Audi Q7 Car For Sale – But Malware Will be Delivered Instead of Car

by Esmeralda McKenzie

A Russian threat actor tracked as Fighting Ursa (also known as APT28, Fancy Bear, and Sofacy) has been observed in a new campaign that began in March 2024.

This campaign uses a fake car sale advertisement to distribute the HeadLace backdoor malware, primarily targeting diplomats. The campaign leverages legitimate services such as Webhook.site to host malicious URLs, making detection and mitigation more difficult.

The decoy image below advertises a car for sale, specifically an Audi Q7 Quattro SUV. This fake advertisement is titled “Diplomatic Car For Sale.”


This campaign is attributed to Fighting Ursa with medium to high confidence, based on the tactics, techniques, and procedures (TTPs) observed and on the use of the HeadLace backdoor, which is unique to this threat actor. The group is known for using public and free services to host various stages of its attacks and for repurposing techniques that have worked before.

Per the Unit 42 report, “The image offers different views of the vehicle. The image also contains contact details that are likely fake, as well as a phone number based in Romania. In some way, the image also lists the point of contact as the Southeast European Law Enforcement Center, possibly to lend this fake advertisement more credibility.”

Initial Infection Process

The infection chain begins with a URL hosted on Webhook.site, a legitimate service used to create randomized URLs for automation purposes. The malicious URL was submitted to VirusTotal on March 14, 2024.

The HTML page hosted on Webhook.site checks whether the visiting system is Windows-based and redirects non-Windows systems to a decoy image hosted on ImgBB, another legitimate service.

The HTML page then builds a ZIP archive from Base64 text embedded in the HTML, offers it for download, and attempts to open it using JavaScript. The ZIP file, named IMG-387470302099.zip, contains three files: IMG-387470302099.jpg.exe, WindowsCodecs.dll, and zqtxmo.bat.


The file IMG-387470302099.jpg.exe uses a double extension to disguise itself as an image file. It is a copy of the legitimate Windows calculator utility (calc.exe) and is used to sideload the included DLL file, WindowsCodecs.dll, which is part of the HeadLace backdoor.

The DLL file contains a function that executes the batch file zqtxmo.bat, which launches Microsoft Edge to run Base64-encoded content. This content is a hidden iframe that retrieves additional files from another Webhook.site URL. The batch file then saves this content as IMG387470302099.jpg, moves it to the %programdata% directory, renames it to IMG387470302099.cmd, and executes it before deleting itself to cover its tracks.
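As an added example (not code from the article or from Unit 42), the following Python triage routine applies the delivery pattern described above to a ZIP archive: it flags members that hide an executable behind an image extension, reports whether the archive carries the executable, DLL and batch-file combination used for the sideload, and matches member hashes against the SHA-256 values in this page's IoC list. The sample archive it builds is constructed with the reported file names but dummy contents, so the hash check will not fire on it.

```python
import hashlib
import io
import zipfile

# SHA-256 values of the three ZIP members, taken from the IoC list on this page.
KNOWN_BAD_SHA256 = {
    "c6a91cba00bf87cdb064c49adaac82255cbec6fdd48fd21f9b3b96abf019916b": "calc.exe copy (IMG-387470302099.jpg.exe)",
    "6b96b991e33240e5c2091d092079a440fa1bef9b5aecbf3039bf7c47223bdf96": "WindowsCodecs.dll (HeadLace)",
    "a06d74322a8761ec8e6f28d134f2a89c7ba611d920d080a3ccbfac7c3b61e2e7": "zqtxmo.bat",
}
IMAGE_EXTS = {"jpg", "jpeg", "png", "gif", "bmp"}
EXEC_EXTS = {"exe", "scr", "com"}


def triage_zip(data: bytes) -> dict:
    """Inspect a ZIP blob for the HeadLace delivery pattern described above.

    Constructed heuristic (not a signature from the report): double extensions,
    the executable + DLL + batch trio used for DLL sideloading, and IoC hash hits.
    """
    findings = {"hash_hits": [], "double_extension": [], "sideload_triad": False}
    seen_exts = set()
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            basename = info.filename.rsplit("/", 1)[-1].lower()
            parts = basename.split(".")  # "img-1.jpg.exe" -> ["img-1", "jpg", "exe"]
            ext = parts[-1] if len(parts) > 1 else ""
            seen_exts.add(ext)
            # Image extension immediately followed by an executable extension.
            if len(parts) >= 3 and parts[-2] in IMAGE_EXTS and ext in EXEC_EXTS:
                findings["double_extension"].append(info.filename)
            digest = hashlib.sha256(zf.read(info)).hexdigest()
            if digest in KNOWN_BAD_SHA256:
                findings["hash_hits"].append((info.filename, KNOWN_BAD_SHA256[digest]))
    findings["sideload_triad"] = (
        bool(seen_exts & EXEC_EXTS) and "dll" in seen_exts and "bat" in seen_exts
    )
    return findings


def build_sample_zip() -> bytes:
    """Constructed stand-in for IMG-387470302099.zip: real member names, dummy bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("IMG-387470302099.jpg.exe", b"not-really-calc")
        zf.writestr("WindowsCodecs.dll", b"not-really-a-dll")
        zf.writestr("zqtxmo.bat", b"rem constructed placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_zip(build_sample_zip()))
```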

Fighting Ursa continues to evolve its techniques, leveraging legitimate web services for malicious purposes. Continuous vigilance and up-to-date security measures are essential to protect against such sophisticated threats.


Indicators of Compromise

HTML page hosted on Webhook.site with decoy image and payload ZIP file:

  • cda936ecae566ab871e5c0303d8ff98796b1e3661885afd9d4690fc1e945640e

Car-for-sale image lure:

  • 7c85ff89b535a39d47756dfce4597c239ee16df88badefe8f76051b836a7cbfb

ZIP file containing calc.exe, malicious DLL and BAT file:

  • dad1a8869c950c2d1d322c8aed3757d3988ef4f06ba230b329c8d510d8d9a027

Legitimate calc.exe abused to sideload the malicious DLL:

  • c6a91cba00bf87cdb064c49adaac82255cbec6fdd48fd21f9b3b96abf019916b

Malicious file named WindowsCodecs.dll sideloaded by calc.exe:

  • 6b96b991e33240e5c2091d092079a440fa1bef9b5aecbf3039bf7c47223bdf96

Batch file named zqtxmo.bat executed by the above malicious DLL:

  • a06d74322a8761ec8e6f28d134f2a89c7ba611d920d080a3ccbfac7c3b61e2e7

URLs that hosted content for this campaign:

  • hxxps[:]//webhook[.]site/66d5b9f9-a5eb-48e6-9476-9b6142b0c3ae
  • hxxps[:]//webhook[.]site/d290377c-82b5-4765-acb8-454edf6425dd
  • hxxps[:]//i.ibb[.]co/vVSCr2Z/car-for-sale.jpg

Source credit : cybersecuritynews.com
