Russian Hackers Use Zulip Chat App for Covert C&C in Diplomatic Phishing Attacks
18.8.23 Phishing The Hacker News
An ongoing campaign targeting ministries of foreign affairs of NATO-aligned countries points to the involvement of Russian threat actors.
The phishing attacks feature PDF documents with diplomatic lures, some of which are disguised as coming from Germany, to deliver a variant of a malware called Duke, which has been attributed to APT29 (aka BlueBravo, Cloaked Ursa, Cozy Bear, Iron Hemlock, Midnight Blizzard, and The Dukes).
"The threat actor used Zulip – an open-source chat application – for command-and-control, to evade and hide its activities behind legitimate web traffic," Dutch cybersecurity company EclecticIQ said in an analysis last week.
The infection sequence is as follows: The PDF attachment, named "Farewell to Ambassador of Germany," embeds JavaScript code that initiates a multi-stage process to leave a persistent backdoor on compromised networks.
APT29's use of invitation themes has been previously reported by Lab52, which documented an attack that impersonates the Norwegian embassy to deliver a DLL payload that's capable of contacting a remote server to fetch additional payloads.
The use of the domain "bahamas.gov[.]bs" in both the intrusion sets further solidifies this link. The findings also corroborate prior research from the Anheng Threat Intelligence Center released last month.
Should a potential target succumb to the phishing trap by opening the PDF file, a malicious HTML dropper called Invitation_Farewell_DE_EMB is launched; its JavaScript drops a ZIP archive, which in turn contains an HTML Application (HTA) file designed to deploy the Duke malware.
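The chain described above leaves a recognisable shape inside the PDF itself: an action that fires on open, JavaScript, and an embedded file. The script below is an added example (not EclecticIQ's tooling and not the campaign's code) of pdfid-style static triage that counts those PDF name objects, after undoing the #xx hex escapes and inflating the FlateDecode streams that attackers use to hide them. The sample document is constructed here to mimic the described chain; the exportDataObject call in it is the standard Acrobat JavaScript API for saving or launching an attachment, and nothing in the sample is an artifact from the real campaign.

```python
"""Static triage of a PDF for the traces this kind of chain leaves: an
automatic action, embedded JavaScript and an embedded file. Same idea as
pdfid: count PDF name objects, after undoing #xx hex escapes and inflating
FlateDecode streams, both of which are used to hide those names."""
import re
import zlib
from collections import Counter

# Name objects worth a second look and what each one means.
SUSPICIOUS = {
    b"/OpenAction": "action runs when the document is opened",
    b"/AA": "additional action (page open, form events, ...)",
    b"/JavaScript": "JavaScript action",
    b"/JS": "JavaScript code (string or stream)",
    b"/Launch": "launch action (runs an external program)",
    b"/EmbeddedFile": "embedded file (e.g. a dropped HTML, ZIP or HTA)",
    b"/ObjStm": "object stream (objects hidden inside a compressed stream)",
}

NAME_TOKEN = re.compile(rb"/[^\s/\[\]<>(){}%]+")      # a PDF name object
HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")          # #xx escape in a name
STREAM = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def _unescape_names(data: bytes) -> bytes:
    # /Java#53cript is the same name as /JavaScript; decode escapes so a
    # naive string match cannot be dodged that way.
    return HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def _inflate_streams(data: bytes) -> bytes:
    # Concatenate every stream body that zlib can inflate (FlateDecode);
    # uncompressed or otherwise-encoded streams fail and are skipped.
    out = []
    for m in STREAM.finditer(data):
        try:
            out.append(zlib.decompress(m.group(1)))
        except zlib.error:
            pass
    return b"\n".join(out)


def _count(data: bytes) -> Counter:
    return Counter(NAME_TOKEN.findall(_unescape_names(data)))


def triage(pdf: bytes) -> dict:
    """Return suspicious-name counts, which of them were found only inside
    inflated streams, and a verdict: code (JavaScript/Launch) plus a trigger
    (OpenAction/AA) is the classic malicious-document shape."""
    visible = _count(pdf)
    hidden = _count(_inflate_streams(pdf))
    hits = {n: visible[n] + hidden[n] for n in SUSPICIOUS if visible[n] + hidden[n]}
    trigger = any(n in hits for n in (b"/OpenAction", b"/AA"))
    code = any(n in hits for n in (b"/JavaScript", b"/JS", b"/Launch"))
    return {
        "hits": hits,
        "only_in_streams": [n for n in SUSPICIOUS if hidden[n] and not visible[n]],
        "reasons": [SUSPICIOUS[n] for n in hits],
        "suspicious": trigger and code,
    }


# Constructed sample mimicking the chain above: OpenAction -> JavaScript that
# exports an embedded HTML file. The action object sits in a FlateDecode
# object stream and its /JavaScript name is hex-escaped, so a plain
# `strings | grep JavaScript` would miss it.
_OBJSTM = zlib.compress(
    b"7 0 << /S /Java#53cript /JS (this.exportDataObject({cName: 'Invitation', nLaunch: 2})) >>"
)
SAMPLE_PDF = b"".join([
    b"%PDF-1.7\n",
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 7 0 R ",
    b"/Names << /EmbeddedFiles << /Names [(Invitation) 5 0 R] >> >> >>\nendobj\n",
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n",
    b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >>\nendobj\n",
    b"4 0 obj << /Type /ObjStm /N 1 /First 4 /Filter /FlateDecode /Length %d >>\n" % len(_OBJSTM),
    b"stream\n", _OBJSTM, b"\nendstream\nendobj\n",
    b"5 0 obj << /Type /Filespec /F (Invitation.html) /EF << /F 6 0 R >> >>\nendobj\n",
    b"6 0 obj << /Type /EmbeddedFile /Length 13 >>\nstream\n<html></html>\nendstream\nendobj\n",
    b"trailer << /Root 1 0 R >>\n%%EOF\n",
])
CLEAN_PDF = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >>\nendobj\n"
             b"2 0 obj << /Type /Pages /Kids [] /Count 0 >>\nendobj\n"
             b"trailer << /Root 1 0 R >>\n%%EOF\n")

if __name__ == "__main__":
    for label, doc in (("sample", SAMPLE_PDF), ("clean", CLEAN_PDF)):
        r = triage(doc)
        print(label, "SUSPICIOUS" if r["suspicious"] else "clean", r["hits"], r["only_in_streams"])
```

Two caveats for real use: a stream encoded with anything other than FlateDecode (or with a predictor) is skipped here, so an empty `only_in_streams` is not proof of absence, and the verdict is a triage signal, not a classification; documents with forms legitimately carry /AA and /JS.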
Command-and-control (C2) is facilitated by making use of Zulip's API to send victim details to an actor-controlled chat room (toyy.zulipchat[.]com) as well as to remotely commandeer the compromised hosts.
EclecticIQ said it identified a second PDF file, likely used by APT29 for reconnaissance or for testing purposes.
"It did not contain a payload, but notified the actor if a victim opened the email attachment by receiving a notification through a compromised domain edenparkweddings[.]com," the researchers said.
It's worth noting that the abuse of Zulip is par for the course with the state-sponsored group, which has a track record of leveraging a wide array of legitimate internet services such as Google Drive, Microsoft OneDrive, Dropbox, Notion, Firebase, and Trello for C2.
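Because the C2 traffic described above (and the other legitimate services listed) blends into ordinary HTTPS, a domain block list alone does not help once the actor moves to a new Zulip realm. The hunt below is an added example, not EclecticIQ's tooling, that reads proxy logs and combines three signals per source/host pair: a hit on the domains reported in the article, calls to the documented Zulip REST endpoints from a non-interactive User-Agent, and a periodic request cadence. The log format, the sample lines and the User-Agent strings are constructed for the example; in particular, the article does not say what User-Agent the Duke variant used, so `python-requests` here is an assumption, as is the list of interactive client User-Agents.

```python
"""Hunt proxy logs for C2 hidden in traffic to a legitimate chat or SaaS
API, using the Zulip case from the article. Three independent signals are
combined so that one legitimate Zulip user does not page the SOC: a known
IOC domain, API calls from a non-interactive User-Agent, and a periodic
request cadence (beaconing)."""
import statistics
from collections import defaultdict
from datetime import datetime

# Domains reported in the article (defanged there with [.]).
IOC_DOMAINS = {"toyy.zulipchat.com", "edenparkweddings.com", "bahamas.gov.bs"}

# Services the article lists as past APT29 C2 channels; suffix matches,
# illustrative rather than complete.
WATCHED_SUFFIXES = ("zulipchat.com", "dropboxapi.com", "api.trello.com", "api.notion.com")

# Documented Zulip REST endpoints a C2 client needs: send/fetch messages,
# long-poll for events, register an event queue.
API_PATHS = ("/api/v1/messages", "/api/v1/events", "/api/v1/register")

# User-Agents an interactive client presents (assumption: browsers plus the
# official desktop and mobile apps). Anything else calling the API is odd.
INTERACTIVE_UA = ("Mozilla/", "ZulipElectron/", "ZulipMobile/")


def parse(line: str) -> dict:
    # Constructed log format: ts|src|method|host|path|user_agent
    ts, src, method, host, path, ua = line.split("|", 5)
    return {"ts": datetime.fromisoformat(ts), "src": src, "method": method,
            "host": host.lower(), "path": path, "ua": ua}


def is_periodic(times, min_hits=4, max_cv=0.2) -> bool:
    """Beacon heuristic: enough requests whose inter-arrival times have a low
    coefficient of variation (stdev/mean). Heavy jitter or long sleeps push
    the CV up, so treat this as one signal, not proof."""
    if len(times) < min_hits:
        return False
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    mean = statistics.mean(gaps)
    return mean > 0 and statistics.pstdev(gaps) / mean <= max_cv


def hunt(lines) -> dict:
    """Group watched traffic per (source, host) and return the reasons each
    pair was flagged; pairs with no reason are omitted."""
    by_pair = defaultdict(list)
    for rec in map(parse, lines):
        if rec["host"] in IOC_DOMAINS or rec["host"].endswith(WATCHED_SUFFIXES):
            by_pair[(rec["src"], rec["host"])].append(rec)
    alerts = {}
    for pair, recs in by_pair.items():
        recs.sort(key=lambda r: r["ts"])
        reasons = []
        if pair[1] in IOC_DOMAINS:
            reasons.append("known IOC domain")
        api = [r for r in recs if r["path"].startswith(API_PATHS)]
        if any(not r["ua"].startswith(INTERACTIVE_UA) for r in api):
            reasons.append("API calls from non-interactive User-Agent")
        if is_periodic([r["ts"] for r in recs]):
            reasons.append("periodic request cadence (possible beacon)")
        if reasons:
            alerts[pair] = reasons
    return alerts


# Constructed sample: one host polling the IOC realm every minute with a
# scripted client, one user of an unrelated realm browsing normally.
SAMPLE_LOG = """\
2023-08-10T09:00:00|10.0.0.5|POST|toyy.zulipchat.com|/api/v1/messages|python-requests/2.31.0
2023-08-10T09:01:00|10.0.0.5|GET|toyy.zulipchat.com|/api/v1/messages|python-requests/2.31.0
2023-08-10T09:02:00|10.0.0.5|GET|toyy.zulipchat.com|/api/v1/messages|python-requests/2.31.0
2023-08-10T09:03:00|10.0.0.5|GET|toyy.zulipchat.com|/api/v1/messages|python-requests/2.31.0
2023-08-10T09:04:01|10.0.0.5|GET|toyy.zulipchat.com|/api/v1/messages|python-requests/2.31.0
2023-08-10T09:00:12|10.0.0.9|GET|acme.zulipchat.com|/|Mozilla/5.0 (Windows NT 10.0) Firefox/116.0
2023-08-10T09:07:40|10.0.0.9|GET|acme.zulipchat.com|/api/v1/events|Mozilla/5.0 (Windows NT 10.0) Firefox/116.0
2023-08-10T09:31:05|10.0.0.9|POST|acme.zulipchat.com|/api/v1/messages|Mozilla/5.0 (Windows NT 10.0) Firefox/116.0
2023-08-10T09:05:00|10.0.0.9|GET|www.example.com|/|Mozilla/5.0 (Windows NT 10.0) Firefox/116.0
""".splitlines()

if __name__ == "__main__":
    for (src, host), why in hunt(SAMPLE_LOG).items():
        print(f"{src} -> {host}: " + "; ".join(why))
```

The cadence check is the part that survives a change of realm or implant: an operator who adds jitter raises the coefficient of variation and slips under the 0.2 threshold, so in practice the threshold is tuned against the organisation's own baseline and the three reasons are scored rather than treated as a single boolean.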
APT29's primary targets are governments and government subcontractors, political organizations, research firms, and critical industries in the U.S. and Europe. But in an interesting twist, an unknown adversary has been observed employing its tactics to breach Chinese-speaking users with Cobalt Strike.
The development comes as the Computer Emergency Response Team of Ukraine (CERT-UA) warned of a new set of phishing attacks against state organizations of Ukraine using a Go-based open-source post-exploitation toolkit called Merlin. The activity is being tracked under the moniker UAC-0154.
The war-torn country has also faced sustained cyber assaults from Sandworm, an elite hacking unit affiliated with Russian military intelligence, primarily intended to disrupt critical operations and gather intelligence to gain a strategic advantage.
According to a recent report from the Security Service of Ukraine (SBU), the threat actor is said to have unsuccessfully attempted to gain unauthorized access to Android tablets used by Ukrainian military personnel for planning and performing combat missions.
"The capture of devices on the battlefield, their detailed examination, and the use of available access, and software became the primary vector for the initial access and malware distribution," the security agency said.
Some of the malware strains include NETD to ensure persistence, DROPBEAR to establish remote access, STL to gather data from the Starlink satellite system, DEBLIND to exfiltrate data, and the Mirai botnet malware. The attackers also used a Tor hidden service to reach a device on the local network from the Internet.