Southeast European Law Enforcement Center for credibility.
– Fighting Ursa has been associated with other Russian threat actors, and they frequently rely on freely available services for their infrastructure.
– The attack chain involves hosting a malicious HTML page using the legitimate service “webhook,” and then delivering the HeadLace backdoor through a series of steps involving a Windows calculator executable, a malicious DLL, and a batch script.
– The group has a history of high-profile cyber offensives, including US election interference, the NotPetya attacks, the Olympic Destroyer effort, attacks targeting Ukrainian government bodies and energy infrastructure, and exploitation of the CVE-2022-30190 and CVE-2022-38028 flaws.
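
A defender-side check for the lure format described in the takeaways above (files in a .ZIP that are named like car images but are really executables), added here as an example and not taken from the original article or any vendor tooling. The file names, extension lists and sample archive are constructed assumptions.

```python
import io
import zipfile

# Assumed extension lists for this example; tune them for your environment.
IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".bmp", ".webp"}
EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".dll"}


def _ext_chain(name):
    """Return the lower-cased extensions of the base name, e.g. ['.jpg', '.exe']."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    return ["." + part.lower() for part in base.split(".")[1:] if part]


def audit_zip(data):
    """Return {member_name: [reasons]} for entries that masquerade as images."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            exts = _ext_chain(info.filename)
            last = exts[-1] if exts else ""
            with zf.open(info) as fh:
                is_pe = fh.read(2) == b"MZ"  # DOS/PE header magic
            reasons = []
            # Windows hides known extensions by default, so "x.jpg.exe" shows as "x.jpg".
            if last in EXEC_EXTS and any(e in IMAGE_EXTS for e in exts[:-1]):
                reasons.append("image extension followed by executable extension")
            # Content check: an image name should never start with a PE header.
            if is_pe and last in IMAGE_EXTS:
                reasons.append("PE header in a file named as an image")
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_zip():
    """Constructed test archive: placeholder bytes only, no real malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("car_photo_01.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16)
        zf.writestr("car_photo_02.jpg.exe", b"MZ" + b"\x00" * 16)
        zf.writestr("car_photo_04.png", b"MZ" + b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    for name, reasons in audit_zip(build_sample_zip()).items():
        print(name, "->", "; ".join(reasons))
```

A check like this fits at a mail gateway or download-inspection step, before the archive reaches a user's desktop where the real extension is not displayed.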
