German Embassy Lure: Likely Part of Campaign Against NATO Aligned Ministries of Foreign Affairs
Common Information
Type Value
UUID b1c5869b-e38c-438f-9956-a0fa349609ff
Fingerprint a485a93ba73bc4e2
Analysis status DONE
Considered CTI value 2
Text language
Published Oct. 5, 2023, midnight
Added to db Nov. 6, 2023, 5:32 p.m.
Last updated Nov. 17, 2024, 6:56 p.m.
Headline German Embassy Lure: Likely Part of Campaign Against NATO Aligned Ministries of Foreign Affairs
Title German Embassy Lure: Likely Part of Campaign Against NATO Aligned Ministries of Foreign Affairs
Detected Hints/Tags/Attributes 117/4/43
RSS Feed
Details Id Enabled Feed title Url Added to db
Details 32 EclecticIQ Blog https://blog.eclecticiq.com/rss.xml 2024-08-30 22:08
Attributes
Details Type #Events CTI Value
Details Domain 1
bahamas.gov.bs
Details Domain 2
sgrhf.org.pk
Details Domain 1
toyy.zulipchat.com
Details Domain 1
edenparkweddings.com
Details Domain 49
eclecticiq.com
Details Domain 32
lolbas-project.github.io
Details Domain 1
zulipchat.com
Details Domain 1
blog-assets.f-secure.com
Details Domain 360
attack.mitre.org
Details Email 47
research@eclecticiq.com
Details File 2
invitation_farewell_de_emb.html
Details File 456
mshta.exe
Details File 8
appvisvsubsystems64.dll
Details File 1
msoev.exe
Details File 8
mso.dll
Details File 748
kernel32.dll
Details File 533
ntdll.dll
Details File 291
user32.dll
Details File 4
invitation.pdf
Details File 1
f-secure_dukes_whitepaper.pdf
Details md5 1
fc53c75289309ffb7f65a3513e7519eb
Details md5 2
50f57a4a4bf2c4b504954a36d48c99e7
Details md5 3
0be11b4f34ede748892ea49e473d82db
Details md5 2
5e1389b494edc86e17ff1783ed6b9d37
Details md5 1
d817f36361f7ac80aba95f98fe5d337d
Details md5 3
fc53c75289309ffb7f65a3513e7519eb
Details Mandiant Uncategorized Groups 97
UNC2452
Details MITRE ATT&CK Techniques 310
T1566.001
Details MITRE ATT&CK Techniques 227
T1574.002
Details MITRE ATT&CK Techniques 23
T1027.006
Details MITRE ATT&CK Techniques 40
T1027.009
Details MITRE ATT&CK Techniques 28
T1027.007
Details MITRE ATT&CK Techniques 59
T1218.005
Details MITRE ATT&CK Techniques 442
T1071.001
Details MITRE ATT&CK Techniques 365
T1204.002
Details MITRE ATT&CK Techniques 14
T1584.006
Details Threat Actor Identifier - APT 665
APT29
Details Url 1
https://lolbas-project.github.io/lolbas/binaries/mshta
Details Url 1
https://zulipchat.com
Details Url 1
https://blog-assets.f-secure.com/wp-content/uploads/2020/03/18122307/f-secure_dukes_whitepaper.pdf
Details Url 11
https://attack.mitre.org/groups/g0016
Details Yara rule 1
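rule APT29_Duke_Malware_Jul17 {
	meta:
		description = "Detects APT29 Duke malware variant "
		Author = "EclecticIQ Threat Research Team"
		creation_date = "2023-07-30"
		classification = "TLP:WHITE"
		hash1 = "0be11b4f34ede748892ea49e473d82db"
		hash2 = "5e1389b494edc86e17ff1783ed6b9d37"
	strings:
		// Decodes as an x64 function prologue: spills rcx/rdx/r8/r9 to the
		// stack, "sub rsp, 0x64", then the start of a "mov rcx, imm32".
		$x1 = { 48 89 4C 24 08 48 89 54 24 10 4C 89 44 24 18 4C 89 4C 24 20 48 83 EC 64 48 C7 C1 }
		// Decodes as a byte-wise XOR loop guarded by a "done" flag: cmp byte
		// [rcx+??],0 / xor [rdx],r8b / add rdx,1 / cmp rdx,rcx / jne ... then
		// mov byte [rax+??],1. Displacements and jump offsets are wildcarded
		// so small layout changes between builds still match.
		$decryption_routine = { 80 79 ?? 00 48 89 C8 75 ?? 48 89 CA 48 8D 49 ?? 44 0F B6 40 ?? 44 30 02 48 83 C2 01 48 39 CA 75 ?? C6 40 ?? 01 C3 }
	condition:
		// YARA binds "and" tighter than "or". The unparenthesised form
		// "MZ and $x1 or $decryption_routine and filesize" evaluated as
		// (MZ and $x1) or ($decryption_routine and filesize): an $x1 hit
		// bypassed the 2MB cap and a $decryption_routine hit bypassed the
		// MZ check. Grouping the two patterns applies both gates to either.
		uint16(0) == 0x5A4D and ($x1 or $decryption_routine) and filesize <= 2MB
}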
Details Yara rule 1
rule APT29_Embassy_Invitation_Lure {
	meta:
		description = "Detects APT29 Embassy Invitation Lure"
		Author = "EclecticIQ Threat Research Team"
		creation_date = "2023-07-30"
		classification = "TLP:WHITE"
		hash1 = "fc53c75289309ffb7f65a3513e7519eb"
	strings:
		// PDF object carrying an embedded file. Written as a plain (ascii-only)
		// text string; this matches exactly the same bytes as the hex form.
		$pdf_meta1 = "/Type /EmbeddedFile"
		// JavaScript fragment building a "q=" parameter from a base64 (btoa) value.
		$pdf_meta2 = "q='+btoa(p)" ascii wide nocase fullword
		// Producer tag as emitted by the PyPDF2 library (ascii-only, same bytes as hex).
		$x1 = "/Producer (PyPDF2)"
		// Lure wording; any one of these is enough alongside the structural markers.
		$x2 = "Invitation" ascii wide nocase fullword
		$x3 = "embassy" ascii wide nocase fullword
		$x4 = "reception" ascii wide nocase fullword
	condition:
		// "%PDF" at offset 0 (little-endian 0x46445025), or the same magic
		// after a leading newline (0x4450250a).
		(uint32(0) == 0x46445025 or uint32(0) == 0x4450250a)
		and all of ($pdf_meta*)
		and any of ($x*)
		and filesize <= 1MB
}