Sophisticated Threat Actor Targets Governments, Defense Industry in Western Asia
High-ranking government officials and individuals in the defense industry in Western Asia were targeted in a sophisticated campaign that involved the use of Graphite malware, according to XDR firm Trellix, which resulted from the merger between McAfee Enterprise and FireEye.
The campaign was carried out between October and November last year and split into multiple stages to evade detection. The infection chain started with an Excel downloader exploiting an MSHTML bug (CVE-2021-40444) to execute code in memory and continued with a piece of malware called Graphite.
Based on several attack indicators and apparent geopolitical objectives, the cyberespionage campaign appears to be the work of Russian threat actor APT28, but Trellix researchers attribute it only with low to moderate confidence.
A server set up in July 2021 was used for command and control (C&C) functions in these attacks. The employed Graphite malware uses OneDrive as a C&C server and leverages Microsoft’s Graph API to connect to it.
As part of the analyzed attacks, an Excel file that was likely delivered to the victim over email was used to exploit a remote code execution vulnerability in MSHTML to run a malicious DLL file that fetched and executed the Graphite malware (which appears to be based on the OneDrive Empire Stager).
“It is very likely that the developers of Graphite used the Empire OneDrive Stager as a reference due to the similarities of the functionality and the file structure used in the OneDrive account of the actors,” Trellix says.
At the fourth stage of the attack, different Empire stagers were executed to download an Empire agent on the victim’s machine. The fifth stage of the attack was an Empire PowerShell C# stager, followed by an Empire HTTP PowerShell stager.
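Two of the behaviours in the chain described above are visible in ordinary endpoint telemetry: an Office application spawning a child process it normally never starts (the Excel-to-MSHTML-to-DLL stage), and a process other than the usual Microsoft clients contacting the Microsoft Graph API (the OneDrive-based C&C stage). The following is an added example, not code from the Trellix report or the article, of a detection pass over constructed endpoint events. The JSON event format, the process names, and the allowlists are assumptions made for the example and are not indicators from the campaign.

```python
"""
Added example: flag (1) unexpected child processes of Office applications
and (2) Microsoft Graph API connections from processes that are not the
expected clients. Event format, process names and allowlists are assumed
for this example and are not indicators taken from the campaign.
"""
import json

# Office applications whose child processes deserve scrutiny (assumed list).
OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
# Children Office apps legitimately spawn; tune to the environment (assumed).
BENIGN_OFFICE_CHILDREN = {"splwow64.exe", "werfault.exe", "excel.exe", "winword.exe"}
# Hostnames that belong to the Graph API.
GRAPH_HOSTS = {"graph.microsoft.com"}
# Processes expected to talk to the Graph API directly (assumed allowlist).
GRAPH_ALLOWED_PROCESSES = {"onedrive.exe", "teams.exe", "outlook.exe",
                           "msedge.exe", "chrome.exe", "firefox.exe"}


def basename(path):
    """Return the lower-cased file name from a Windows-style image path."""
    return path.lower().replace("/", "\\").rsplit("\\", 1)[-1]


def check_process_event(ev):
    """Rule 1: an Office process started a child outside the benign list."""
    parent = basename(ev.get("parent_image", ""))
    child = basename(ev.get("image", ""))
    if parent in OFFICE_PARENTS and child not in BENIGN_OFFICE_CHILDREN:
        return {"rule": "office_suspicious_child", "host": ev.get("host"),
                "parent": parent, "child": child}
    return None


def check_network_event(ev):
    """Rule 2: a non-allowlisted process connected to the Graph API."""
    dest = ev.get("dest_host", "").lower()
    image = basename(ev.get("image", ""))
    if dest in GRAPH_HOSTS and image not in GRAPH_ALLOWED_PROCESSES:
        return {"rule": "graph_api_from_unexpected_process",
                "host": ev.get("host"), "process": image, "dest": dest}
    return None


def scan(lines):
    """Run both rules over JSON event lines and return the alerts in order."""
    alerts = []
    for line in lines:
        ev = json.loads(line)
        if ev.get("type") == "process_create":
            alert = check_process_event(ev)
        elif ev.get("type") == "network_connect":
            alert = check_network_event(ev)
        else:
            alert = None
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample telemetry: two benign events, one hit for each rule.
SAMPLE_EVENTS = [
    {"type": "process_create", "host": "ws01",
     "parent_image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE",
     "image": "C:\\Windows\\System32\\rundll32.exe"},
    {"type": "process_create", "host": "ws01",
     "parent_image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE",
     "image": "C:\\Windows\\splwow64.exe"},
    {"type": "network_connect", "host": "ws01",
     "image": "C:\\Users\\user\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe",
     "dest_host": "graph.microsoft.com"},
    {"type": "network_connect", "host": "ws01",
     "image": "C:\\Windows\\System32\\rundll32.exe",
     "dest_host": "graph.microsoft.com"},
    {"type": "network_connect", "host": "ws01",
     "image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "dest_host": "example.com"},
]
SAMPLE_LOG = [json.dumps(e) for e in SAMPLE_EVENTS]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(json.dumps(alert))
```

Run as-is, the script prints two alerts: one for `rundll32.exe` started under Excel, one for the same process reaching `graph.microsoft.com`. The second rule is the more durable one for this campaign: the Graph API is legitimate traffic that a proxy will not block, so the useful signal is which process is speaking, not where it is speaking to.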
The attacks targeted government entities and individuals related to the defense industry in Asia, but Trellix believes that Poland and other Eastern European countries might have been targeted as well, although the complete victimology is not yet known.
Based on the analysis of numerous artifacts associated with these attacks, the researchers identified overlaps with older malware samples attributed to APT28, but no hard evidence was found to strongly attribute the campaign to this threat actor.
Also tracked as Fancy Bear, Pawn Storm, Sednit, Strontium and Tsar Team, and believed to be a military unit of Russia’s General Staff Main Intelligence Directorate (GRU), APT28 was previously accused of targeting the 2016 presidential elections in the United States and of cyberattacks on NATO countries.
“The actors behind the attack seem very advanced based on the targeting, the malware and the infrastructure used in the operation, so we presume that the main goal of this campaign is espionage. With a low and moderate confidence, we believe this operation was executed by APT28,” Trellix concludes.