As of December 2023, IBM X-Force has uncovered multiple lure documents that predominately feature the ongoing Israel-Hamas war to facilitate the delivery of the ITG05 exclusive Headlace backdoor. The newly discovered campaign is directed against targets based in at least 13 nations worldwide and leverages authentic documents created by academic, finance and diplomatic centers. ITG05’s infrastructure ensures only targets from a single specific country can receive the malware, indicating the highly targeted nature of the campaign.

X-Force tracks ITG05 as a likely Russian state-sponsored group consisting of multiple activity clusters, sharing overlaps with industry-identified threat actor groups APT28, UAC-028, Fancy Bear and Forest Blizzard.

The contents of each lure contain themes relevant to a unique audience interested in research and policy creation. The nature of the lures suggests activity is directed at entities with direct influence on the allocation of humanitarian aid, primarily those based in Europe. Our discovery includes multiple legitimate documents associated with finance, think tanks, educational organizations and government and nongovernment organizations (NGOs) leveraged as lure materials. These files are featured in larger infection chains associated with the delivery of the ITG05 exclusive Headlace backdoor capable of facilitating multiple malicious actions on objectives.

It is unclear precisely how many entities were impacted by the campaign, but our analysis indicates that organizations in the following countries were targeted: Hungary, Türkiye, Australia, Poland, Belgium, Ukraine, Germany, Azerbaijan, Saudi Arabia, Kazakhstan, Italy, Latvia and Romania. Of note, all but one of the 13 nations featured in the geolocations perimeters for downloading Headlace are United Nations Human Rights Council members.

It is highly likely the compromise of any echelon of global foreign policy centers may aid officials’ interests with advanced insight into critical dynamics surrounding the International Community’s (IC) approach to competing priorities for security and humanitarian assistance.

Key Findings

• This is the first known use of the Israel-Hamas conflict by ITG05 to conduct campaigns delivering the exclusive Headlace backdoor.
• The campaign leverages documents associated with the United Nations, the Bank of Israel, the United States Congressional Research Service, the European Parliament, a Ukrainian think tank and an Azerbaijan-Belarus Intergovernmental Commission.
• X-Force observed the deployment of Headlace and secondary payloads to be specifically targeted toward at least 13 nations.
• Some of the uncovered lures are contained in a .RAR archive exploiting the CVE-2023-38831 vulnerability, others use DLL-hijacking to run Headlace.
• Headlace is a multi-component malware including a dropper, a VBS launcher and a backdoor using MSEdge in headless mode to continuously download secondary payloads, likely to exfiltrate credentials and sensitive information.

Background

In early September 2023, CERT-UA reported APT28 was attempting to use new malware named Headlace to access a critical energy infrastructure entity in Ukraine. This involved APT28 using the Mockbin and Mocky API websites to stage malicious archives retrieved by Javascript droppers. In late September 2023, Zscaler published a similar campaign targeting the theft of NTLM hashes from victims in Poland, Austria and Belgium by using adult-themed lures and the Mockbin API for data extraction.

In late 2023, X-Force uncovered eight lure documents created between early August and early December 2023 likely leveraged in phishing campaigns crafted to ultimately distribute ITG05’s Headlace backdoor. X-Force research confirmed the majority of the files are directly derived from publicly available official documents created by the Bank of Israel, the U.S. Congressional Research Service, the United Nations, the European Parliament, the French digital education service Cahier de Prépa and the Ukraine-based Razumkov Centre think tank.

The remaining lures appear to be internal documents belonging to, or associated with, what appears to be legal amendments to a Turkish manual regarding technical installations, and interstate agreements facilitated by the Joint Intergovernmental Commission between the Republic of Azerbaijan and the Republic of Belarus on Economic Cooperation. Of note, the majority of the lure documents contents feature news, updates or information regarding developments in Ukraine and the Levant.

The use of official documents as lure material is a departure from previously observed ITG05 activity featuring the delivery of the Headlace backdoor, which featured adult-themed material to engender victim engagement. This change in lure content may be indicative of ITG05’s increased emphasis on a unique target audience whose interests would prompt interaction with material impacting emerging policy creation. State-sponsored cyber capabilities will likely continue to be leveraged to furnish domestic decision-makers with exclusive access to the political resolve and resource priorities of the IC and individual states.

