A malware campaign targeting the Ministries of Foreign Affairs of NATO-aligned countries was recently discovered. It used PDF files masquerading as an email from the German Embassy. One of the PDF files contains Duke malware, which has previously been linked to APT29, a Russian state-sponsored cyber espionage group.
APT29 has been attributed to Russia’s Foreign Intelligence Service (SVR). In this campaign it uses Zulip, an open-source chat application, for command and control, which hides the malicious network traffic behind legitimate traffic to a well-known service.
PDF with HTML Smuggling
Further investigation revealed that the two PDF files received through email contain an invitation lure aimed at diplomatic entities. The documents are themed around a “Farewell to Ambassador of Germany” and the “Day of German Unity”.
Through HTML smuggling, a malicious HTML Application (HTA) file is delivered. The HTA file acts as a standalone malware application and is executed by the Windows HTA engine mshta.exe, a widely abused LOLBIN (Living Off the Land Binary). Its execution delivers the Duke malware variant.
The other PDF document does not contain any malicious content; instead, it sends a notification to the threat actor indicating whether the attachment was opened.
DLL Sideloading Abused to Execute Duke Variant Malware
The HTA file drops three files into the directory C:\Windows\Tasks to set up DLL sideloading. The three files are:
- AppVIsvSubsystems64.dll – A library loaded into msoev.exe so that the executable runs without failing on a missing dependency.
- Mso.dll – The Duke malware variant, which is loaded into msoev.exe through DLL sideloading.
- Msoev.exe – A signed Windows binary that automatically loads mso.dll and AppVIsvSubsystems64.dll from its own directory when executed.
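As an added detection example (not code from the report), the following Python check runs over constructed Sysmon-style image-load records and flags msoev.exe loading mso.dll or AppVIsvSubsystems64.dll from C:\Windows\Tasks, or running from that directory at all. The benign Office install path in the sample data is an assumption used only for contrast.

```python
"""Flag the msoev.exe DLL-sideloading pattern described above.

Input records mimic Sysmon Event ID 7 (ImageLoad): (process image path,
loaded module path). The sample records below are constructed, not real
telemetry; the Office install paths are assumed for the benign case.
"""
import ntpath

# Drop directory and file names taken from the report's description.
DROP_DIR = r"c:\windows\tasks"
HOST_IMAGE = "msoev.exe"
SIDELOADED = {"mso.dll", "appvisvsubsystems64.dll"}

# Constructed sample: one legitimate Office load, three loads by the dropped
# copy of msoev.exe, and one unrelated process.
SAMPLE_EVENTS = [
    (r"C:\Program Files\Microsoft Office\root\Office16\MSOEV.EXE",   # assumed benign path
     r"C:\Program Files\Microsoft Office\root\Office16\MSO.DLL"),
    (r"C:\Windows\Tasks\msoev.exe", r"C:\Windows\Tasks\mso.dll"),
    (r"C:\Windows\Tasks\msoev.exe", r"C:\Windows\Tasks\AppVIsvSubsystems64.dll"),
    (r"C:\Windows\Tasks\msoev.exe", r"C:\Windows\System32\kernel32.dll"),
    (r"C:\Windows\System32\notepad.exe", r"C:\Windows\System32\ntdll.dll"),
]


def classify_load(image: str, module: str):
    """Return a reason string if the load matches the sideloading pattern, else None."""
    image_dir, image_name = ntpath.split(image.lower())
    module_dir, module_name = ntpath.split(module.lower())
    if image_name != HOST_IMAGE:
        return None
    # The sideload itself: one of the two named DLLs resolved from the drop directory.
    if module_name in SIDELOADED and module_dir == DROP_DIR:
        return f"{module_name} sideloaded into {HOST_IMAGE} from {DROP_DIR}"
    # Weaker signal: the signed host binary executing from the drop directory at all.
    if image_dir == DROP_DIR:
        return f"{HOST_IMAGE} running from {DROP_DIR}"
    return None


def scan(events):
    """Return [(image, module, reason)] for every record that classify_load flags."""
    findings = []
    for image, module in events:
        reason = classify_load(image, module)
        if reason:
            findings.append((image, module, reason))
    return findings


if __name__ == "__main__":
    for image, module, reason in scan(SAMPLE_EVENTS):
        print(f"{reason}: {image} -> {module}")
```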
A complete report has been published that provides detailed information on the malware campaign and the activities carried out.
Indicators of Compromise
Duke Malware Variant:
MITRE ATT&CK Techniques
- Spearphishing Attachment - T1566.001
- DLL Side-Loading - T1574.002
- HTML Smuggling - T1027.006
- Embedded Payloads - T1027.009
- Dynamic API Resolution - T1027.007
- System Binary Proxy Execution: Mshta - T1218.005
- Application Layer Protocol: Web Protocols - T1071.001
- User Execution: Malicious File - T1204.002
- Compromise Infrastructure: Web Services - T1584.006