Hackers delivered a BMW stuffed with backdoors to Europe: a new tactic of the APT29 group

Cybercriminals are not limiting themselves to their existing tools and are expanding their arsenal.

Threat researchers from the company Recorded Future report that the BlueBravo group infects diplomatic institutions in Eastern Europe with a new backdoor "GraphicalProton". Activity was observed in the period from March to May 2023.

BlueBravo (APT29, Cloaked Ursa, Midnight Blizzard, Nobelium) has experience using Dropbox, Firebase, Google Drive, Notion, and Trello to establish Command and Control (C2) server communication with infected hosts and evade detection.

Previously, BlueBravo also used decoy documents to deliver GraphicalNeutrino (SNOWYAMBER) and QUARTERRIG malware loaders, as well as a CobaltStrike Beacon stager called HALFRIG. Unlike GraphicalNeutrino, which used Notion to establish communication with the C2 server, GraphicalProton uses Microsoft OneDrive or Dropbox.

Figure: BlueBravo attack chain

GraphicalProton is hosted in ISO or ZIP files delivered via phishing emails with car-related decoy documents. The ISO file contains an LNK file disguised as a PNG image of a BMW car that is supposedly for sale.

Figure: Sample decoy document advertising a car for sale

When the image is opened, the GraphicalProton backdoor is deployed for follow-on operations. The attackers are reported to use Microsoft OneDrive to communicate with the C2 server and to retrieve additional payloads.

In 2020, APT29 was linked to an attack on SolarWinds that targeted government organizations, corporations, and defense contractors in the United States and other countries. The campaign resulted in a leak of confidential information.