Hackers Use Zulip Chat App for Covert C&C in Diplomatic Phishing Attacks
Hackers Use Zulip Chat App for Covert C&C in Diplomatic Phishing Attacks

Image: Nahel Abdul Hadi (unsplash)

An ongoing campaign targeting foreign affairs ministries of certain Western-aligned countries indicates the involvement of specific threat actors.

The phishing attacks deploy PDF documents with diplomatic lures, some masquerading as originating from European nations, to deliver a variant of malware known as Duke. This malware has several names like BlueBravo, Cloaked Ursa, Cozy Bear, Iron Hemlock, Midnight Blizzard, and The Dukes.

The threat actor utilized Zulip – an open-source chat application – for command-and-control, camouflaging its operations behind genuine web traffic, as per insights provided by the Dutch tech firm EclecticIQ.

The contamination sequence is specific: An attached PDF, titled “Farewell to Ambassador of a European Country,” harbors embedded JavaScript code, starting a multi-level operation to release the malware.

Previously, APT29’s theme-based invitational tactics were noted by Lab52, outlining an assault mimicking a Scandinavian embassy. This attack delivered a DLL payload capable of contacting an external server to receive more payloads.

The domain “[.]bs” seen in both intrusion instances further emphasizes the connection.

If a prospective victim falls for the trap and opens the PDF, a harmful HTML dropper, Invitation_Farewell_DE_EMB, is initiated, which launches JavaScript that unveils a ZIP archive. This archive contains an HTML Application (HTA) file tailored to introduce the Duke malware.

C&C operations are streamlined using Zulip’s API, transmitting victim specifics to a manipulated chat room (toyy.zulipchat[.]com) and providing remote control over the infiltrated systems.

EclecticIQ discovered an alternate PDF file, possibly utilized by APT29 for exploration or trial purposes.

This file didn’t carry a payload but alerted the threat actor if a victim accessed the email attachment, signaling through an exploited domain edenparkweddings[.]com, as per researchers.

Significantly, the exploitation of Zulip is consistent with the group’s history, known for harnessing various genuine internet utilities like Google Drive, Microsoft OneDrive, Dropbox, Notion, Firebase, and Trello for C2 operations.

APT29’s primary interest lies in government entities, their subcontractors, political groups, research establishments, and critical sectors across the West. Intriguingly, an unidentified competitor has adopted similar strategies to compromise Chinese-speaking users with Cobalt Strike.

This revelation follows after warnings by the Computer Emergency Response Team of a European nation (CERT-UA), cautioning about phishing attacks on their state establishments using a Go-based toolkit named Merlin. The actions are monitored under the label UAC-0154.

Several challenges have been faced, including extensive digital offensives from Sandworm, a renowned hacking consortium. Their primary objective has been to interrupt critical operations and amass intelligence for a strategic edge.

A recent security study highlighted attempts by the threat actor trying to gain unwarranted entry into tablets used by military personnel.

Acquiring devices during confrontations, exhaustive device analyses, and leveraging existing software and access have emerged as primary techniques for initial access and malware spread, the security agency highlighted.

Among the deployed malware are NETD, DROPBEAR, STL, DEBLIND, and the Mirai botnet malware. Also, a TOR hidden service was used for accessing the device remotely over the internet.