Fighting Ursa, a Russian threat actor, used a car-for-sale lure to deliver the HeadLace backdoor to diplomats. The operation began in March 2024 and relied on legitimate services like Webhook.site and ImgBB to host malicious content across multiple stages. #FightingUrsa #HeadLace #WebhookSite #Diplomats #CarForSale
Keypoints
- Fighting Ursa is linked to Russian military intelligence and classified as an advanced persistent threat (APT).
- The campaign targeted diplomats using a phishing lure themed around a car for sale.
- The attack used a malicious HTML page hosted on Webhook.site that redirected victims based on OS.
- A ZIP file in the lure contained three files, with the first named IMG-387470302099.jpg.exe designed to deceive as an image.
- The HeadLace backdoor is modular and executes in stages to evade detection.
- The malware chain involves sideloading a DLL using calc.exe and a subsequent BAT file that fetches more content from another Webhook.site URL.
- Palo Alto Networks offers protective solutions and incident response contacts for affected organizations.
MITRE Techniques
- [T1071] Initial Access β Phishing: Used a car advertisement to lure victims into downloading malware. βUsed a car advertisement to lure victims into downloading malware.β
- [T1203] Execution β Malicious File Execution: The malware was executed by tricking users into opening a disguised executable file. βMalicious File Execution: The malware was executed by tricking users into opening a disguised executable file.β
- [T1050] Persistence β Sideloading: Used a legitimate Windows calculator file to sideload the malicious DLL. βSideloading: Used a legitimate Windows calculator file to sideload the malicious DLL.β
- [T1071] Command and Control β Web Service: Used Webhook.site to host malicious content and facilitate command and control. βWeb Service: Used Webhook.site to host malicious content and facilitate command and control.β
Indicators of Compromise
- [File hash] context β cda936ecae566ab871e5c0303d8ff98796b1e3661885afd9d4690fc1e945640e, 7c85ff89b535a39d47756dfce4597c239ee16df88badefe8f76051b836a7cbfb, and 3 more hashes
- [File name] context β IMG-387470302099.jpg.exe, zqtxmo.bat
- [URL] hosting content β hxxps://webhook.site/66d5f9f9-a5eb-48e6-9476-9b6142b0c3ae, hxxps://webhook.site/d290377c-82b5-4765-acb8-454edf6425dd, and 1 more URL (e.g., i.ibb.co/vVSCr2Z/car-for-sale.jpg)
Read more: https://unit42.paloaltonetworks.com/fighting-ursa-car-for-sale-phishing-lure/