Analysis

The Russia-linked threat actor known as APT29 targeted European diplomatic missions and Ministries of Foreign Affairs in a series of spear-phishing campaigns, then dropped additional malware to gather information about the compromised hosts and other machines on the same network.

The spear-phishing attacks commenced with a COVID-19-themed phishing email impersonating the Iranian Ministry of Foreign Affairs and containing an HTML attachment that, when opened, prompts the recipients to open or save what appears to be an ISO disk image file (“Covid.iso”).

If the victim opts to open or download the file, “a small piece of JavaScript decodes the ISO file, which is embedded directly in the HTML attachment.” The disk image file, in turn, includes an HTML application that’s executed using mshta.exe to run a piece of PowerShell code that ultimately loads the Cobalt Strike Beacon onto the infected system.
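The delivery step above is the HTML smuggling pattern: the ISO never crosses the mail gateway as a file, it is carried as text inside the HTML and rebuilt by JavaScript in the browser. A mail-gateway check therefore has to look inside HTML attachments for large base64 blobs and decode them. The script below is an added example, not code from the original report or from any vendor; it constructs its own minimal stand-in ISO (just enough sectors to carry the ISO 9660 `CD001` signature at byte offset 0x8001), wraps it in a constructed HTML attachment mimicking the decode-and-save pattern described above, and then scans that attachment. The marker list, the 512-character threshold and the verdict labels are assumptions chosen for this example.

```python
"""Detect an HTML-smuggled ISO image inside an HTML email attachment (added example)."""
import base64
import binascii
import re

ISO_SIGNATURE_OFFSET = 0x8001      # sector 16 * 2048 bytes + 1-byte descriptor type
ISO_SIGNATURE = b"CD001"           # ISO 9660 volume descriptor identifier
# Runs of base64 alphabet long enough to be a file rather than a token (assumed threshold).
B64_RE = re.compile(r"[A-Za-z0-9+/]{512,}={0,2}")
# JavaScript calls typically needed to turn text back into a downloadable file (assumed list).
SMUGGLING_MARKERS = ("atob(", "new Blob(", "msSaveOrOpenBlob", "createObjectURL", ".download")


def build_fake_iso() -> bytes:
    """Constructed stand-in for an ISO: 17 zeroed sectors with a valid primary volume descriptor header."""
    image = bytearray(17 * 2048)
    image[0x8000] = 1  # descriptor type 1 = primary volume descriptor
    image[ISO_SIGNATURE_OFFSET:ISO_SIGNATURE_OFFSET + len(ISO_SIGNATURE)] = ISO_SIGNATURE
    return bytes(image)


def build_smuggling_html(iso_bytes: bytes, filename: str = "Covid.iso") -> str:
    """Constructed attachment: base64 ISO embedded in the page and decoded by a few lines of JavaScript."""
    payload = base64.b64encode(iso_bytes).decode()
    return (
        "<html><body><p>COVID-19 update</p><script>\n"
        'var payload = "' + payload + '";\n'
        "var bytes = Uint8Array.from(atob(payload), function (c) { return c.charCodeAt(0); });\n"
        'var blob = new Blob([bytes], { type: "application/octet-stream" });\n'
        "if (window.navigator.msSaveOrOpenBlob) {\n"
        '  window.navigator.msSaveOrOpenBlob(blob, "' + filename + '");\n'
        "} else {\n"
        '  var a = document.createElement("a");\n'
        "  a.href = window.URL.createObjectURL(blob);\n"
        '  a.download = "' + filename + '";\n'
        "  a.click();\n"
        "}\n</script></body></html>"
    )


def looks_like_iso(data: bytes) -> bool:
    """True when the decoded blob carries the ISO 9660 signature at the standard offset."""
    end = ISO_SIGNATURE_OFFSET + len(ISO_SIGNATURE)
    return len(data) >= end and data[ISO_SIGNATURE_OFFSET:end] == ISO_SIGNATURE


def scan_html_attachment(html: str) -> dict:
    """Report decode/save markers and every embedded base64 payload, with a simple verdict."""
    markers = [m for m in SMUGGLING_MARKERS if m in html]
    payloads = []
    for match in B64_RE.finditer(html):
        try:
            blob = base64.b64decode(match.group(0), validate=True)
        except binascii.Error:
            continue  # long alphanumeric run that is not valid base64 (e.g. a hash or token)
        payloads.append({"offset": match.start(), "size": len(blob), "is_iso": looks_like_iso(blob)})
    if markers and any(p["is_iso"] for p in payloads):
        verdict = "iso_smuggled"
    elif markers or payloads:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"markers": markers, "payloads": payloads, "verdict": verdict}


if __name__ == "__main__":
    report = scan_html_attachment(build_smuggling_html(build_fake_iso()))
    print(report["verdict"], report["markers"], [p["size"] for p in report["payloads"]])
```

The check deliberately decodes the blob and tests for the ISO 9660 signature rather than relying on the `.iso` filename, because the filename only exists inside the script. It covers the plain form described in the report; an attachment that splits or obfuscates the base64 string would fall through to the `suspicious` verdict on the JavaScript markers alone, which is why gateways that cannot render HTML often block or detonate any HTML attachment carrying those markers.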

Affected Parties

  • European diplomatic missions
  • Ministries of Foreign Affairs

Mitigation

  1. Quarantine suspicious emails.
  2. Bring password security under control (e.g. enforce 2FA).
  3. Avoid installing third-party software.
  4. Keep software patched and updated.
  5. Perform regular system backups.

Reference

  1. https://thehackernews.com/2022/02/russian-apt-hackers-used-covid-19-lures.html