German Embassy Lure: Likely Part of Campaign Against NATO Aligned Ministries of Foreign Affairs

EclecticIQ analyzes a campaign targeting NATO-aligned ministries of foreign affairs, where PDFs impersonating the German embassy deliver a Duke malware variant via HTML smuggling and DLL sideloading, with Zulip used as a covert C2 channel. This operation is attributed to APT29, leveraging sophisticated obfuscation and LOLBIN techniques to evade detection. #APT29 #Duke #Zulip #GermanEmbassyLure

Keypoints

  • Two malicious PDFs masquerade as German embassy documents inviting recipients, delivering a multi-stage payload and a Duke variant.
  • One lure also functions as a test/reconnaissance document, notifying the actor if opened, without delivering a payload.
  • The campaign uses HTML smuggling to deliver a ZIP containing a malicious HTML Application (HTA), which ultimately deploys Duke via DLL sideloading.
  • DLL sideloading is used to execute Duke: the HTA drops AppVIsvSubsystems64.dll, Mso.dll, and Msoev.exe into C:\Windows\Tasks to enable execution.
  • The Duke variant exhibits anti-analysis and evasion techniques: Windows API hashing and XOR-encrypted strings hide API calls and data.
  • Zulip is used for C2, blending with legitimate web traffic and sending victim details to a threat actor-controlled chat room.
  • Attribution ties the activity to APT29 (Cozy Bear/Nobelium) with broader OSINT linking to Russian SVR and previous Duke campaigns.

MITRE Techniques

  • [T1566.001] Spearphishing Attachment – Two observed PDFs masquerade as coming from the German embassy and contained two diplomatic invitation lures. ‘The two observed PDF documents masquerade as coming from the German embassy, and contained two diplomatic invitation lures.’
  • [T1574.002] DLL Side-Loading – DLL Sideloading Abused to Execute Duke Variant Malware. ‘After execution, the HTA file will drop the three executables into the C:\Windows\Tasks directory for DLL Sideloading: AppVIsvSubsystems64.dll … Mso.dll … Msoev.exe.’
  • [T1027.006] HTML Smuggling – HTML Smuggling used to deliver a ZIP file that contained a malicious HTML Application (HTA). ‘Invitation_Farewell_DE_EMB is an HTML file. Through HTML smuggling, the threat actor delivered a ZIP file that contained a malicious HTML Application (HTA).’
  • [T1027.009] Embedded Payloads – The zipped HTA file eventually delivers a Duke malware variant. ‘The zipped HTA file eventually delivers a Duke malware variant (Figure 4).’
  • [T1027.007] Dynamic API Resolution – Windows API hashing to hide the names of the Windows API function calls. ‘Windows API hashing to hide the names of the Windows API function calls.’
  • [T1218.005] System Binary Proxy Execution: Mshta – HTA via mshta.exe. ‘…delivers a DLL Sideloading …’ and ‘mshta.exe [4]’
  • [T1071.001] Application Layer Protocol: Web Protocols – C2 over Zulip chat service to blend with web traffic. ‘Zulip is an open-source chat application … used for command-and-control, to evade and hide its activities behind legitimate web traffic.’
  • [T1204.002] User Execution: Malicious File – User execution of the PDF/HTA leads to payload delivery. ‘User execution of the PDF lure document’ (implied by the phishing process).
  • [T1584.006] Compromise Infrastructure: Web Services – C2 communication via Zulip (web services) to blend with legitimate traffic. ‘The threat actor used Zulip – an open-source chat application – for command-and-control, to evade and hide its activities behind legitimate web traffic.’

Indicators of Compromise

  • [File Hash] PDF lure – Fc53c75289309ffb7f65a3513e7519eb, 50f57a4a4bf2c4b504954a36d48c99e7
  • [Domain] C2 Servers – toyy.zulipchat.com, sgrhf.org.pk, edenparkweddings.com
  • [File Hash] Duke malware variant – 0be11b4f34ede748892ea49e473d82db, 5e1389b494edc86e17ff1783ed6b9d37, d817f36361f7ac80aba95f98fe5d337d
  • [File Name] PDF lure attachments – Invitation.pdf, Invitation_Farewell_DE_EMB.html
  • [File Name] Duke-related binaries – Msoev.exe, Mso.dll, AppVIsvSubsystems64.dll
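As an added defender-side example (not code from the EclecticIQ report), the script below turns the keypoints and the IoC list into detection logic run over constructed Sysmon-style records: the three sideloading binaries written to C:\Windows\Tasks, an HTA launched through mshta.exe from a user-writable path, a process executing out of the drop directory, a known Duke MD5, and a DNS query for one of the listed C2 domains. The key=value log format, the field names, and the host and user names in the sample are assumptions; the file names, hashes and domains come from the report.

```python
"""Detection sketch for the German-embassy-lure tradecraft (added example).

The log format (key=value pairs, one event per line) and the field names are
assumed for illustration; they are not any vendor's telemetry schema.
"""
import re
from collections import defaultdict

# IoCs taken from the report's indicator list.
SIDELOAD_TRIAD = {"msoev.exe", "mso.dll", "appvisvsubsystems64.dll"}
C2_DOMAINS = {"toyy.zulipchat.com", "sgrhf.org.pk", "edenparkweddings.com"}
DUKE_HASHES = {
    "0be11b4f34ede748892ea49e473d82db",
    "5e1389b494edc86e17ff1783ed6b9d37",
    "d817f36361f7ac80aba95f98fe5d337d",
}
DROP_DIR = r"c:\windows\tasks"                      # directory named in the report
USER_WRITABLE = ("\\downloads\\", "\\temp\\", "\\appdata\\")

# Constructed sample telemetry (assumed format). WS01 is the infected host,
# WS02 shows benign look-alike activity that must not alert.
SAMPLE_LOG = r"""
event=FileCreate host=WS01 image=C:\Windows\System32\mshta.exe target=C:\Windows\Tasks\AppVIsvSubsystems64.dll
event=FileCreate host=WS01 image=C:\Windows\System32\mshta.exe target=C:\Windows\Tasks\Mso.dll
event=FileCreate host=WS01 image=C:\Windows\System32\mshta.exe target=C:\Windows\Tasks\Msoev.exe
event=ProcessCreate host=WS01 image=C:\Windows\System32\mshta.exe parent=C:\Windows\explorer.exe cmdline="mshta.exe C:\Users\a\Downloads\invite.hta"
event=ProcessCreate host=WS01 image=C:\Windows\Tasks\Msoev.exe parent=C:\Windows\System32\mshta.exe md5=0be11b4f34ede748892ea49e473d82db cmdline="C:\Windows\Tasks\Msoev.exe"
event=DnsQuery host=WS01 image=C:\Windows\Tasks\Msoev.exe query=toyy.zulipchat.com
event=FileCreate host=WS02 image=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE target=C:\Program Files\Microsoft Office\root\Office16\Mso.dll
event=DnsQuery host=WS02 image=C:\Users\b\AppData\Local\slack\slack.exe query=slack.com
"""

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_record(line):
    """Parse one key=value line; quoted values may contain spaces."""
    return {k: (quoted or bare) for k, quoted, bare in KV_RE.findall(line)}


def parse_log(text):
    return [parse_record(ln) for ln in text.splitlines() if ln.strip()]


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def dirname(path):
    return path.replace("/", "\\").rsplit("\\", 1)[0].lower()


def detect(records):
    """Return (host, technique, description) alerts for the report's observables."""
    alerts = []
    tasks_drops = defaultdict(set)              # host -> triad file names seen
    for r in records:
        ev, host = r.get("event"), r.get("host", "?")
        if ev == "FileCreate":
            tgt = r.get("target", "")
            if dirname(tgt) == DROP_DIR and basename(tgt) in SIDELOAD_TRIAD:
                tasks_drops[host].add(basename(tgt))
        elif ev == "ProcessCreate":
            img, cmd = r.get("image", "").lower(), r.get("cmdline", "").lower()
            if basename(img) == "mshta.exe" and ".hta" in cmd \
                    and any(p in cmd for p in USER_WRITABLE):
                alerts.append((host, "T1218.005", f"mshta.exe ran an HTA from a user-writable path: {cmd}"))
            if dirname(img) == DROP_DIR:
                alerts.append((host, "T1574.002", f"process launched from {DROP_DIR}: {img}"))
            if r.get("md5", "").lower() in DUKE_HASHES:
                alerts.append((host, "Duke", f"known Duke variant hash executed: {r['md5']}"))
        elif ev == "DnsQuery":
            q = r.get("query", "").lower()
            if q in C2_DOMAINS:
                alerts.append((host, "T1071.001", f"DNS query for listed C2 domain {q} by {r.get('image')}"))
    # The sideloading triad is only meaningful when all three files land together.
    for host, names in tasks_drops.items():
        if names == SIDELOAD_TRIAD:
            alerts.append((host, "T1574.002", "Duke sideloading triad written to C:\\Windows\\Tasks"))
    return alerts


if __name__ == "__main__":
    for host, technique, desc in detect(parse_log(SAMPLE_LOG)):
        print(f"[{host}] {technique}: {desc}")
```

The triad check is keyed on the directory, not just the file names, which is why the legitimate Mso.dll written under the Office installation on WS02 does not fire; the same idea (a signed or expected binary appearing in a directory it does not belong in) generalises to other sideloading drop locations.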

Read more: https://blog.eclecticiq.com/german-embassy-lure-likely-part-of-campaign-against-nato-aligned-ministries-of-foreign-affairs