
NYSIC CAU Pass-Through: Unit 42 Malware Threat Alert – (TLP CLEAR) Fighting Ursa Luring Targets With Car for Sale

From: cau@nysic.ny.gov
Date: August 2, 2024 at 2:15:41 PM EDT
To: Seb Formoso <Seb.Formoso@cuny.edu>
Subject: NYSIC CAU Pass-Through: Unit 42 Malware Threat Alert – (TLP CLEAR) Fighting Ursa Luring Targets With Car for Sale


 TLP: CLEAR
Recipients can spread this to the world, there is no limit on disclosure. Sources may use TLP:CLEAR when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:CLEAR information may be shared without restriction.

Summary: APT28 (aka Fancy Bear, tracked as Fighting Ursa by Unit 42 researchers) is distributing its Headlace malware via advertisements for a used diplomatic car for sale. This is the latest evolution of a proven attack vector: repackaging variants of phishing lures into targeted delivery chains that leverage publicly hosted services.

NYSIC CAU Analyst Note: APT28 and APT29 (Cozy Bear, aka Cloaked Ursa) have both used phishing lures aimed at government entities in Eastern Europe and NATO nations. Novel lures have included luxury diplomatic cars for sale, memorandums and press releases on the Israel-Hamas conflict, and funding authorizations related to the Haitian earthquake. Russian APTs start from real documents before embedding the Headlace malware, which increases the credibility of the lure. Geolocation restrictions in previous Headlace campaigns limited infections to United Nations Human Rights Council member states. The evolution of these lures makes clicking open-source links to materials relevant to government business risky. A trusted third party has published a YARA rule for the Headlace malware itself, so the payload can be detected regardless of which phishing lure delivers it.

Indicators of Compromise: The Indicators of Compromise (IOCs) related to this Malware Threat Alert are listed below and can aid in network defense. Please ensure this information is communicated to the appropriate technical personnel within your agency. For your convenience, the attached YARA rule file also includes a plain-text copy of the rule for copy-and-paste use, and the hash values and IP addresses obtained from a trusted third party are listed below. The full document from Unit 42 is attached.


Hash Values (SHA-256):

a0a67412968c10224e04bfbe32e6012b34e4a4ecc36fc72332101b90acec8fa4
d5eb88c1fe88e274a9212ff6647e8220f1bfbc250e0e891f60ea8a28afc9b19c
8cc664ff412fc80485d0af61fb0617f818d37776e5a06b799f74fe0179b31768
2f498a25049f89a809550a11e379912ac053eba881470ddd3a4e2b487a31c2d0
d9be3235d7236ff66c871d4070b98fd0fe46319d0ef04047c1ab4e8c7254d8a5
07c06492d3252236579097d5b114bbbea2173255b017fb26df7217ea986d6d10
54a27464c7ad7f2e32cd123b27c0f9082590cd5ba48526bf00728e8107048f48
bbe435a3f0adb1ef4810d22ed74f5eba8907201cba01230b8c98dbe5963e11a8
d712744a128b22a0919ecde2508bbfeffa33a61870a941c424e8b301183c44fe
555eafd28474cf01b5eea4648ec6b417d08d17aba151c5592c8843672812cffa
6c0658ac52ca6eb315ab8b6b702a9e24d02d58f24d6d6feb55716b0c05252e51
8dba6356fdb0e89db9b4dad10fdf3ba37e92ae42d55e7bb8f76b3d10cd7a780c
0a5109479620c4c567928680f8e4be685a74e4b31efaa98811f3b54992697e2d
12d98b5c513fe9668661e3fdabb93f595a82a81554f28fbd84658de0aab2a929
f70c4f5f417b7360a9edb493ac2bc982bc59a18eee064825c859ad889b0be167
7ec80bd3469656f3d8d406a64097d2f0b2bbd1fd0e49f260ae7b28524470c0fe
763d47f16a230f7c2d8c135b30535a52d66a1ed210596333ca1c3890d72e6efc
b0604f58c55fdba4c4381e411689b29c031dbce3fb16c656a6b5fadb578deb76
2f1c2afdf17831e744841029bb5d5a3ea9fda569958303be03e50fb3a764913f
f9f8ca7fa979766c168d7162df572f3549c7af2e707e5a5ac8e06bd352bb7399


IP Addresses (defanged with "[.]"):

3[.]80[.]9[.]137
37[.]191[.]122[.]186
174[.]53[.]242[.]108
68[.]76[.]150[.]97
73[.]80[.]9[.]137
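The IOCs above are published defanged and as bare hex, so they have to be normalized before they can be matched against proxy logs or file-hash inventories. The following script is an added example written for this page; it is not part of the NYSIC or Unit 42 alert, and the proxy log lines and sha256sum listing in it are constructed sample data, not real telemetry. Only the first four hashes from the list are embedded to keep the block short; paste the full list into HASH_IOCS_RAW for real use. It also shows a check a practitioner should make with this particular list: 3.80.9.137 is a suffix of 73.80.9.137, so a naive substring search over-matches, while whole-token matching does not.

```python
"""Normalize the alert's hash and IP IOCs and match them against local artifacts.

Added example, not code from the NYSIC/Unit 42 alert. IOC values are copied
from the alert above (hash list abbreviated); sample log and hash listing
below are constructed, not real telemetry.
"""
import ipaddress
import re

# IOCs as published in the alert: bare SHA-256 hex and "[.]"-defanged IPv4.
HASH_IOCS_RAW = """
a0a67412968c10224e04bfbe32e6012b34e4a4ecc36fc72332101b90acec8fa4
d5eb88c1fe88e274a9212ff6647e8220f1bfbc250e0e891f60ea8a28afc9b19c
8cc664ff412fc80485d0af61fb0617f818d37776e5a06b799f74fe0179b31768
2f498a25049f89a809550a11e379912ac053eba881470ddd3a4e2b487a31c2d0
"""
IP_IOCS_RAW = """
3[.]80[.]9[.]137
37[.]191[.]122[.]186
174[.]53[.]242[.]108
68[.]76[.]150[.]97
73[.]80[.]9[.]137
"""

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
# An IPv4 token must not be preceded or followed by a digit or dot, so that
# "73.80.9.137" is one token and never also yields "3.80.9.137".
IPV4_TOKEN_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")


def refang_ip(defanged):
    """'3[.]80[.]9[.]137' -> '3.80.9.137', validated as an IPv4 address."""
    candidate = defanged.strip().replace("[.]", ".").replace("(.)", ".")
    return str(ipaddress.IPv4Address(candidate))  # ValueError on malformed input


def load_hash_iocs(raw):
    """Lowercase the digests and reject anything that is not 64 hex characters."""
    hashes = set()
    for token in raw.split():
        h = token.lower()
        if not SHA256_RE.match(h):
            raise ValueError("not a SHA-256 hex digest: %r" % token)
        hashes.add(h)
    return hashes


def load_ip_iocs(raw):
    return {refang_ip(token) for token in raw.split()}


def ip_hits(log_lines, ip_iocs):
    """(line_no, ip) for every whole IPv4 token in a log line that is an IOC."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        for ip in IPV4_TOKEN_RE.findall(line):
            if ip in ip_iocs:
                hits.append((n, ip))
    return hits


def naive_substring_hits(log_lines, ip_iocs):
    """The mistake to avoid: plain substring search over-matches on overlapping IOCs."""
    return [(n, ioc) for n, line in enumerate(log_lines, 1)
            for ioc in sorted(ip_iocs) if ioc in line]


def hash_hits(sha256sum_output, hash_iocs):
    """Parse sha256sum-style lines ('<hex>  <path>'); return paths whose digest is an IOC."""
    hits = []
    for line in sha256sum_output.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].lower() in hash_iocs:
            hits.append(parts[1].strip())
    return hits


# Constructed sample data (not real telemetry). Line 1 contacts 73.80.9.137,
# line 3 contacts 37.191.122.186; line 2 is benign.
SAMPLE_PROXY_LOG = [
    "2024-08-02T14:20:11Z user=jdoe dst=73.80.9.137:443 action=allow",
    "2024-08-02T14:21:02Z user=jdoe dst=93.184.216.34:443 action=allow",
    "2024-08-02T14:22:40Z user=asmith dst=37.191.122.186:80 action=allow",
]
# Constructed sha256sum output; the second digest is a placeholder, not a real file hash.
SAMPLE_SHA256SUM = """\
a0a67412968c10224e04bfbe32e6012b34e4a4ecc36fc72332101b90acec8fa4  /home/jdoe/Downloads/car_for_sale.zip
0000000000000000000000000000000000000000000000000000000000000000  /home/jdoe/Downloads/notes.txt
"""

if __name__ == "__main__":
    ips = load_ip_iocs(IP_IOCS_RAW)
    hashes = load_hash_iocs(HASH_IOCS_RAW)
    print("token IP hits:      ", ip_hits(SAMPLE_PROXY_LOG, ips))
    print("naive substring hits:", naive_substring_hits(SAMPLE_PROXY_LOG, ips))
    print("hash hits:          ", hash_hits(SAMPLE_SHA256SUM, hashes))
```

To run it against real data, feed `ip_hits` the lines of a proxy or firewall export and `hash_hits` the output of `sha256sum` (or an EDR hash inventory in the same two-column form). Validating each hash against the 64-hex-character pattern before matching catches truncated or mis-copied digests, which would otherwise silently never match.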


Any New York State Government Non-Executive Agency as well as critical infrastructure partners may contact the New York State Division of Homeland Security and Emergency Services Cyber Incident Response Team (DHSES CIRT) for assistance if suspicious activity is detected in their environment: 1-844-OCT-CIRT (1-844-628-2478).

Author: Unit 42 Palo Alto Networks

This information has been disseminated to:

NYSIC CAU Contacts – OCT-CIP
NYSIC CAU Contacts – ITS EISO
NYSIC CAU Contacts – DHSES CIRT
NYSIC CAU Contacts – County ISOs
NYSIC CAU Contacts – CPWG
NYSIC CAU Contacts – SLTT
NYSIC CAU Contacts – Critical Infrastructure (All)

For more information, please contact the NYSIC Cyber Analysis Unit at (518) 786-2191 or CAU@nysic.ny.gov.

NYSIC CAU DISCLAIMER:
These reports are provided “as is” for informational purposes only. The New York State Intelligence Center (NYSIC) does not provide any warranties of any kind regarding any information contained within. The NYSIC does not endorse any commercial product or service referenced in these reports or otherwise. Further dissemination of these reports is governed by the following:

TLP: CLEAR

CONFIDENTIALITY NOTICE: This e-mail, including any attachments, may contain highly sensitive and confidential information. It is intended only for the individual(s) named. If you received this e-mail in error or from someone who was not authorized to send it to you, do not disseminate, copy or otherwise use this e-mail or its attachments. Please notify the sender immediately by reply e-mail and delete the e-mail from your system.
