Poland's Military Counterintelligence Service and its Computer Emergency Response Team have linked the Russian state-sponsored hacking group APT29, also known as Cozy Bear and Nobelium, to a widespread, ongoing cyberespionage campaign against NATO and European Union member countries, BleepingComputer reports.
Diplomatic entities and foreign ministries across the EU have been targeted with spear-phishing emails spoofing European embassies, according to the joint advisory. The emails carry malicious attachments that deliver the EnvyScout dropper, which in turn deploys the QUARTERRIG and SNOWYAMBER malware downloaders or the HALFRIG loader, which carries a Cobalt Strike Beacon payload.
"If the infected workstation passed manual verification, the aforementioned downloaders were used to deliver and start up the commercial tools COBALT STRIKE or BRUTE RATEL. HALFRIG, on the other hand, works as a so-called loader: it contains the COBALT STRIKE payload and runs it automatically," a separate malware analysis report states. APT29 was previously reported to have targeted Microsoft 365 accounts in NATO countries with phishing attacks.
According to Microsoft, the log disruption affected, to varying degrees, Microsoft Entra, Microsoft Sentinel, Azure Logic Apps, Azure Monitor, Azure Healthcare APIs, Azure Trusted Signing, Azure Virtual Desktop, and Power Platform.
The attacks displayed fraudulent Google Meet popup alerts that led to the download of the StealC or Rhadamanthys infostealers on Windows and the AMOS Stealer on macOS, according to a Sekoia analysis.
RomCom has used malicious spear-phishing messages to distribute the MeltingClaw and RustyClaw downloaders, which install the ShadyHammock and DustyHammock backdoors respectively, the latter of which also delivers the SingleCamper trojan.