Russia's 'Fighting Ursa' APT Uses Car Ads to Install HeadLace Malware

A prolific Russian threat actor known as Fighting Ursa is targeting diplomats through a used-car sale email scheme that then distributes HeadLace backdoor malware.

The gambit involves downloading a .zip file supposedly containing car images of an Audi Q7 Quattro SUV that's been outfitted for diplomatic use; but in fact, the files are executables whose .exe extensions are hidden by default in Microsoft Windows.

The photos of the vehicle are accompanied by a Romanian phone number and a contact at the Southeast European Law Enforcement Center to lend the ad additional credibility.

Fighting Ursa (aka APT28, Fancy Bear, and Sofacy) has adopted the tactic from other Russian threat actors, according to a report on the attack published by Palo Alto Networks' Unit 42.

In July 2023, Unit42 reported on the Russian threat actor Cloaked Ursa, which was using a similar lure — that time a used BMW sedan in Kyiv — to target diplomats working at embassies in Ukraine.

"These lures tend to resonate with diplomats and get targets to click on the malicious content," the blog post noted.

"Audi" Cyberattack Routine Drives Espionage

The attack chain begins with the use of the legitimate, free service known as "webhook" to host a malicious HTML page — a tactic that Unit 42 noted is often associated with APT28.

This page then determines if the target machine is running Windows. If it is, a .zip archive is offered for download. If the system is not Windows-based, the user is redirected to a decoy image.

Inside the .zip archive are three files: a Windows calculator executable disguised as an image file, a malicious dynamic link library (DLL), and a batch script.

The calculator executable is used to load the malicious DLL, which then runs the batch script.

The batch script then executes a command to retrieve a file from another webhook site URL, saves it in the downloads folder, renames it for execution, and then deletes it afterward to cover the attack’s tracks. That file contains the HeadLace backdoor, which establishes persistent access to a victim's machine in order to set the stage for follow-on data theft, reconnaissance, and surveillance activities.

"While the infrastructure used by Fighting Ursa varies for different attack campaigns, the group frequently relies on these freely available services [like webhook]," a Unit 42 post explained. "Furthermore, the tactics from this campaign fit with previously documented Fighting Ursa campaigns, and the HeadLace backdoor is exclusive to this threat actor."

Disabling Hide File Extension Options

Roger Grimes, data-driven defense evangelist at KnowBe4, explains that for nearly as long as Windows has been around, it has automatically hidden the file extension of dozens of commonly used files, such as .exe, .scr, .dll, etc.

"This allows an attacker to create a file — for example, 'carphotos.jpg.exe' — that appears to most Windows users as carphotos.jpg," he explains.

For the real file extension not to be hidden, a user must intentionally disable the "hide file extensions" option in Windows, often having to do so in multiple places.

"Why Microsoft continues to allow hiding file extensions to be the default setting for decades is beyond me, as it is responsible for many tens of millions of exploitations," Grimes says. "It's far past the time for Microsoft to disable this dangerous default."

Microsoft did not immediately respond to a request for comment.

Fighting Ursa: A Very Active Russian Cyber-Threat Actor

The hacking group, which most researchers track as APT28, has a long and infamous history as the perpetrators of US election interference in 2016, the NotPetya attacks, the Olympic Destroyer effort, and other high-profile cyber offensives.

More recently, it has targeted Ukrainian government bodies with spear-phishing emails posing as Windows Update guides to trick recipients into executing malicious PowerShell commands.

And in 2022, it disseminated a malicious document exploiting the now-patched CVE-2022-30190 flaw through phishing emails to Ukrainian users. The document, titled “Nuclear Terrorism: A Very Real Threat.rtf,” aimed to exploit concerns about the war in Ukraine escalating into a nuclear disaster.

The threat group has also targeted Ukraine's energy infrastructure, and recently built GooseEgg, a custom tool used to exploit CVE-2022-38028 in attacks directed toward Ukraine, Western Europe, and North America.