Prime Minister’s Office Compromised
Details of Recent Espionage Campaign
Details of Recent Espionage Campaign
A special thanks to Christiaan Beek, Alexandre Mundo, Leandro Velasco and Max Kersten for malware analysis and support during this investigation.
The Trellix Advanced Threat Research Team identified a multi-stage espionage campaign targeting high-ranking government officials overseeing national security policy and individuals in the defence industry in Western Asia. As they detail the technical components of this attack, they confirm that they’ve undertaken pre-release disclosure to the victims and provided all necessary content required to remove all known attack components from their environments.
The infection chain starts with the execution of an Excel downloader, most likely sent to the victim via email, which exploits an MSHTML remote code execution vulnerability (CVE-2021-40444) to execute a malicious executable in memory. The attack uses a follow-up piece of malware called Graphite because it uses Microsoft’s Graph API to leverage OneDrive as a command and control server—a technique our team has not seen before. Furthermore, the attack was split into multiple stages to stay as hidden as possible.
Command and control functions used an Empire server that was prepared in July 2021, and the actual campaign was active from October to November 2021. The below blog will explain the inner workings, victimology, infrastructure and timeline of the attack and, of course, reveal the IOCs and MITRE ATT&CK techniques.
A number of the attack indicators and apparent geopolitical objectives resemble those associated with the previously uncovered threat actor APT28. While we don’t believe in attributing any campaign solely based on such evidence, we have a moderate level of confidence that our assumption is accurate. That said, we are supremely confident that we are dealing with a very skilled actor based on how infrastructure, malware coding and operation were setup.
For more details of the Threat you can read the article in full on the Trellix website.
Introducing McAfee Business Protection
Help SecOps relax with simpler security.
Key insights presented by Trellix Threat Labs.
Get all of the Azure migration tools and guidance you need to plan and implement your move to the cloud – and track your progress using a central dashboard that provides intelligent insights.
Watch VideoLet us know what you think about the article.
Let us know what you’re interested in and the issues that matter to you.