APT29 Adversary Simulation
by 34585 - Monday April 22, 2024 at 04:02 PM
#1
(untested)

This is a simulation of an attack by the Cozy Bear group (APT-29) targeting diplomatic missions. The campaign began with an innocuous and legitimate event. In mid-April 2023, a diplomat within the Polish Ministry of Foreign Affairs emailed his legitimate flyer to various embassies advertising the sale of a used BMW 5-series sedan located in Kyiv. The file was titled BMW 5 for sale in Kyiv - 2023.docx. I relied on Palo Alto to figure out the details to make this simulation: https://unit42.paloaltonetworks.com/cloa...-phishing/

1. DOCX file: the created DOCX file includes a hyperlink that leads to downloading a further HTML file (the HTML smuggling file).
2. HTML smuggling: the attackers use HTML smuggling to obscure the ISO file.
3. LNK files: when the LNK files (shortcuts) are executed they run a legitimate EXE and open a PNG file. However, behind the scenes, encrypted shellcode is read into memory and decrypted.
4. ISO file: the ISO file contains a number of LNK files that are masquerading as images. These LNK files are used to execute the malicious payload.
5. DLL hijacking: the EXE file loads a malicious DLL via DLL hijacking, which allows the attacker to execute arbitrary code in the context of the infected process.
6. Shellcode injection: the decrypted shellcode is then injected into a running Windows process, giving the attacker the ability to execute code with the privileges of the infected process.
7. Payload execution: the shellcode decrypts and loads the final payload inside the current process.
8. Dropbox C2: this payload beacons to Dropbox and to primary/secondary C2s based on the Microsoft Graph API.

https://github.com/S3N4T0R-0X0/APT29-Adv...Simulation
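The delivery stages described in the post (an HTML smuggling page that reconstructs an ISO in the browser, and an ISO carrying LNK shortcuts dressed up as images) both leave artifacts a defender can check for before anything executes. The script below is an added detection example, not code from the post or from the linked simulation repository. It applies two triage checks: it identifies a Shell Link (LNK) file by the fixed header from the MS-SHLLINK specification (HeaderSize 0x4C followed by the LinkCLSID 00021401-0000-0000-C000-000000000046) rather than by file extension, and it scores an HTML page on the usual smuggling building blocks (base64 decode, in-memory Blob, object URL, forced download, ISO file name, large base64 literal). All sample inputs are constructed inline; the function names, pattern set and the file names used are this example's own assumptions.

```python
"""Triage helpers for the HTML-smuggling -> ISO -> LNK delivery chain.
Added example; not part of the original post or the simulation repository."""
import re
import struct

# MS-SHLLINK ShellLinkHeader: HeaderSize (0x4C, little-endian) then the LinkCLSID
# {00021401-0000-0000-C000-000000000046} in its on-disk byte order.
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

IMAGE_EXTENSIONS = (".png", ".jpg", ".jpeg", ".gif", ".bmp")


def is_lnk(data: bytes) -> bool:
    """True when the bytes start with a valid Shell Link header (content check,
    independent of whatever extension the file was given)."""
    if len(data) < LNK_HEADER_SIZE:
        return False
    header_size = struct.unpack_from("<I", data, 0)[0]
    return header_size == LNK_HEADER_SIZE and data[4:20] == LNK_CLSID


def masquerading_image_lnk(filename: str, data: bytes) -> bool:
    """Flag a file whose content is a shortcut but whose name is presented as an
    image, e.g. "photo.png.lnk" (Explorer hides the trailing .lnk) or "photo.png"."""
    lowered = filename.lower()
    stem = lowered[:-4] if lowered.endswith(".lnk") else lowered
    return is_lnk(data) and stem.endswith(IMAGE_EXTENSIONS)


# Building blocks typically present together in an HTML smuggling page.
HTML_SMUGGLING_PATTERNS = {
    "base64_decode": re.compile(r"\batob\s*\(", re.I),
    "blob_object": re.compile(r"\bnew\s+Blob\s*\(", re.I),
    "object_url": re.compile(r"URL\.createObjectURL\s*\(", re.I),
    "forced_download": re.compile(r"\.download\s*=|\bdownload\s*=\s*[\"']", re.I),
    "iso_name": re.compile(r"\.iso\b", re.I),
    "large_base64_literal": re.compile(r"[\"'][A-Za-z0-9+/]{200,}={0,2}[\"']"),
}


def html_smuggling_indicators(html: str) -> list[str]:
    """Return the names of the smuggling indicators found in the page source."""
    return [name for name, pat in HTML_SMUGGLING_PATTERNS.items() if pat.search(html)]


def html_smuggling_score(html: str) -> int:
    """Simple count of indicators; a page with four or more deserves a closer look."""
    return len(html_smuggling_indicators(html))


def triage_container(entries: list[tuple[str, bytes]]) -> list[str]:
    """Given (name, bytes) pairs extracted from an ISO, return the names that are
    shortcuts posing as images."""
    return [name for name, data in entries if masquerading_image_lnk(name, data)]


# --- constructed sample inputs (not real artifacts) ---------------------------
SAMPLE_LNK = struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID + b"\x00" * (LNK_HEADER_SIZE - 20)
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 70  # real PNG magic, padded
SAMPLE_HTML = """<html><body><script>
var b64 = "%s";
var bytes = Uint8Array.from(atob(b64), c => c.charCodeAt(0));
var blob = new Blob([bytes], {type: "application/octet-stream"});
var a = document.createElement("a");
a.href = URL.createObjectURL(blob);
a.download = "sample.iso";
a.click();
</script></body></html>""" % ("A" * 300)
BENIGN_HTML = "<html><body><p>Hello</p><img src=\"logo.png\"></body></html>"

if __name__ == "__main__":
    iso_listing = [("car1.png.lnk", SAMPLE_LNK), ("car2.png", SAMPLE_PNG), ("notes.lnk", SAMPLE_LNK)]
    print("flagged in ISO:", triage_container(iso_listing))
    print("smuggling indicators:", html_smuggling_indicators(SAMPLE_HTML))
    print("benign page score:", html_smuggling_score(BENIGN_HTML))
```

The content-based LNK check matters more than the name check on its own: a shortcut renamed to `.png` is still a shortcut, and a file named `.png.lnk` with real PNG bytes inside is harmless, so the two tests are combined. The HTML scoring is a heuristic; legitimate pages can use `Blob` and `createObjectURL`, which is why the score counts co-occurring indicators rather than treating any one as decisive.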
#2
really great man