The ITG05 group, which is believed to be a Russian state-sponsored entity, has been leveraging the Israel-Hamas conflict as a theme in phishing campaigns to deliver the Headlace malware. Here's a detailed overview of their operations based on information from IBM X-Force:
Campaign Overview: The group has been using lure documents featuring the ongoing Israel-Hamas war to deliver the Headlace backdoor. These campaigns target entities in at least 13 nations worldwide and use authentic documents from academic, finance, and diplomatic centers.
Target Audience and Lure Contents: The lures are designed to appeal to audiences interested in research and policy creation. The campaign targets entities influential in the allocation of humanitarian aid, primarily in Europe. The lures include legitimate documents associated with finance, think tanks, educational organizations, and NGOs.
Execution Chains for Headlace Malware: ITG05 has implemented three execution chains for the Headlace malware:
Via WinRAR Vulnerability: Exploiting CVE-2023-38831 in WinRAR. If a victim with a vulnerable WinRAR application opens the archive, the Headlace dropper is executed in the background while presenting a lure document.
Via DLL Hijacking: Delivering a legitimate Microsoft Calc.exe binary susceptible to DLL hijacking, which, when executed, loads a malicious DLL to run the Headlace CMD dropper.
Direct Execution: Directing victims to execute the Headlace CMD dropper disguised as a Windows update script.
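As an added defender-side example (not code from the X-Force report or this post), the following Python heuristic flags the Calc.exe DLL-hijacking chain described above: a copy of calc.exe running from a user-writable directory, or calc.exe loading a DLL from outside the Windows system directories. The Sysmon-style image-load records, their field layout and the DLL name are constructed for illustration.

```python
"""Heuristic detection for the Calc.exe DLL-sideloading execution chain (added example)."""
from dataclasses import dataclass

# Directories from which a genuine Windows binary and its DLLs are expected to load.
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\windows\\winsxs\\")

@dataclass(frozen=True)
class Finding:
    record: int   # 1-based index of the offending record
    reason: str

def _is_trusted(path: str) -> bool:
    return path.lower().startswith(TRUSTED_DIRS)

def parse_event(line: str) -> dict:
    """Parse a constructed 'Key=Value|Key=Value' record (Sysmon-like fields) into a dict."""
    return dict(kv.split("=", 1) for kv in line.strip().split("|"))

def detect_calc_sideload(lines) -> list:
    """Return findings for calc.exe running from, or loading DLLs from, untrusted paths."""
    findings = []
    for n, line in enumerate(lines, 1):
        ev = parse_event(line)
        if ev.get("EventID") != "7":          # Sysmon Event ID 7: Image loaded
            continue
        image, loaded = ev.get("Image", ""), ev.get("ImageLoaded", "")
        if not image.lower().endswith("\\calc.exe"):
            continue
        if not _is_trusted(image):
            findings.append(Finding(n, f"calc.exe executed from untrusted path: {image}"))
        if loaded.lower().endswith(".dll") and not _is_trusted(loaded):
            findings.append(Finding(n, f"calc.exe loaded DLL from untrusted path: {loaded}"))
    return findings

# Constructed sample records: one benign system load, one sideload, two unrelated events.
SAMPLE_EVENTS = [
    "EventID=7|Image=C:\\Windows\\System32\\calc.exe|ImageLoaded=C:\\Windows\\System32\\kernel32.dll",
    "EventID=7|Image=C:\\Users\\victim\\Downloads\\lure\\calc.exe"
    "|ImageLoaded=C:\\Users\\victim\\Downloads\\lure\\sideloaded.dll",
    "EventID=7|Image=C:\\Windows\\System32\\notepad.exe|ImageLoaded=C:\\Users\\victim\\x.dll",
    "EventID=1|Image=C:\\Users\\victim\\Downloads\\lure\\calc.exe|CommandLine=calc.exe",
]

if __name__ == "__main__":
    for f in detect_calc_sideload(SAMPLE_EVENTS):
        print(f"record {f.record}: {f.reason}")
```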
Initial Lures and Infection Chain: Earlier ITG05 operations featuring Headlace used adult-themed lures. The recent shift to using official documents as lures indicates a focus on a specific target audience. The infection starts with phishing URLs leading to downloads from legitimate staging services, where a JavaScript-based browser enumeration script verifies the user agent and geolocation of the victim.
Follow-up Payloads and Data Exfiltration: Once the system is compromised, follow-up payloads are used to capture NTLM credentials or SMB hashes of user accounts for exfiltration via the Tor network. ITG05 also employs custom exfiltration tools such as Graphite and Credomap.
This analysis highlights the sophistication of ITG05's operations and the importance of being vigilant against state-sponsored cyber threats that leverage current events as lures for targeted cyber espionage activities.
REFERENCES
- https://securityintelligence.com/x-force/itg05-ops-leverage-israel-hamas-conflict-lures-to-deliver-headlace-malware/
- https://otx.alienvault.com/pulse/6579b53c00375a2dcfaaf952
TAGS
itg05, september, ukraine, azerbaijan, israel, razumkov centre, belarus, service, winrar, nishang, graphite, credomap, gootloader, wailingcrab, mocky