Analysis: From decoy documents to phishing lures

Previously, ITG05 operations featuring the Headlace backdoor were preceded by numerous decoy documents featuring adult themes. However, during the past month, X-Force observed a change in tactic with the threat actor instead also using the decoys as lures to trick users into accessing the attachments. The majority of the uncovered lures feature English-language text except for a Turkish language and a single Russian-language document. The text of each of the decoys contains themes that would likely not appear as alerting to a unique audience interested in research and policy creation. The following is a selection of uncovered lure documents used in conjunction with Headlace:

Example lure 1: Letter of invitation to the expert discussion on the Razumkov Centre

The earliest uncovered lure document titled “Letter of invitation to the expert discussion on the Razumkov Centre,” dates from early September 2023 and was first reported by Google TAG. It leverages a publicly available document uploaded one day preceding the presentation of the legitimate event hosted by the Razumkov Centre in partnership with the United States Agency for International Development (USAID) under the auspices of the USAID/ENGAGE pact. The invitation presents the findings of the paper “War of Attrition: Comparison of Potentials and Assessment of Prospects” on current results of the conflict in Ukraine, combat potentials and policy approaches for avoiding stalemate. The campaign is directed at Romania-based targets based on the geolocation of the targeted download.

Fig. 1: Lure document “Letter of invitation to the expert discussion on the Razumkov Centre”

Notably, this lure was contained in a .RAR archive exploiting CVE-2023-38831. If opened with WinRAR versions below 6.23, the exploit causes Headlace to silently execute if a user tries to open the benign PDF file.

Example lure 2: SEDE-PV-2023-10-09-1_EN.docx

Uploaded in mid-October 2023, the lure document titled “SEDE-PV-2023-10-09-1_EN.docx” features the publicly available  Minutes of the 9 October 2023 meeting of the Subcommittee on Security and Defence of the European Parliament. Included in the adopted agenda is the question of “The security situation after the attack by Hamas against Israel, exchange of views with the EU’s Police Mission for the Palestinian Territories (EUPOLCOPPS) and the EU’s Border Assistance Mission in Rafah (EUBAM Rafah).”

Fig. 2: Lure document “SEDE-PV-2023-10-09-1_EN.docx”

Example lure 3: war.docx

Uploaded in early November 2023, the document titled “war.docx” features an authentic copy of the publicly available Advance Unedited Version of the “Report of the Special Committee to Investigate Israeli Practices Affecting the Human Rights of the Palestinian People and Other Arabs of the Occupied Territories” presented at the seventy-eighth session of the General Assembly of the United Nations. The contents feature policy questions and historical context related to the Levant between September 2022 to September 2023, preceding the surprise October 2023 attacks.

Fig. 3: Lure document “war.docx”

Example lure 4: Roadmap.docx

In mid-November 2023, a 15-page document titled “roadmap” was uploaded by multiple Azerbaijan-based users featuring what appears to be the internal mark-up version of a proposed “Roadmap on the development of cooperation between the Republic of Belarus and the Republic of Azerbaijan until 2025” associated with the Joint Intergovernmental Commission between the Republic of Azerbaijan and the Republic of Belarus on Economic Cooperation. The document features two lines for signatures of approval by the respective state ministers, followed by a fillable date pre-populated with the year 2023. The document appears to be authentic given the metadata associated with user modifications.

Fig. 4: Lure document “Roadmap.docx”

Example lure 5: 2023-12-bois-position-on-accessing-capital-pr.docx

Fig. 5: Lure document “2023-12-bois-position-on-accessing-capital-pr.docx”

In early December 2023, X-Force uncovered an ITG05 lure leveraging the authentic 5 December 2023 press release published by the Bank of Israel. The document titled 2023-12-bois-position-on-accessing-capital-pr.docx details the “Main Points of the Bank of Israel’s Position Presented to the Knesset Economics Committee Regarding Nonbank Entities Accessing Sources of Capital to Expand their Provision of Loans Due to the War.”

