Polish Government Under Massive Cyber Attack From APT28 Group

Cybersecurity teams in Poland discovered a widespread malware attack that was directed at government institutions. 

Based on technical indicators and resemblance to past attacks against Ukraine, they linked the campaign to APT28, a threat group affiliated with Russia’s GRU military intelligence agency, suggesting a potential targeted espionage or information gathering operation. 

The email campaign relied on clickbait, exploiting the recipient’s curiosity: the subject line promised a resolution to an unspecified “problem,” and the message body was addressed to Paweł, presumably a Polish male recipient.

Figure: the phishing email

The body introduced a “Ukrainian woman” who had recently arrived in Warsaw and ran an “unusual company” selling used underwear, stressed the company’s supposed clientele, including “senior authorities in Poland and Ukraine,” and ended with a hyperlink labelled “ALINA-BOKLAN.”

The malicious link pointed to a free API mocking service (run.mocky.io), which redirected the user to another service (webhook.site) that logs incoming requests and returns configurable responses. Building the chain on commonly trusted platforms helps the attackers evade detection and keeps their costs low.

Clicking the link downloads a ZIP archive (IMG-*) that appears to contain a photo; the file inside is actually an executable whose .exe extension is hidden by default Windows settings, potentially tricking the victim into running malware.

Figure: what the victim is presented with

The attackers use a DLL side-loading technique: a disguised executable (e.g., IMG-238279780.jpg.exe) masquerades as a harmless image file.

When executed, the disguised program loads a malicious DLL (WindowsCodecs.dll) placed alongside it. The DLL bypasses security measures and runs a hidden batch script, giving the attackers control over the system.
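As an added illustration of the two tricks just described (this is not code from the article or from Cert.pl), the following Python inspects a ZIP listing before anyone opens the archive: it flags entries whose visible name ends in an image or document extension but whose real extension is executable, and it flags a known side-loadable DLL name sitting next to an executable in the same directory. The sample archive is constructed in memory from inert placeholder bytes; the DLL watchlist holds only WindowsCodecs.dll, the name the article gives, and a real deployment would extend it.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Extensions Windows will run directly (subset; extend as needed).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".cmd", ".bat", ".vbs", ".js", ".hta"}
# Extensions a user expects to be harmless media or documents.
DECOY_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".pdf", ".doc", ".docx", ".txt"}
# DLL names worth watching for side-loading. Only the name from the article is
# listed here; this is a placeholder list, not a complete one.
SIDELOAD_DLL_NAMES = {"windowscodecs.dll"}


def build_sample_archive(malicious: bool = True) -> bytes:
    """Constructed sample archive mimicking the layout described in the article.
    The member contents are placeholder bytes, not real malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if malicious:
            zf.writestr("IMG-238279780.jpg.exe", b"MZ placeholder")
            zf.writestr("WindowsCodecs.dll", b"MZ placeholder")
        else:
            zf.writestr("IMG-0001.jpg", b"JFIF placeholder")
    return buf.getvalue()


def inspect_archive(zip_bytes: bytes) -> list[dict]:
    """Return a list of findings about suspicious member names in a ZIP archive."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = [n for n in zf.namelist() if not n.endswith("/")]

    # Group members by directory so side-loading pairs can be matched.
    by_dir: dict[str, list] = {}
    for name in names:
        path = PurePosixPath(name)
        by_dir.setdefault(str(path.parent), []).append(path)

    for entries in by_dir.values():
        executables, watched_dlls = [], []
        for path in entries:
            suffixes = [s.lower() for s in path.suffixes]
            if not suffixes:
                continue
            final = suffixes[-1]
            if final in EXECUTABLE_EXTS:
                executables.append(path)
                # With "hide extensions for known file types" on, the user sees
                # only the name without the last suffix, e.g. "IMG-238279780.jpg".
                if len(suffixes) >= 2 and suffixes[-2] in DECOY_EXTS:
                    findings.append({
                        "type": "double_extension",
                        "path": str(path),
                        "shown_as": path.name[: -len(path.suffix)],
                    })
            elif final == ".dll" and path.name.lower() in SIDELOAD_DLL_NAMES:
                watched_dlls.append(path)
        # An executable shipped beside a DLL carrying a system library's name is
        # the classic side-loading arrangement.
        for dll in watched_dlls:
            if executables:
                findings.append({
                    "type": "sideload_candidate",
                    "dll": str(dll),
                    "executables": [str(e) for e in executables],
                })
    return findings


if __name__ == "__main__":
    for finding in inspect_archive(build_sample_archive()):
        print(finding)
```

The check is deliberately based on names alone, so it can run on a mail gateway or download proxy without extracting anything; pairing it with a file-type check on the member bytes (an image that begins with an MZ header is another red flag) would tighten it further.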

The batch script covers its tracks by opening a Microsoft Edge window that shows a seemingly harmless picture while, in the background, it downloads another, base64-encoded script from a website.

To evade detection, the downloaded file is first saved with a deceptive .jpg extension; the script then renames it to .cmd, turning it into an executable batch file, and runs it.

The technique relies on social engineering: the victim is shown irrelevant content as a distraction while the actual malicious code is downloaded and run.

Figure: complete attack flow

According to Cert.pl, the batch script is designed to download and execute further scripts, and it uses VBScript to create a scheduled task that deletes itself after execution.

The main loop uses a for loop to wait for a period, kill Microsoft Edge processes, download a malicious CSS file using a headless Edge instance, change the downloaded file’s extension to .cmd, and then execute it.

The behavior suggests the script is designed to download and execute further modules in a staged fashion, potentially fetching a final payload that collects victim information and transmits it to the attacker-controlled server referenced in the script. 
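The staged behaviour described above leaves observable traces on the endpoint: a DLL carrying a Windows system library’s name loaded from a user-writable folder, Edge launched in headless mode by a shell, and a file renamed from a media extension to .cmd. The following Python is an added example, not code from the article or from Cert.pl, that runs those three checks over a constructed, pipe-delimited telemetry sample. The field layout, the timestamps, the user name, the `--headless` flag usage and the `example.invalid` URL are assumptions made for the illustration.

```python
import re

# Constructed sample telemetry (not real logs). Fields are separated by " | ":
# time, event type, image (the process on disk), free-text detail.
SAMPLE_LOG = """\
2024-05-08T10:01:03Z | IMAGE_LOAD | C:\\Users\\pawel\\AppData\\Local\\Temp\\IMG-238279780.jpg.exe | dll=C:\\Users\\pawel\\AppData\\Local\\Temp\\WindowsCodecs.dll
2024-05-08T10:01:05Z | PROCESS_CREATE | C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe | cmdline="msedge.exe --headless https://example.invalid/style.css" parent=cmd.exe
2024-05-08T10:01:09Z | FILE_RENAME | C:\\Windows\\System32\\cmd.exe | from=C:\\Users\\pawel\\AppData\\Local\\Temp\\style.jpg to=C:\\Users\\pawel\\AppData\\Local\\Temp\\style.cmd
2024-05-08T10:02:00Z | PROCESS_CREATE | C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe | cmdline="msedge.exe https://example.invalid/photo.jpg" parent=explorer.exe
2024-05-08T10:02:30Z | FILE_RENAME | C:\\Windows\\explorer.exe | from=C:\\Users\\pawel\\Pictures\\holiday.jpeg to=C:\\Users\\pawel\\Pictures\\holiday.jpg
2024-05-08T10:03:00Z | IMAGE_LOAD | C:\\Windows\\explorer.exe | dll=C:\\Windows\\System32\\WindowsCodecs.dll
"""

# Extensions the article says the payload is disguised with before being renamed.
DECOY_EXTS = (".jpg", ".jpeg", ".png", ".gif", ".css")
SCRIPT_EXTS = (".cmd", ".bat", ".vbs", ".ps1")
# DLL names watched for side-loading; only the article's name is listed here.
SIDELOAD_DLLS = {"windowscodecs.dll"}
# Locations where a DLL with such a name is expected to live.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def parse_line(line: str):
    """Split one telemetry line into its four fields, or return None if malformed."""
    parts = [p.strip() for p in line.split(" | ", 3)]
    if len(parts) != 4:
        return None
    return {"time": parts[0], "event": parts[1], "image": parts[2], "detail": parts[3]}


def detect(log_text: str) -> list[dict]:
    """Apply the three behavioural rules and return the alerts in log order."""
    alerts = []
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        image, detail = ev["image"].lower(), ev["detail"]

        if ev["event"] == "FILE_RENAME":
            # Rule 1: a "media" file turned into a script by renaming.
            m = re.search(r"from=(.+?) to=(.+)$", detail)
            if m:
                src, dst = m.group(1).lower(), m.group(2).lower()
                if src.endswith(DECOY_EXTS) and dst.endswith(SCRIPT_EXTS):
                    alerts.append({"rule": "decoy_rename_to_script",
                                   "time": ev["time"], "detail": f"{src} -> {dst}"})

        elif ev["event"] == "IMAGE_LOAD":
            # Rule 2: a watched DLL name loaded from outside the system directories.
            m = re.search(r"dll=(.+)$", detail)
            if m:
                dll = m.group(1).lower()
                if dll.rsplit("\\", 1)[-1] in SIDELOAD_DLLS and not dll.startswith(SYSTEM_DIRS):
                    alerts.append({"rule": "dll_sideload_from_user_dir",
                                   "time": ev["time"], "detail": f"{image} loaded {dll}"})

        elif ev["event"] == "PROCESS_CREATE":
            # Rule 3: Edge started headless (assumed "--headless" flag), which an
            # interactive user almost never does; the parent process is recorded.
            if image.endswith("\\msedge.exe") and "--headless" in detail:
                parent = re.search(r"parent=(\S+)", detail)
                alerts.append({"rule": "headless_edge_fetch", "time": ev["time"],
                               "detail": f"parent={parent.group(1) if parent else '?'}"})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert["time"], alert["rule"], alert["detail"])
```

The last three sample lines are benign look-alikes (an ordinary Edge launch, a .jpeg to .jpg rename, and the real WindowsCodecs.dll loaded from System32) and produce no alert, which is the behaviour a rule set like this has to keep when tuned against production telemetry.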

Kaaviya (https://cyberpress.org/)
Kaaviya is a Security Editor and fellow reporter with Cyber Press. She covers various cyber security incidents happening in cyberspace.
