Date: 08/07/2024
Severity: Medium
Summary
A Russian threat actor known as Fighting Ursa used a car-for-sale ad to distribute HeadLace backdoor malware, targeting diplomats from as early as March 2024. Fighting Ursa, also known as APT28 or Fancy Bear, is linked to Russian military intelligence and is classified as an advanced persistent threat (APT). This tactic, using diplomatic car ads as phishing lures, has been a recurring theme among Russian threat actors, effectively enticing diplomats to click on malicious links.
Indicators of Compromise (IOC) List

| Type | Indicator |
| --- | --- |
| Domain/URL | https://webhook.site/66d5b9f9-a5eb-48e6-9476-9b6142b0c3ae |
| Domain/URL | https://webhook.site/d290377c-82b5-4765-acb8-454edf6425dd |
| Domain/URL | https://i.ibb.co/vVSCr2Z/car-for-sale.jpg |
| Hash (SHA-256) | cda936ecae566ab871e5c0303d8ff98796b1e3661885afd9d4690fc1e945640e |
| Hash (SHA-256) | dad1a8869c950c2d1d322c8aed3757d3988ef4f06ba230b329c8d510d8d9a027 |
| Hash (SHA-256) | 6b96b991e33240e5c2091d092079a440fa1bef9b5aecbf3039bf7c47223bdf96 |
| Hash (SHA-256) | a06d74322a8761ec8e6f28d134f2a89c7ba611d920d080a3ccbfac7c3b61e2e7 |
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

| Type | Query |
| --- | --- |
| Domain/URL | userdomainname like "https://i.ibb.co/vVSCr2Z/car-for-sale.jpg" or url like "https://i.ibb.co/vVSCr2Z/car-for-sale.jpg" or userdomainname like "https://webhook.site/66d5b9f9-a5eb-48e6-9476-9b6142b0c3ae" or url like "https://webhook.site/66d5b9f9-a5eb-48e6-9476-9b6142b0c3ae" or userdomainname like "https://webhook.site/d290377c-82b5-4765-acb8-454edf6425dd" or url like "https://webhook.site/d290377c-82b5-4765-acb8-454edf6425dd" |
| Hash (SHA-256) | sha256hash IN ("6b96b991e33240e5c2091d092079a440fa1bef9b5aecbf3039bf7c47223bdf96","a06d74322a8761ec8e6f28d134f2a89c7ba611d920d080a3ccbfac7c3b61e2e7","cda936ecae566ab871e5c0303d8ff98796b1e3661885afd9d4690fc1e945640e","dad1a8869c950c2d1d322c8aed3757d3988ef4f06ba230b329c8d510d8d9a027") |
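The same two detection queries expressed as a stand-alone check over normalised events, as an added example that is not Gurucul's code: it keeps the advisory's field names (userdomainname, url, sha256hash), treats the query's `like` as a case-insensitive substring match (an assumption about Gurucul's operator), and runs over constructed sample events rather than real telemetry.

```python
from typing import Iterable

# Indicators quoted from the advisory's IOC list.
IOC_URLS = {
    "https://webhook.site/66d5b9f9-a5eb-48e6-9476-9b6142b0c3ae",
    "https://webhook.site/d290377c-82b5-4765-acb8-454edf6425dd",
    "https://i.ibb.co/vVSCr2Z/car-for-sale.jpg",
}
IOC_SHA256 = {
    "cda936ecae566ab871e5c0303d8ff98796b1e3661885afd9d4690fc1e945640e",
    "dad1a8869c950c2d1d322c8aed3757d3988ef4f06ba230b329c8d510d8d9a027",
    "6b96b991e33240e5c2091d092079a440fa1bef9b5aecbf3039bf7c47223bdf96",
    "a06d74322a8761ec8e6f28d134f2a89c7ba611d920d080a3ccbfac7c3b61e2e7",
}

def url_match(event: dict) -> bool:
    """The `userdomainname like X or url like X` clauses of the query.
    `like` is assumed to mean case-insensitive substring containment.
    The full URL is matched, not just the host: webhook.site and i.ibb.co are
    shared public services, so alerting on the bare host would flood the queue."""
    for field in ("userdomainname", "url"):
        value = str(event.get(field, "")).lower()
        if value and any(ioc.lower() in value for ioc in IOC_URLS):
            return True
    return False

def hash_match(event: dict) -> bool:
    """The `sha256hash IN (...)` clause; hex digests compared case-insensitively."""
    return str(event.get("sha256hash", "")).lower() in IOC_SHA256

def scan(events: Iterable[dict]) -> list:
    """Return (event index, rule name) for every event that hits an indicator."""
    hits = []
    for i, ev in enumerate(events):
        if url_match(ev):
            hits.append((i, "ioc_url"))
        if hash_match(ev):
            hits.append((i, "ioc_sha256"))
    return hits

# Constructed sample events using the advisory's field names (not real logs).
SAMPLE_EVENTS = [
    {"url": "https://i.ibb.co/vVSCr2Z/car-for-sale.jpg?download=1"},
    {"url": "https://i.ibb.co/other/holiday.jpg"},  # same host, unrelated path
    {"sha256hash": "CDA936ECAE566AB871E5C0303D8FF98796B1E3661885AFD9D4690FC1E945640E"},
    {"sha256hash": "0" * 64},
]

if __name__ == "__main__":
    for idx, rule in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
```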
Reference:
https://unit42.paloaltonetworks.com/fighting-ursa-car-for-sale-phishing-lure/