The Russian nation-state actor known as BlueBravo has been observed targeting diplomatic entities throughout Eastern Europe with the goal of delivering a new backdoor called GraphicalProton, exemplifying the continuous evolution of the threat.
The phishing campaign is characterized by the use of legitimate internet services (LIS) for command-and-control (C2) obfuscation, Recorded Future said in a new report published Thursday. The activity was observed between March and May 2023.
BlueBravo, also known by the names APT29, Cloaked Ursa, and Midnight Blizzard (formerly Nobelium), is attributed to Russia’s Foreign Intelligence Service (SVR), and has in the past used Dropbox, Firebase, Google Drive, Notion, and Trello to evade detection and stealthily establish communications with infected hosts.
To that end, GraphicalProton is the latest addition to a long list of malware targeting diplomatic organizations after GraphicalNeutrino (aka SNOWYAMBER), HALFRIG, and QUARTERRIG.
“Unlike GraphicalNeutrino, which used Notion for C2, GraphicalProton uses Microsoft’s OneDrive or Dropbox for communication,” the cybersecurity firm said.
This marks an attempt on the part of BlueBravo operators to not only diversify their tooling but also expand the portfolio of services misused for targeting organizations that are of strategic interest to the nation.
“BlueBravo appears to prioritize cyber espionage efforts against European government sector entities, possibly due to the Russian government’s interest in strategic data during and after the war in Ukraine.”
The new malware strain, like GraphicalNeutrino, functions as a loader and is staged within an ISO or ZIP file delivered via a phishing email bearing vehicle-themed lures, overlapping with an intrusion set reported by Palo Alto Networks Unit 42 earlier this month.
Shield Against Insider Threats: Master SaaS Security Posture Management
Worried about insider threats? We’ve got you covered! Join this webinar to explore practical strategies and the secrets of proactive security with SaaS Security Posture Management.
The ISO files contain .LNK files that masquerade as .PNG images of a BMW car that’s purportedly for sale, which, when clicked, leads to the deployment of GraphicalProton for follow-on exploitation. This is achieved by using Microsoft OneDrive as C2 and periodically polling a folder in the storage service to fetch additional payloads.
“It is imperative for network defenders to be aware of the possibility of the misuse of these services within their enterprise and to recognize instances in which they may be used in similar efforts to exfiltrate information,” researchers said.
The development comes as the Computer Emergency Response Team of Ukraine (CERT-UA) warned of ongoing phishing attacks undertaken by a group called UAC-0006 group, which the agency said is intensifying efforts to entice users into installing a backdoor known as SmokeLoader.