Prime Minister’s Office Compromised

Details of Recent Espionage Campaign

Here we bring you an article by Marc Elias, security researcher, originally published on January 25, 2022.

A special thanks to Christiaan Beek, Alexandre Mundo, Leandro Velasco and Max Kersten for malware analysis and support during this investigation.

Executive Summary

The Trellix Advanced Threat Research Team identified a multi-stage espionage campaign targeting high-ranking government officials overseeing national security policy and individuals in the defence industry in Western Asia. As they detail the technical components of this attack, they confirm that they’ve undertaken pre-release disclosure to the victims and provided all necessary content required to remove all known attack components from their environments.

Infection chain

The infection chain starts with the execution of an Excel downloader, most likely sent to the victim via email, which exploits an MSHTML remote code execution vulnerability (CVE-2021-40444) to execute a malicious executable in memory. The attack uses a follow-up piece of malware called Graphite because it uses Microsoft’s Graph API to leverage OneDrive as a command and control server—a technique our team has not seen before. Furthermore, the attack was split into multiple stages to stay as hidden as possible.
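One defensive angle on the OneDrive-as-C2 technique described above is to hunt for Microsoft Graph drive traffic coming from processes that have no business talking to it. The following is an added example, not code from the Trellix write-up: it runs over constructed `process|url` telemetry lines, and the allow-list of expected Graph clients and the log format are assumptions to be tuned per environment.

```python
"""Hunt for Microsoft Graph / OneDrive API calls made by unexpected processes.

Added example with constructed sample telemetry; it is not part of the
Trellix analysis and the log format is an assumption for illustration.
"""
from dataclasses import dataclass
from urllib.parse import urlparse

# Processes that legitimately use Graph drive endpoints (assumption; tune locally).
EXPECTED_GRAPH_CLIENTS = {"onedrive.exe", "outlook.exe", "teams.exe", "msedge.exe"}
GRAPH_HOSTS = {"graph.microsoft.com"}
# Path fragments that indicate file storage access rather than, e.g., mail.
DRIVE_PATH_MARKERS = ("/drive/", "/drives/")


@dataclass
class NetEvent:
    process: str
    url: str


def parse_event(line: str) -> NetEvent:
    """Parse one constructed telemetry line of the form '<process>|<url>'."""
    proc, url = line.strip().split("|", 1)
    return NetEvent(process=proc.lower(), url=url)


def is_suspicious(ev: NetEvent) -> bool:
    """True when a non-allow-listed process touches a Graph drive endpoint."""
    parsed = urlparse(ev.url)
    if parsed.hostname not in GRAPH_HOSTS:
        return False
    if not any(marker in parsed.path for marker in DRIVE_PATH_MARKERS):
        return False
    return ev.process not in EXPECTED_GRAPH_CLIENTS


def hunt(lines):
    """Return the events worth an analyst's attention, in log order."""
    return [ev for ev in map(parse_event, lines) if is_suspicious(ev)]


# Constructed sample telemetry: two benign lines, two that should be flagged.
SAMPLE_LOG = [
    "OneDrive.exe|https://graph.microsoft.com/v1.0/me/drive/root/children",
    "msedge.exe|https://graph.microsoft.com/v1.0/me/messages",
    "powershell.exe|https://graph.microsoft.com/v1.0/me/drive/root:/sync/in.txt:/content",
    "regsvr32.exe|https://graph.microsoft.com/v1.0/drives/b!abc/items/root/children",
]

if __name__ == "__main__":
    for ev in hunt(SAMPLE_LOG):
        print(f"suspicious Graph drive access: {ev.process} -> {ev.url}")
```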

Command and control functions used an Empire server that was prepared in July 2021, and the actual campaign was active from October to November 2021. The blog post below explains the inner workings, victimology, infrastructure and timeline of the attack and, of course, reveals the IOCs and MITRE ATT&CK techniques.

A number of the attack indicators and apparent geopolitical objectives resemble those associated with the previously uncovered threat actor APT28. While we don’t believe in attributing any campaign solely based on such evidence, we have a moderate level of confidence that our assumption is accurate. That said, we are supremely confident that we are dealing with a very skilled actor based on how the infrastructure, malware coding and operation were set up.

For more details of the threat, you can read the article in full on the Trellix website.

If you’d like more information about Trellix solutions and products, please get in touch and we’ll be happy to put you in touch with a specialist.