Recorded Future finds that BlueBravo hackers utilize Ambassador Lure to spread GraphicalNeutrino malware


Recorded Future’s Insikt Group detailed the BlueBravo threat group, which overlaps with the Russian advanced persistent threat (APT) activity group tracked as APT29 and NOBELIUM, which Western governments and researchers have linked to the Russian Foreign Intelligence Service (SVR). BlueBravo hackers used a compromised website containing the text ‘Ambassador’s schedule November 2022’ as part of a lure operation.

“Identified staging infrastructure continues the trend of using compromised websites to deliver BlueBravo malware within archive files. The delivery of these files uses the same HTML smuggling technique as EnvyScout,” Insikt Group wrote in a company blog post on Friday. “The malware also takes advantage of DLL search order hijacking for execution, helping to evade detection on the host.”

Furthermore, a change to Notion as the initial C2 from Trello, Firebase, and Dropbox demonstrates BlueBravo’s broadening but continued use of legitimate Western services to blend their malware traffic to evade detection, the post added. “Though no second-stage malware, follow-on C2 server, or victims were identified, the initial lure page suggests BlueBravo’s targeting was related to unknown embassy staff or an ambassador. Embassy-related information is likely considered high-value intelligence, especially in the midst of the Russian war in Ukraine.”

“Based on the theme of this lure, we suspect that the targets of this campaign are related to embassy staff or an ambassador,” according to Insikt Group. “This targeting profile aligns with previous reporting from InQuest in early 2022 that describes the group, reported as NOBELIUM, employing a lure document titled ‘Ambassador_Absense.docx’ that displayed content relating to the Embassy of Israel.” 

APT29 and NOBELIUM operations have been previously attributed to SVR, an organization responsible for foreign espionage, active measures, and electronic surveillance. 

InQuest reported that, following deployment and execution, the BEATDROP malware employed trello[dot]com for command-and-control (C2) in an attempt to evade detection and create challenges in attributing the activity, the post said. “BlueBravo employs a wide range of custom malware and open-source tooling. A notable facet is their evolving malware families and development practices, with implants developed in various languages including Python, Go, PowerShell, and Assembly,” it added.

“In October 2022, we identified BlueBravo staging GraphicalNeutrino malware within a malicious ZIP file. The staging and deployment of this ZIP file overlaps with the previously employed dropper EnvyScout, the use of which is linked to APT29 and NOBELIUM,” according to Insikt Group. “GraphicalNeutrino acts as a loader with basic C2 functionality and implements numerous anti-analysis techniques including API unhooking, dynamically resolving APIs, string encryption, and sandbox evasion.”

The post added that GraphicalNeutrino leverages Notion’s API for C2 communications and uses Notion’s database feature to store victim information and stage payloads for download.

The SVR is responsible for foreign espionage, active measures, and electronic surveillance. APT29 has been active since at least 2008 according to third-party reporting, engaging in espionage operations against entities associated with security and defense, politics, and research. APT29 was initially observed surveilling Chechen and dissident organizations, but expanded to target entities in the West, such as the Pentagon in 2015, the Democratic National Committee (DNC) and U.S. think tanks in 2016, and the Norwegian government and several Dutch ministries in 2017.

Based on historical APT29 and SVR cyber operations and active measures, “we assess it is likely that additional countries at the nexus of the conflict are at risk of targeting,” the post said. “This targeting almost certainly represents an ongoing interest from threat actors affiliated with the SVR and aligns with their continued intent to gain access to strategic information from entities and organizations engaged in foreign policy. Any country with a nexus to the Ukraine crisis, particularly those with key geopolitical, economic, or military relationships with Russia or Ukraine, is at increased risk of targeting,” it added.

“Similar to the use of Trello for data exchange by BEATDROP, we have found that GraphicalNeutrino uses the United States (US)-based, business automation service Notion for its C2. The use of the Notion service by BlueBravo is a continuation of their previous tactics, techniques, and procedures (TTPs), as they have employed multiple online services such as Trello, Firebase, and Dropbox in an attempt to evade detection,” according to Insikt Group. 

The post added that the abuse of legitimate services, such as those employed by BlueBravo, presents a complex issue for network defenders due to the difficulty of defending against malicious access to legitimate services. “The use of this technique is becoming more common and will continue to pose a problem for network defenders.”

Insikt Group said that while “we are unable to assess the intended targets of this operation based on the data available, it is likely that ambassadorial or embassy-themed lures are particularly effective during periods of heightened geopolitical tensions, such as is the case with the ongoing war in Ukraine.” 

During such periods, Russian APT groups are highly likely to make extensive use of diplomatically themed lures, as the information potentially gathered from the compromise of entities or individuals receiving such communications is likely to have a direct impact on Russia’s foreign policy and broader Russian strategic decision-making processes, it added.

Insikt Group also said that in 2021, public reporting detailed BlueBravo’s use of various iterations of a phishing campaign emulating government entities. The various campaigns delivered ISO files via methods such as using URLs to download the ISO file and execute an LNK file and using an HTML attachment in the email to initiate the download of an ISO file. The activity was used to deploy NativeZone, an umbrella term for their custom Cobalt Strike loaders. NativeZone typically uses rundll32[dot]exe to load and execute follow-on payload(s).

Last month, Recorded Future said that it continues to track activity attributed to the likely Chinese state-sponsored threat activity group RedDelta targeting organizations within Europe and Southeast Asia using a customized variant of the PlugX backdoor. The activity was identified through a combination of large-scale automated network traffic analytics and expert analysis.
