Here we bring you an article by Marc Elias, security researcher, originally published on January 25, 2022.
A special thanks to Christiaan Beek, Alexandre Mundo, Leandro Velasco and Max Kersten for malware analysis and support during this investigation.
The Trellix Advanced Threat Research Team identified a multi-stage espionage campaign targeting high-ranking government officials overseeing national security policy and individuals in the defence industry in Western Asia. As they detail the technical components of this attack, they confirm that they’ve undertaken pre-release disclosure to the victims and provided all necessary content required to remove all known attack components from their environments.
The infection chain starts with the execution of an Excel downloader, most likely sent to the victim via email, which exploits an MSHTML remote code execution vulnerability (CVE-2021-40444) to execute a malicious executable in memory. The attack uses a follow-up piece of malware called Graphite because it uses Microsoft’s Graph API to leverage OneDrive as a command and control server—a technique our team has not seen before. Furthermore, the attack was split into multiple stages to stay as hidden as possible.
Command and control functions used an Empire server that was prepared in July 2021, and the actual campaign was active from October to November 2021. The below blog will explain the inner workings, victimology, infrastructure and timeline of the attack and, of course, reveal the IOCs and MITRE ATT&CK techniques.
A number of the attack indicators and apparent geopolitical objectives resemble those associated with the previously uncovered threat actor APT28. While we don’t believe in attributing any campaign solely based on such evidence, we have a moderate level of confidence that our assumption is accurate. That said, we are supremely confident that we are dealing with a very skilled actor based on how infrastructure, malware coding and operation were setup.
For more details of the Threat you can read the article in full on the Trellix website.
If you’d like more information about Trellix solutions and products, please get in touch and we’ll be happy to put you in touch with a specialist