Because hidden files and extensions are hidden by default in Windows, the user may open the malicious payload because they see the ZIP file as an image. By blending in with genuine developer activity, fraudulent URLs become more difficult to detect when using free services. Several APT outfits are starting to use this covert strategy as a trend.

A new version of the X-Agent backdoor malware is being employed in this campaign, giving the attackers the ability to exfiltrate data, execute arbitrary commands, and move laterally within the infected network. Researchers advise all critical infrastructure operators and Polish government entities to exercise caution and put security measures in place.

The highly skilled cyber-espionage group APT28 is thought to be connected to the Russian military intelligence organization GRU. Active since at least 2007, the group has been connected to multiple high-profile attacks, including the 2017 NotPetya ransomware outbreak and the 2016 Democratic National Committee email breach.

This most recent campaign serves as a reminder of the ongoing threat posed by state-sponsored APT groups and the significance of keeping up strong cybersecurity defenses, particularly for vital infrastructure and government networks.

Impact

• Unauthorized Access
• Data Exfiltration
• Command Execution
• Cyber Espionage

Indicators of Compromise

Remediation

• Block all threat indicators at your respective controls.
• Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
• Perform comprehensive security audits on the email server infrastructure to identify and address any potential weaknesses. This includes reviewing server configurations, access controls, and encryption protocols to ensure they meet industry best practices.
• Emails from unknown senders should always be treated with caution. Never trust or open links and attachments received from unknown sources/senders.
• Enable 2FA for user accounts on the email server to add an extra layer of security. This prevents unauthorized access even if usernames and passwords are compromised.
• Maintain cyber hygiene by updating your anti-virus software and implementing a patch management lifecycle.
• Implement network segmentation to isolate critical systems and sensitive data from the rest of the network. This limits the lateral movement of attackers in case of a breach and reduces the impact of potential future attacks.
• Implement a regular backup strategy for email servers and critical data. Ensure that backups are stored securely and regularly tested for data restoration.
• Apply the latest security patches and updates to the email server software and associated components to address any vulnerabilities that may have been exploited by APT28. Also, prioritize patching known exploited vulnerabilities and zero-days.