Example lure 6:  IN11897.pdf

Fig. 6: Lure document “IN11897.pdf”

In early December 2023, X-Force uncovered the ITG05 lure titled IN11897.pdf, which leverages the 20 November 2023 CRS update on “Russia’s War Against Ukraine: European Union Responses and U.S.-EU Relations.” The publicly available document features key updates informing policymakers regarding the War in Ukraine distributed by the public policy research institute of the United States Congress.

Infection chain

The following represents X-Force’s detailed analysis of the multiple infection chains associated with the lures above, ultimately delivering Headlace malware.

Fig. 7: Headlace full infection graph

The diagram above is a high-level depiction of the Headlace infection flow. A deep dive into the different components impacting delivery including the abuse of commercial hosting services, multi-stage malware, exploitation, and command and control are explored in the following sections.

Abusing commercial hosting services

In September 2023, CERT-UA reported spear phishing emails containing URLs that led recipients to malicious archives hosted on abused, publicly available, commercial infrastructure; like the Mocky and Mockbin APIs and the Infinityfreeapp service.

In early campaigns, the threat actors used the Mockbin service to deliver malicious ZIP files containing decoy images, as well as a .CMD file which was identified as Headlace malware.

Example URLs:

Later, in late October through November 2023, X-Force observed a second legitimate service “infinityfreeapp.com” used to host malicious payloads.

In the same timeframe, CERT-FR reported malicious activity by APT28 that included the use of Mocky, Mockbin and infinityfreeapp services in attacks targeting French government systems.

The threat actor created several subdomains over the course of the campaigns. The phishing URL would contain a unique hardcoded URL parameter “id”. This ID is necessary to be able to download the lure archive as well as Headlace’s secondary payloads and likely allows ITG05 to track infections through all stages. Once a victim visits the URL and passes the browser check, the site redirects to its filedwn.php script using the same “id” parameter. This causes the download of a ZIP file, again containing the Headlace payload. Instead of the Mocky service, the Headlace backdoor uses the hardcoded id parameter to download the next payload via a URL calling the hosted execdwn.php file.

Example URLs:

Browser checker

Before payloads are downloaded from the legitimate staging services, a Javascript-based browser enumeration script verifies the user agent and in some cases the geolocation of the victim. Different versions of the script are used up to three times within a single infection. Infections start with the phishing URL, which redirects to the first download site after a first check. There, the second check takes place, which involves a user agent and geolocation check via the “https://ipapi[.]co/json“ service (see screenshot below). After a successful lure download, the victim is redirected to www.msn.com.

Fig. 8: Browser enumeration script verifying a geolocation in Germany, before dropping an archive payload

As visible in the screenshot above, the browser script drops one of two different payloads, depending on the result of the location check. Should the request originate from a different country other than the one targeted, ITG05 will drop a non-weaponized version of the archive. This version would only contain the benign lure. In the case of the campaign above, it contains a .CMD file only faking a Windows update, but without installing the malicious Headlace backdoor.

This campaign was active from late September until the end of November, targeting Kazakhstan, Hungary, Germany, Saudi Arabia, Ukraine and Azerbaijan. Later campaigns using policy-themed lures employed the same technique of dropping only benign lures should any of the checks fail.

After the successful execution of the Headlace dropper, the backdoor uses a second download site to stage secondary payloads. These are downloaded in MS Edge headless mode, so the corresponding browser scripts check if the user agent contains the string “edge”. Often the second download site performs another geolocation check:

Fig. 9: Browser enumeration script verifying geolocation in Turkey before dropping a payload disguised as a .CSS file

X-Force observed large numbers of browser enumeration scripts specifically targeting the following countries:

• Hungary
• Türkiye
• Australia 
• Poland 
• Belgium 
• Ukraine
• Germany
• Azerbaijan
• Saudi Arabia
• Kazakhstan
• Italy
• Latvia
• Romania

Later variants of the enumeration and verification scripts are likely implemented server-side with a specific hardcoded ID, which is provided in the first phishing URL and is required during all later stages as a URL parameter.

Headlace

X-Force observed three possible execution chains implemented by ITG05 for executing the Headlace malware:

Execution via WinRAR vulnerability

In this chain, a victim is targeted via the CVE-2023-38831 WinRAR vulnerability. If the victim has a vulnerable WinRAR application and opens the archive, the lure document is presented while the Headlace dropper is executed in the background.

