Cloaked Ursa (APT29) expanded its diplomatic-target espionage with novel, individual-focused phishing lures, including a Kyiv BMW-for-sale campaign that targeted embassies. The operation uses dual C2 channels (Microsoft Graph API and Dropbox) and sophisticated loader/injection techniques to deliver and run payloads while evading detection. #CloakedUrsa #APT29
Keypoints
- Cloaked Ursa targeted diplomatic missions in Kyiv, reportedly impacting at least 22 embassies, with campaigns designed to broaden reach beyond countries to individuals within the diplomatic community.
- A novel BMW-for-sale lure repurposed from a legitimate flyer demonstrates attackers’ willingness to reuse credible, real-world contexts to entice targets.
- The BMW campaign used a Word document carrying the same filename as the legitimate flyer; its link led to a URL-shortener address that redirected to a co-opted site hosting a malicious HTA payload, and the remainder of the infection flow relied on LNK files masquerading as PNG images.
- The malware employs DLL side-loading and anti-analysis checks (detecting debuggers, and checking that the system has more than one processor, a common sandbox tell) before injecting shellcode into legitimate Windows processes.
- C2 communications leverage Microsoft Graph API and Dropbox, with string encryption and other obfuscation to hide commands and data, including a BMP-wrapped data channel in Dropbox.
- A separate Turkey MFA campaign leveraged a similar framework (e-yazi.zip/e-yazi.html) with WinWord-based sideloading and the APPVISVSUBSYSTEMS64 DLL to load and execute shellcode, showing operational overlap with other Cloaked Ursa campaigns.
- The report provides practical recommendations for diplomats and organizations, including vigilance with URL shorteners, attachments, extensions, and JavaScript, plus targeted training for new diplomats.
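The LNK-as-PNG trick works because Explorer never shows the trailing ".lnk", so a shortcut named "bmw1.png.lnk" renders as a picture. The checker below is an added example, not code from the report or from Unit 42: it identifies shortcuts by the Shell Link header (MS-SHLLINK: HeaderSize 0x4C plus the fixed LinkCLSID) rather than by extension, walks the optional IDList/LinkInfo blocks, and pulls out the relative target, the command-line arguments and whether the window is launched minimized. The sample tree it scans is constructed here to mimic an extracted ISO; the file names "bmw1.png.lnk" and "windoc.exe", the target and the argument string are illustrative assumptions, not the campaign's real values.

```python
import os
import struct
import tempfile

# Shell Link (MS-SHLLINK) header constants.
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_IDLIST, HAS_LINKINFO, IS_UNICODE = 0x01, 0x02, 0x80
# StringData fields appear in this fixed order, each present only if its LinkFlags bit is set.
STRING_FIELDS = [(0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                 (0x20, "arguments"), (0x40, "icon_location")]
SW_SHOWMINNOACTIVE = 7          # ShowCommand value that keeps the spawned window out of sight
IMAGE_EXTS = {".png", ".jpg", ".jpeg", ".gif", ".bmp"}


def is_lnk(data: bytes) -> bool:
    """True if the bytes start with a Shell Link header, whatever the file is called."""
    return (len(data) >= LNK_HEADER_SIZE
            and struct.unpack_from("<I", data, 0)[0] == LNK_HEADER_SIZE
            and data[4:20] == LNK_CLSID)


def lnk_strings(data: bytes) -> dict:
    """Skip the optional IDList/LinkInfo blocks and return the StringData fields by name."""
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = LNK_HEADER_SIZE
    if flags & HAS_IDLIST:
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINKINFO:
        pos += struct.unpack_from("<I", data, pos)[0]
    out = {}
    for bit, name in STRING_FIELDS:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        if flags & IS_UNICODE:
            out[name] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:
            out[name] = data[pos:pos + count].decode("cp1252", "replace")
            pos += count
    return out


def scan_tree(root: str) -> list:
    """Flag shortcut files under an extracted ISO, keyed on content rather than extension."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in sorted(files):
            with open(os.path.join(dirpath, fn), "rb") as fh:
                data = fh.read()
            if not is_lnk(data):
                continue
            # Explorer hides the trailing ".lnk", so "bmw1.png.lnk" is displayed as "bmw1.png".
            shown = fn[:-4] if fn.lower().endswith(".lnk") else fn
            fields = lnk_strings(data)
            findings.append({
                "file": fn,
                "masquerades_as_image": os.path.splitext(shown)[1].lower() in IMAGE_EXTS,
                "hidden_window": struct.unpack_from("<I", data, 60)[0] == SW_SHOWMINNOACTIVE,
                "target": fields.get("relative_path"),
                "arguments": fields.get("arguments"),
            })
    return findings


def build_lnk(relative_path: str, arguments: str, show_command: int) -> bytes:
    """Build a minimal Unicode .lnk (no IDList/LinkInfo) for the constructed sample tree."""
    flags = 0x08 | 0x20 | IS_UNICODE  # HasRelativePath | HasArguments | IsUnicode
    header = struct.pack("<I16sIIQQQIIIHHII", LNK_HEADER_SIZE, LNK_CLSID, flags,
                         0x20, 0, 0, 0, 0, 0, show_command, 0, 0, 0, 0)
    body = b""
    for s in (relative_path, arguments):
        body += struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + body


def make_sample_tree() -> str:
    """Constructed stand-in for an extracted ISO: one masquerading LNK beside benign files."""
    root = tempfile.mkdtemp(prefix="iso_")
    with open(os.path.join(root, "bmw1.png.lnk"), "wb") as fh:   # assumed name/target/args
        fh.write(build_lnk("windoc.exe", "-o bmw1.png", SW_SHOWMINNOACTIVE))
    with open(os.path.join(root, "bmw2.png"), "wb") as fh:
        fh.write(b"\x89PNG\r\n\x1a\n" + bytes(16))   # genuine PNG signature, ignored
    with open(os.path.join(root, "windoc.exe"), "wb") as fh:
        fh.write(b"MZ" + bytes(62))                  # PE stub, not a shortcut
    return root


if __name__ == "__main__":
    for finding in scan_tree(make_sample_tree()):
        print(finding)
```

Matching on the header rather than the name is the point: a shortcut renamed to ".png" without the ".lnk" suffix is inert on Windows, so the double extension is the realistic variant, and a shortcut whose ShowCommand is 7 together with an image-like display name is a strong triage signal on its own.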
MITRE Techniques
- [T1566.002] Phishing: Spearphishing Link – The lures included shortened URLs that redirected victims to a coopted site hosting a malicious payload. “The key difference with these illegitimate versions is that if a victim clicks on a link offering ‘more high quality photos,’ a URL shortener service will redirect them to a legitimate site.”
- [T1566.001] Phishing: Spearphishing Attachment – The BMW campaign used legitimate-looking Word documents with the same filenames as a Polish diplomat’s flyer to entice recipients to open them. “Two weeks later, on May 4, 2023, Cloaked Ursa emailed their illegitimate version of this flyer to multiple diplomatic missions throughout Kyiv. These illegitimate flyers … use benign Microsoft Word documents of the same name as that sent by the Polish diplomat.”
- [T1036] Masquerading – Windows shortcut files masquerading as PNG image files. “Windows shortcut files masquerading as image files.”
- [T1059.003] Windows Command Shell – The campaign executed commands via a command line during the infection flow. “the following command line is executed.”
- [T1055] Process Injection – Shellcode is injected into the first two active Windows processes that it can inject into (e.g., taskhost.exe or sihost.exe). “The sample will proceed to open the encrypted payload file found within the ISO file, in this case named ojg2.px. Once read into memory, it will decrypt the file …” (injection described subsequently).
- [T1574.001] DLL Side-Loading / DLL Hijacking – APPVISVSUBSYSTEMS64.dll is loaded via sideloading and used to load additional DLLs, enabling shellcode execution. “APPVISVSUBSYSTEMS64 is sideloaded … it would open and read the data from okxi4t.z before decrypting it and injecting it into the first running process it can.”
- [T1497] Virtualization/Sandbox Evasion – Anti-analysis checks hinder dynamic analysis: requiring more than one processor is a classic sandbox tell, while the NtQueryObject search for existing Debug Objects is debugger detection (which current ATT&CK maps more precisely to T1622 Debugger Evasion). “The sample contains anti-analysis techniques… checking that the system has more than one processor … use NtQueryObject to search for any existing Debug Objects.”
- [T1102] Web Service – C2 communications via cloud services (Microsoft Graph API and Dropbox). “For communication, the payload uses both the Microsoft Graph and Dropbox API.”
- [T1027] Obfuscated/Encrypted Files and Information – The final payload uses string encryption and multiple obfuscation techniques to evade analysis. “The final payload contains a large array of obfuscation techniques, including string encryption and junk functions, as well as modifying exception handling structures…”
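Because both C2 channels ride on services most organizations already allow (T1102), the useful detection question is not "who talks to Graph or Dropbox" but "which process talks to them, and does one process talk to both". The example below is added here and is not code from the report or from Unit 42. It reads Sysmon-style network events flattened to key=value lines (the event lines are constructed; the computer names, the process allowlist and the log format are assumptions to be replaced by your own baseline), flags images other than the expected clients reaching the public endpoints of Microsoft Graph (graph.microsoft.com) and Dropbox (api.dropboxapi.com, content.dropboxapi.com), and correlates any (computer, image) pair that uses both services. A second function gives a generic triage check for the BMP-wrapped Dropbox channel: the report does not publish the wrapping format, so this only reports bytes lying past the declared pixel array of an uncompressed BMP.

```python
import re
import struct
from collections import defaultdict

# Public endpoints of the two services the report names as C2 channels.
C2_API_HOSTS = {
    "graph.microsoft.com": "Microsoft Graph",
    "api.dropboxapi.com": "Dropbox",
    "content.dropboxapi.com": "Dropbox",
}
# Assumed allowlist of client images that legitimately use each service; tune from your own baseline.
EXPECTED_CLIENTS = {
    "Microsoft Graph": {"teams.exe", "onedrive.exe", "outlook.exe"},
    "Dropbox": {"dropbox.exe"},
}

KV_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")

# Constructed Sysmon Event ID 3 lines (not real telemetry). taskhost.exe and sihost.exe are
# the processes the report names as injection targets, so they are the interesting images.
SAMPLE_EVENTS = [
    "UtcTime=2023-05-04 09:12:01 Computer=DIPLO-WS01 Image=C:\\Windows\\System32\\taskhost.exe DestinationHostname=graph.microsoft.com DestinationPort=443",
    "UtcTime=2023-05-04 09:12:07 Computer=DIPLO-WS01 Image=C:\\Windows\\System32\\taskhost.exe DestinationHostname=content.dropboxapi.com DestinationPort=443",
    "UtcTime=2023-05-04 09:13:30 Computer=DIPLO-WS02 Image=C:\\Program Files\\Microsoft Teams\\Teams.exe DestinationHostname=graph.microsoft.com DestinationPort=443",
    "UtcTime=2023-05-04 09:14:02 Computer=DIPLO-WS02 Image=C:\\Program Files (x86)\\Dropbox\\Client\\Dropbox.exe DestinationHostname=api.dropboxapi.com DestinationPort=443",
    "UtcTime=2023-05-04 09:15:11 Computer=DIPLO-WS03 Image=C:\\Windows\\System32\\sihost.exe DestinationHostname=api.dropboxapi.com DestinationPort=443",
]


def parse_kv(line: str) -> dict:
    """Parse a flattened 'Key=Value Key=Value' event line; values may contain spaces."""
    return dict(KV_RE.findall(line))


def flag_cloud_c2(events):
    """Return (alerts, dual_channel): unexpected images reaching the C2 APIs, and the
    (computer, image) pairs seen using both Graph and Dropbox, the report's dual-channel pattern."""
    alerts = []
    services_seen = defaultdict(set)
    for line in events:
        ev = parse_kv(line)
        host = ev.get("DestinationHostname", "").lower()
        if host not in C2_API_HOSTS:
            continue
        service = C2_API_HOSTS[host]
        exe = ev.get("Image", "").rsplit("\\", 1)[-1].lower()
        key = (ev.get("Computer", "?"), exe)
        services_seen[key].add(service)
        if exe not in EXPECTED_CLIENTS[service]:
            alerts.append((key[0], exe, host))
    dual_channel = sorted(k for k, s in services_seen.items()
                          if {"Microsoft Graph", "Dropbox"} <= s)
    return alerts, dual_channel


def bmp_trailing_data(data: bytes) -> bytes:
    """Return any bytes past the declared pixel array of an uncompressed BMP (b'' if none).
    A non-empty result is a triage signal, not proof: some encoders append metadata too."""
    if len(data) < 54 or data[:2] != b"BM":
        raise ValueError("not a BMP")
    _bf_size, bf_off_bits = struct.unpack_from("<IxxxxI", data, 2)
    _, width, height, _, bpp = struct.unpack_from("<IiiHH", data, 14)
    row_bytes = ((width * bpp + 31) // 32) * 4          # rows are padded to 4 bytes
    end_of_pixels = bf_off_bits + row_bytes * abs(height)
    return data[end_of_pixels:]


def build_bmp(width: int, height: int, trailer: bytes = b"") -> bytes:
    """Constructed 24-bpp BMP; `trailer` stands in for data smuggled after the image."""
    row_bytes = ((width * 24 + 31) // 32) * 4
    pixels = bytes(row_bytes * height)
    off = 14 + 40
    file_hdr = struct.pack("<2sIHHI", b"BM", off + len(pixels), 0, 0, off)
    dib_hdr = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0, len(pixels), 2835, 2835, 0, 0)
    return file_hdr + dib_hdr + pixels + trailer


if __name__ == "__main__":
    alerts, dual = flag_cloud_c2(SAMPLE_EVENTS)
    print("unexpected clients:", alerts)
    print("dual-channel pairs:", dual)
    print("trailing bytes:", bmp_trailing_data(build_bmp(2, 2, b"constructed smuggled bytes")))
```

The allowlist is the fragile part: Graph in particular is used by many legitimate clients, so derive EXPECTED_CLIENTS from a few weeks of your own telemetry before alerting, and treat the dual-channel correlation (one image on one host using both services) as the higher-fidelity signal. The BMP check assumes biCompression is 0; compressed or V4/V5-header files need a stricter size computation before the trailing-bytes test means anything.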
Indicators of Compromise
- [File name] context – bmw.iso, windoc.exe (sideloaded payload and LNK-based chain)
- [File hash] context – SHA-256: 311e9c8cf6d0b295074ffefaa9f277cb1f806343be262c59f88fbdf6fe242517, 8902bd7d085397745e05883f05c08de87623cc15fe630b36ad3d208f01ef0596
- [URL] context – hxxps://resetlocations[.]com/bmw.htm, hxxps://www.willyminiatures[.]com/e-yazi.html, hxxp://tinyurl[.]com/ysvxa66c, hxxp://t[.]ly/1IFg, hxxps://tinyurl[.]com/mrxcjsbs
- [Domain] context – resetlocations[.]com, simplesalsamix[.]com, willyminiatures[.]com
- [Email] context – dawid.tomaszewski@resetlocations[.]com, ops.rejon4@kazmierz[.]pl
Read more: https://unit42.paloaltonetworks.com/cloaked-ursa-phishing/