APT28 campaign directed against Polish government institutions

CERT Polska and CSIRT MON have linked a large-scale malware campaign against Polish government institutions to APT28, a group associated with Russia's GRU. The operation combines phishing e-mails that carry a link rather than an attachment, redirection through the free developer services run.mocky.io and webhook.site, and DLL side-loading from a ZIP archive to deliver a staged payload.

Keypoints

  • APT28 is associated with the GRU; this activity set was observed against Polish government institutions.
  • The phishing e-mails deliver no malware directly; their content persuades the recipient to click a link.
  • The link first hits run.mocky.io, which only redirects to a webhook.site address; both are free developer services, so the attackers get request logging and configurable responses at no cost, with traffic that blends into legitimate developer use.
  • The ZIP archive contains IMG-238279780.jpg.exe, a harmless calculator disguised as an image, whose start-up triggers a DLL side-loading chain.
  • The archive also contains a malicious WindowsCodecs.dll, which the calculator loads in place of the legitimate library, and a BAT script that executes further payloads.
  • The operation is a multi-stage downloader/loader with web-based C2 communication and data collection.

MITRE Techniques

  • [T1566.002] Spearphishing Link – The e-mails deliver a link rather than an attachment; their text is written to arouse the recipient's interest and persuade them to click it. [The campaign sent e-mails with content intended to arouse the recipient’s interest and persuade him to click on the link.]
  • [T1204.002] User Execution: Malicious File – The victim must run IMG-238279780.jpg.exe from the archive. The file is a harmless calculator, but at start-up it loads WindowsCodecs.dll from its own directory, where the attackers have placed a malicious copy. [If the victim runs the file IMG-238279780.jpg.exe which is a harmless calculator, during startup it will try to load a library WindowsCodecs.dll that was substituted by the attackers. This is a technique known as DLL Side-Loading.]
  • [T1574.002] Hijack Execution Flow: DLL Side-Loading – The calculator loads the malicious WindowsCodecs.dll shipped in the archive instead of the legitimate library; the substituted DLL's role is to run the attacker-provided BAT script. [This is a technique known as DLL Side-Loading.]
  • [T1071.001] Web Protocols – The campaign uses the free web services run.mocky.io and webhook.site over HTTP(S) as its redirection, request-logging and delivery channel. [The link directs to an address in the domain run.mocky.io. It is a free service used by developers to create and test APIs. In this case, it was used only to redirect to another website webhook.site allowing logging all queries to the generated address and configuring responses to them.]
  • [T1059.003] Windows Command Shell – The payload chain runs as batch scripts: the BAT script from the archive opens Microsoft Edge, which loads base64-encoded page content and fetches a second batch script, again from webhook.site. [The BAT script opens the Microsoft Edge browser, which loads the base64-encoded page content to download another batch script (also using the website webhook.site).]
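The two observable stages above, a ZIP archive laid out for DLL side-loading and outbound requests to the free developer services, can both be checked mechanically. The following triage script is an added example written for this summary, not code from CERT Polska or from the campaign; the archive it inspects is a constructed stand-in for IMG-238279780.zip with placeholder contents (the BAT script name stage1.bat and the proxy log lines are hypothetical), and the URLs it flags are the ones listed in the Indicators of Compromise section.

```python
import io
import re
import zipfile
from typing import Dict, List
from urllib.parse import urlparse

# Free developer services the campaign abused for redirection and request logging.
STAGING_HOSTS = {"run.mocky.io", "webhook.site"}
# Legitimate DLL name the calculator loads at start-up; the archive ships a malicious copy.
SIDELOAD_DLL = "windowscodecs.dll"
# Image-looking name with an executable extension, e.g. IMG-238279780.jpg.exe.
DOUBLE_EXT_RE = re.compile(r"\.(?:jpe?g|png|gif|pdf|docx?)\.(?:exe|scr|com|pif)$", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
# MS-DOS "hidden" attribute bit, stored in the low byte of ZipInfo.external_attr.
MSDOS_HIDDEN = 0x02


def triage_archive(zip_bytes: bytes) -> Dict[str, List[str]]:
    """Flag the archive layout used in the campaign: an image-named executable,
    a WindowsCodecs.dll next to it, and a batch script (optionally hidden)."""
    findings: Dict[str, List[str]] = {
        "double_extension": [], "sideload_dll": [], "batch_script": [], "hidden": [],
    }
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename.rsplit("/", 1)[-1]
            low = name.lower()
            if DOUBLE_EXT_RE.search(low):
                findings["double_extension"].append(name)
            if low == SIDELOAD_DLL:
                findings["sideload_dll"].append(name)
            if low.endswith((".bat", ".cmd")):
                findings["batch_script"].append(name)
            if info.external_attr & MSDOS_HIDDEN:
                findings["hidden"].append(name)
    return findings


def archive_matches_chain(findings: Dict[str, List[str]]) -> bool:
    """True when all three side-loading components are present together."""
    return bool(findings["double_extension"] and findings["sideload_dll"]
                and findings["batch_script"])


def flag_staging_urls(log_lines: List[str]) -> List[str]:
    """Return every URL in the log lines whose host is one of the abused services."""
    hits = []
    for line in log_lines:
        for url in URL_RE.findall(line):
            host = (urlparse(url).hostname or "").lower()
            if host in STAGING_HOSTS:
                hits.append(url)
    return hits


def build_sample_archive() -> bytes:
    """Constructed stand-in for IMG-238279780.zip: same layout, placeholder bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("IMG-238279780.jpg.exe", b"MZ placeholder, not the real calculator")
        zf.writestr("WindowsCodecs.dll", b"MZ placeholder, not the real DLL")
        bat = zipfile.ZipInfo("stage1.bat")  # hypothetical name; the real one is not given here
        bat.external_attr = MSDOS_HIDDEN      # mark it hidden, as the campaign's script was
        zf.writestr(bat, b"@echo off\r\nrem placeholder\r\n")
    return buf.getvalue()


# Constructed proxy log lines; the first two URLs are from the IOC list below.
SAMPLE_PROXY_LOG = [
    "2024-05-08T10:21:03Z 10.0.0.12 GET https://run.mocky.io/v3/87f277a5-a081-4976-8e12-351b6c02a903?q=2d07e34c-3dd3-45e8-865c-3888a65ab885 302",
    "2024-05-08T10:21:04Z 10.0.0.12 GET https://webhook.site/2d07e34c-3dd3-45e8-865c-3888a65ab885 200",
    "2024-05-08T10:21:09Z 10.0.0.12 GET https://www.example.com/news/index.html 200",
]

if __name__ == "__main__":
    findings = triage_archive(build_sample_archive())
    print("archive findings:", findings)
    print("side-loading layout present:", archive_matches_chain(findings))
    print("staging URLs in proxy log:", flag_staging_urls(SAMPLE_PROXY_LOG))
```

Both services are legitimate, so a hit on webhook.site or run.mocky.io alone is a hunting lead rather than a verdict; the archive check is the stronger signal, and requiring all three components together keeps a lone WindowsCodecs.dll in a developer's download folder from firing.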

Indicators of Compromise

  • [URL] Redirect/Delivery URLs – https://run.mocky.io/v3/87f277a5-a081-4976-8e12-351b6c02a903?q=2d07e34c-3dd3-45e8-865c-3888a65ab885, https://webhook.site/2d07e34c-3dd3-45e8-865c-3888a65ab885
  • [URL] Redirect/Delivery URLs – https://webhook.site/4ba464d9-0675-4a7a-9966-8f84e93290ba, https://webhook.site/577b82c3-7249-44e9-9353-5eab106fead6
  • [Domain] C2 Infrastructure – run.mocky.io, webhook.site
  • [SHA256] File/Component Hashes – 2bd9591bea6b1f4128e4819e3888b45b193d5a2722672b839ad7ae120bf9af3d, 4001498463dc8f8010ef1cc803b67ac434ff26d67d132933a187697aa2e88ef1
  • [Filename] Samples/Components – IMG-1030873974629655576.zip, WindowsCodecs.dll
  • [Filename] Samples/Components – IMG-238279780.zip, IMG-238279780.jpg

Read more: https://cert.pl/en/posts/2024/05/apt28-kampania/