The BlueBravo group is infecting diplomatic institutions in Eastern Europe with a new backdoor named “GraphicalProton”, according to threat researchers at Recorded Future. The activity was observed between March and May 2023.
BlueBravo (also tracked as APT29, Cloaked Ursa, Midnight Blizzard and Nobelium) routes its command and control (C2) traffic through legitimate cloud services such as Dropbox, Firebase, Google Drive, Notion and Trello, so that communication between an infected host and the C2 server blends in with normal traffic and evades detection.
What is Known About the Malware
Previously, BlueBravo used decoy documents to distribute the Cobalt Strike Beacon stager known as HALFRIG and the GraphicalNeutrino (SNOWYAMBER) and QUARTERRIG malware loaders. Whereas GraphicalNeutrino used Notion to reach its C2 server, GraphicalProton uses Microsoft OneDrive or Dropbox.
GraphicalProton is delivered inside ISO or ZIP archives attached to phishing emails that use automobile-themed decoy documents. The ISO contains an LNK file disguised as a PNG image of a BMW car that is ostensibly for sale.
When the victim opens the supposed image, the LNK file launches the GraphicalProton backdoor, which the attackers then use for further exploitation. The researchers highlight that the backdoor contacts its C2 server through Microsoft OneDrive to retrieve additional payloads.
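The delivery chain above relies on a Windows shortcut that looks like an image. Windows Explorer hides the `.lnk` extension, so a file named `BMW.png.lnk` is shown as `BMW.png`. The following is an added example, not code from the original article or from Recorded Future, of a triage check a defender can run over the files extracted from a suspicious ISO or ZIP: it verifies the LNK file signature (the `4C 00 00 00` header length followed by the shell link CLSID `00021401-0000-0000-C000-000000000046`), flags double extensions that mimic images or documents, flags files whose extension disagrees with their content, and notes when the shortcut carries command-line arguments or a custom icon. The archive contents and the minimal LNK headers are constructed for the example and are not real samples.

```python
"""Triage extracted archive contents for shortcut (.lnk) files posing as images
or documents. Added example; the sample archive below is constructed."""
import struct
from typing import Dict, List

LNK_MAGIC = b"\x4c\x00\x00\x00"           # HeaderSize field, always 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
LNK_HEADER_LEN = 0x4C

# LinkFlags bits from the MS-SHLLINK specification
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40

# Extensions a shortcut is commonly disguised with
DECOY_EXTENSIONS = {"png", "jpg", "jpeg", "gif", "bmp", "pdf", "doc", "docx"}


def is_lnk(data: bytes) -> bool:
    """True when the bytes start with a valid shell link header."""
    return (len(data) >= LNK_HEADER_LEN
            and data[:4] == LNK_MAGIC
            and data[4:20] == LNK_CLSID)


def lnk_link_flags(data: bytes) -> int:
    """LinkFlags is the little-endian DWORD right after the CLSID (offset 20)."""
    return struct.unpack_from("<I", data, 20)[0]


def analyse(name: str, data: bytes) -> List[str]:
    """Return a list of findings for one archive entry (empty list = nothing suspicious)."""
    findings: List[str] = []
    parts = name.lower().rsplit("/", 1)[-1].split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    inner = parts[-2] if len(parts) > 2 else ""

    # "photo.png.lnk" is displayed by Explorer as "photo.png"
    if ext == "lnk" and inner in DECOY_EXTENSIONS:
        findings.append("lnk_disguised_as_" + inner)

    if is_lnk(data):
        if ext != "lnk":
            findings.append("lnk_content_with_." + ext + "_extension")
        flags = lnk_link_flags(data)
        if flags & HAS_ARGUMENTS:
            findings.append("lnk_has_arguments")
        if flags & HAS_ICON_LOCATION:
            findings.append("lnk_sets_custom_icon")
    elif ext == "lnk":
        findings.append("lnk_extension_without_lnk_header")
    return findings


def scan(entries: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Map each entry name to its findings, keeping only entries with findings."""
    result: Dict[str, List[str]] = {}
    for name, data in entries.items():
        findings = analyse(name, data)
        if findings:
            result[name] = findings
    return result


def make_lnk_header(link_flags: int) -> bytes:
    """Constructed minimal 76-byte LNK header for testing (not a working shortcut)."""
    header = LNK_MAGIC + LNK_CLSID + struct.pack("<I", link_flags)
    return header.ljust(LNK_HEADER_LEN, b"\x00")


# Constructed listing of an extracted decoy ISO, modelled on the lure described above
SAMPLE_ARCHIVE: Dict[str, bytes] = {
    "BMW_for_sale.png.lnk": make_lnk_header(HAS_ARGUMENTS | HAS_ICON_LOCATION),
    "photos/bmw_side.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 64,   # real PNG magic
    "price_list.pdf": make_lnk_header(0),                          # LNK bytes, PDF name
    "notes.txt": b"contact me for a test drive\n",
}

if __name__ == "__main__":
    for entry, found in scan(SAMPLE_ARCHIVE).items():
        print(f"{entry}: {', '.join(found)}")
```

Run it against the constructed listing and two entries are reported: the double-extension shortcut with arguments and a custom icon, and the `price_list.pdf` whose bytes are actually a shortcut header. Real triage should treat any shortcut in a mailed archive as suspect regardless of name; the checks here only prioritise what to look at first.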
APT29 has been linked to the 2020 SolarWinds supply-chain attack, which targeted US and international government agencies, businesses and defense contractors and resulted in the leak of private information.