Execution via DLL hijacking

The DLL-hijacking chain involves delivering a legitimate Microsoft Calc.exe binary that is susceptible to DLL-hijacking. This involves the victim clicking on Calc.exe to load a malicious DLL that is packaged alongside Calc in the malicious archive. The DLL then executes the Headlace CMD dropper file. In order to trick victims into running the executable, Calc.exe is renamed and contains whitespace padding before its extension, which may prevent users from spotting the suspicious .EXE extension.

Direct Execution

In this chain, the threat actor directs the victim to execute the Headlace CMD dropper directly by disguising it as a Windows update script and reporting fake update status messages in the console.

Headlace is a new backdoor discovered by CERT-UA in September 2023. It consists of three components: a .CMD dropper, a .VBS launcher and a .BAT backdoor. The initial dropper starts by writing both other components into the %PROGRAMDATA% directory. It then runs the .VBS launcher and after a short timeout it displays the lure as a decoy and deletes its traces from the directory it was started in.

Fig. 10: Headlace dropper script

The .VBS launcher uses the Wscript.Shell object to execute the .BAT file, which acts as a backdoor. In regular intervals, it runs msedge in headless mode to download another payload from a hardcoded URL, execute it and subsequently delete it:

Fig. 11: Headlace backdoor script

During the last campaign, X-Force observed a new infection chain leading to Headlace. The malicious ZIP file would contain several hidden files and only one visible executable, with a long whitespace-padded filename, in order to hide the extension. The binary is a copy of the legitimate calc.exe, which is vulnerable to DLL hijacking. Once executed, it searches the current directory for WindowsCodecs.dll, one of the hidden files, and loads it. The DLL’s main function was overwritten to execute the hidden .CMD file that is the Headlace payload. By using indirect execution, the malicious activity is more difficult to detect.

Another variant of Headlace would disguise itself as a Windows update. When launching the script, right after dropping and launching its malicious components, Headlace would print out fake status messages at regular intervals, imitating an update mechanism to an untrained user.

Fig. 12: Headlace dropper faking a Windows update

Actions on objective

According to observations of CERT-UA, once a foothold has been established on the system, several follow-up payloads are used to capture NTLM credentials or SMB hashes of user accounts and attempt to exfiltrate them via the TOR network. X-Force has observed variants of Nishang’s “Start-CaptureServer.ps1” script, which were modified to exfiltrate credentials through Mockbin. This activity was also reported on by Zscaler in the “Steal-It” campaign. In addition, ITG05 is also known to leverage custom exfiltration tools such as Graphite and Credomap.

Conclusion

X-Force assesses with high confidence that ITG05 will continue to leverage attacks against diplomatic and academic centers to provide the adversary with advanced insight into emergent policy decisions. Given recent operations, ITG05 remains adaptable to changes in opportunity within the cyber threat landscape by exploiting public CVEs and leveraging commercially available infrastructure.

Recommendations

X-Force recommends all individuals and entities engaged in or informing policy creation to remain in a heightened state of defensive security and to:

• Stay abreast of newly published exploits likely to be used by APT actors.
• Hunt for regularly spawned processes containing “msedge –headless-new –disable-gpu”.
• Hunt for headless MS Edge processes downloading .CSS files.
• Monitor for downloaded archives containing .CMD files.
• Monitor for DLL hijacking via modified WindowsCodecs.dll files.
• Monitor for filenames containing an unusually large number of consecutive whitespaces.
• Monitor network traffic for unusual or unsanctioned commercial service use.
• Monitor for suspicious use of browsers in headless mode.
• Install and configure endpoint security software.
• Update relevant network security monitoring rules.
• Educate staff on the potential threats to the organization.

Indicators of Compromise

MD5, SHA1, SHA256, File Path, File Name, Command, Registry Key, Registry Value, Scheduled Task, Service Name

To learn how IBM X-Force can help you with anything regarding cybersecurity including incident response, threat intelligence or offensive security services schedule a meeting here.

If you are experiencing cybersecurity issues or an incident, contact X-Force to help: US hotline 1-888-241-9812 | Global hotline (+001) 312-212-8034.