The article outlines a new APT29 campaign called “Information,” detailing an SVG dropper, DLL side-loading, and C2 behaviour used in a multi-stage infection. It describes an email phishing chain impersonating the Norwegian embassy, HTML smuggling via an SVG, and a staged payload including CCleanerReactivator and CCleanerDU with updated C2 communication. #APT29 #CCleanerReactivator #CCleanerDU #NorwegianEmbassy #SVGDropper
Keypoints
- The article discusses a new APT29 operation named “Information” introducing an SVG-based dropper, DLL infection, and C2 activity.
- The phishing email uses the subject “Invitation – Santa Lucia Celebration” and impersonates the Norwegian embassy, delivering an .svg attachment.
- Opening the file leads to an ISO (.iso) being downloaded, containing Stage1 and Stage2 components (Invitation.lnk, CCleanerReactivator.exe, CCleanerReactivator.dll, CCleanerDU.dll).
MITRE Techniques
- [T1566.001] Spearphishing Attachment – The initial access vector for this campaign is email. The phishing message used by the authors has the subject “Invitation – Santa Lucia Celebration”.
- [T1574.002] DLL Side-Loading – The malicious logic resides in the CCleanerReactivator.dll and CCleanerDU.dll libraries, which CCleanerReactivator.exe loads via the DLL side-loading technique.
- [T1059.003] Windows Command Shell – The first file (Invitation.lnk) launches a command that uses Robocopy to copy files and start CCleanerReactivator.exe.
- [T1105] Ingress Tool Transfer – Opening the SVG drops a script that downloads an ISO containing the next infection stage and mounts it.
- [T1071.001] Web Protocols – The C2 communications are established via wininet.dll using InternetOpenA/InternetConnectA/HttpOpenRequestA/HttpSendRequestA/InternetReadFile/InternetCloseHandle.
- [T1057] Process Discovery – The code lists all running processes with CreateToolhelp32Snapshot, Process32First, and Process32Next for exfiltration buffering.
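As an added example (not code from the lab52 report), the Python script below matches the stages listed above against constructed process telemetry and checks file hashes against the published IoCs. The Sysmon-style field names, the sample paths and the sample events are assumptions made for illustration.

```python
"""Triage helper for the chain described in the summary:
LNK -> Robocopy -> CCleanerReactivator.exe side-loading CCleanerDU.dll / CCleanerReactivator.dll,
followed by C2 traffic. Sample events are constructed, not taken from the report."""

# SHA-256 IoCs as listed in the summary (lowercased for comparison)
IOC_SHA256 = {
    "invitation.lnk": "a8ae10b43cbf4e3344e0184b33a699b19a29866bc1e41201ace1a995e8ca3149",
    "ccleanerreactivator.exe": "59e5b2a7a3903e4fb9a23174b655adb75eb490625ddb126ef29446e47de4099f",
    "ccleanerdu.dll": "d7bda5e39327fe12b0c1f42c8e27787f177a352f8eebafbe35d3e790724eceff",
    "ccleanerreactivator.dll": "7fc9e830756e23aa4b050f4ceaeb2a83cd71cfc0145392a0bc03037af373066b",
}
C2_HOST = "kefas.id"  # the report's defanged hxxps://kefas[.]id/search/s.php
SIDELOADED_DLLS = ("ccleanerreactivator.dll", "ccleanerdu.dll")

def check_hash(file_name: str, sha256: str) -> bool:
    """True when a file's SHA-256 matches one of the report's IoCs."""
    return IOC_SHA256.get(file_name.lower()) == sha256.lower()

def detect(events: list[dict]) -> list[str]:
    """Return one finding per event that matches a stage of the described chain."""
    findings = []
    for ev in events:
        image = ev.get("Image", "").lower()
        cmd = ev.get("CommandLine", "").lower()
        # Stage 1: the LNK runs a shell command that uses Robocopy and starts the EXE
        if "robocopy" in cmd and "ccleanerreactivator.exe" in cmd:
            findings.append(f"T1059.003 LNK/Robocopy launcher: {ev['CommandLine']}")
        # Stage 2: only CCleanerReactivator.exe loading the named DLLs is flagged
        if image.endswith("ccleanerreactivator.exe"):
            for dll in ev.get("ImageLoaded", []):
                dll_name = dll.lower().rsplit("\\", 1)[-1]
                if dll_name in SIDELOADED_DLLS:
                    findings.append(f"T1574.002 side-load of {dll_name} by {ev['Image']}")
        # C2: any connection to the published C2 host
        if ev.get("DestinationHostname", "").lower() == C2_HOST:
            findings.append(f"T1071.001 C2 contact: {ev['DestinationHostname']}")
    return findings

# Constructed sample telemetry (assumed paths; not from the report)
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c robocopy E:\ %TEMP%\inv CCleanerReactivator.exe CCleanerDU.dll & start %TEMP%\inv\CCleanerReactivator.exe"},
    {"Image": r"C:\Users\u\AppData\Local\Temp\inv\CCleanerReactivator.exe",
     "ImageLoaded": [r"C:\Windows\System32\kernel32.dll", r"C:\Users\u\AppData\Local\Temp\inv\CCleanerDU.dll"]},
    {"Image": r"C:\Users\u\AppData\Local\Temp\inv\CCleanerReactivator.exe", "DestinationHostname": "kefas.id"},
    {"Image": r"C:\Program Files\CCleaner\CCleaner64.exe", "ImageLoaded": [r"C:\Program Files\CCleaner\CCleanerDU.dll"]},  # other process: not flagged
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```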
Indicators of Compromise
- [File] Email attachments and payloads (SHA-256):
  - Invitation – Santa Lucia Celebration.msg – 966E070A52DE1C51976F6EA1FC48EC77F6B89F4BF5E5007650755E9CD0D73281
  - Invitation.svg – 4875A9C4AF3044DB281C5DC02E5386C77F331E3B92E5AE79FF9961D8CD1F7C4F
  - Invitation.iso – AF1922C665E9BE6B29A5E3D0D3AC5916AE1FC74AC2FE9931E5273F3C4043F395
  - Invitation.lnk – A8AE10B43CBF4E3344E0184B33A699B19A29866BC1E41201ACE1A995E8CA3149
  - CCleanerReactivator.exe – 59E5B2A7A3903E4FB9A23174B655ADB75EB490625DDB126EF29446E47DE4099F
  - CCleanerDU.dll – D7BDA5E39327FE12B0C1F42C8E27787F177A352F8EEBAFBE35D3E790724ECEFF
  - CCleanerReactivator.dll – 7FC9E830756E23AA4B050F4CEAEB2A83CD71CFC0145392A0BC03037AF373066B
- [URL] C2 – hxxps://kefas[.]id/search/s.php
Read more: https://lab52.io/blog/2344-2/