Research (Insikt)

BlueBravo Uses Ambassador Lure to Deploy GraphicalNeutrino Malware

Posted: 27th January 2023
By: Insikt Group®
BlueBravo Uses Ambassador Lure to Deploy GraphicalNeutrino Malware

insikt-group-logo-updated-3-300x48.png

Editor’s Note: This is an excerpt of a full report. To read the entire analysis with endnotes, click here to download the report as a PDF.

Executive Summary

BlueBravo is a threat group tracked by Recorded Future’s Insikt Group that overlaps with the Russian advanced persistent threat (APT) activity tracked as APT29 and NOBELIUM. APT29 and NOBELIUM operations have been previously attributed to Russia’s Foreign Intelligence Service (SVR), an organization responsible for foreign espionage, active measures, and electronic surveillance. In October 2022 we identified BlueBravo staging GraphicalNeutrino malware within a malicious ZIP file. The staging and deployment of this ZIP file overlaps with the previously employed dropper EnvyScout, the use of which is linked to APT29 and NOBELIUM.

BlueBravo used a compromised website containing the text "Ambassador`s schedule November 2022" as part of a lure operation. Based on the theme of this lure, we suspect that the targets of this campaign are related to embassy staff or an ambassador. This targeting profile aligns with previous reporting from InQuest in early 2022 that describes the group, reported as NOBELIUM, employing a lure document titled “Ambassador_Absense.docx” that displayed content relating to the Embassy of Israel. Following deployment and execution, InQuest reported that the malware, BEATDROP, employed trello[.]com for command-and-control (C2) in an attempt to evade detection and create challenges in attributing the activity.

Similar to the use of Trello for data exchange by BEATDROP, we have found that GraphicalNeutrino uses the United States (US)-based, business automation service Notion for its C2. The use of the Notion service by BlueBravo is a continuation of their previous tactics, techniques, and procedures (TTPs), as they have employed multiple online services such as Trello, Firebase, and Dropbox in an attempt to evade detection. The abuse of legitimate services, such as those employed by BlueBravo, presents a complex issue for network defenders due to the difficulty of defending against malicious access to legitimate services. The use of this technique is becoming more common and will continue to pose a problem for network defenders.

GraphicalNeutrino acts as a loader with basic C2 functionality and implements numerous anti-analysis techniques including API unhooking, dynamically resolving APIs, string encryption, and sandbox evasion. It leverages Notion’s API for C2 communications and uses Notion’s database feature to store victim information and stage payloads for download.

While we are unable to assess the intended targets of this operation based on the data available, it is likely that ambassadorial or embassy-themed lures are particularly effective during periods of heightened geopolitical tensions, such as is the case with the ongoing war in Ukraine. During such periods, Russian APT groups are highly likely to make extensive use of diplomatically themed lures, as the information potentially gathered from the compromise of entities or individuals receiving such communications is likely to have a direct impact on Russia’s foreign policy and broader Russian strategic decision-making processes.

Based on historical APT29 and SVR cyber operations and active measures, we assess it is likely that additional countries at the nexus of the conflict are at risk of targeting. This targeting almost certainly represents an ongoing interest from threat actors affiliated with the SVR and aligns with their continued intent to gain access to strategic information from entities and organizations engaged in foreign policy. Any country with a nexus to the Ukraine crisis, particularly those with key geopolitical, economic, or military relationships with Russia or Ukraine, are at increased risk of targeting.

Key Judgments

  • We have identified new malware used by BlueBravo, which overlaps with Russian APT activity tracked as APT29 and NOBELIUM, which Western governments and researchers have linked to the Russian Foreign Intelligence Service (SVR).
  • Identified staging infrastructure continues the trend of using compromised websites to deliver BlueBravo malware within archive files. The delivery of these files uses the same HTML smuggling technique as EnvyScout.
  • The malware also takes advantage of DLL search order hijacking for execution, helping to evade detection on the host.
  • A change to Notion as the initial C2 from Trello, Firebase, and Dropbox demonstrates BlueBravo’s broadening but continued use of legitimate Western services to blend their malware traffic to evade detection.
  • Though no second-stage malware, follow-on C2 server, or victims were identified, the initial lure page suggests BlueBravo’s targeting was related to unknown embassy staff or an ambassador.
  • Embassy-related information is likely considered high value intelligence, especially in the midst of the Russian war in Ukraine.

Background

BlueBravo’s targeting, its tactics, techniques, and procedures (TTPs), and its targeting interests and operations overlap with Russian advanced persistent threat activity publicly reported as APT29 and NOBELIUM, which has been previously attributed to Russia’s Foreign Intelligence Service (SVR). The SVR is responsible for foreign espionage, active measures, and electronic surveillance. APT29 has been active since at least 2008 according to third-party reporting, engaging in espionage operations against entities associated with security and defense, politics, and research. APT29 was initially observed surveilling Chechen and dissident organizations but expanded to target entities in the West such as the Pentagon in 2015, the Democratic National Committee (DNC) and US think tanks in 2016, and the Norwegian government and several Dutch ministries in 2017.

In 2021, public reporting detailed BlueBravo’s use of various iterations of a phishing campaign emulating government entities. The various campaigns delivered ISO files via methods such as using URLs to download the ISO file and execute an LNK file, and using an HTML attachment in the email to initiate the download of an ISO file. This activity was used to deploy NativeZone, an umbrella term for their custom Cobalt Strike loaders. NativeZone typically uses rundll32.exe to load and execute follow-on payload(s).

BlueBravo employs a wide range of custom malware and open-source tooling. A notable facet is their evolving malware families and development practices, with implants developed in various languages including Python, Go, PowerShell, and Assembly.

Related