Posted on August 18, 2023 at 6:22 PM

Hackers Target Zulip App For Hacking Campaigns Against NATO Countries

Security researchers have detected an ongoing hacking campaign that targeted countries aligned with the North American Treaty Organization (NATO). The hacking campaign targeted the foreign affairs ministries in the two countries. The nature of this hacking campaign points to Russian threat actors that have been targeting Western countries that have allied with Ukraine.

Hackers use the Zulip app for diplomatic phishing campaigns

The phishing campaigns in question featured PDF documents that contained purported diplomatic information. Some of these documents were altered to appear as if they originated from Germany. The documents deploy a malware variant known as Duke.

The Duke malware is attributed to some of Russia’s largest threat actor groups, such as APT29. This hacker group also goes by names like The Dukes, Cloaked Ursa, BlueBravo, Midnight Blizzard, Cozy Bear, and Iron Hemlock.

The phishing campaign was reported by the EclecticIQ cybersecurity company. The Dutch-based firm said the hacking campaign relied on the Zulip chat application. This chat application has command-and-control functions. It evades and hides its malicious activities behind legitimate web traffic.

The hackers ran the campaign using a PDF attachment called “Farewell to Ambassador of Germany.” This PDF file contained an embedded JavaScript code that starts a multi-stage process to create a persistent backdoor on the targeted networks.

If the target opens the compromised PDF file, it will deploy a malicious HTML dropper, “Invitation_Farewell_DE_EMB.” This dropper will be released to run a JavaScript that later drops a ZIP archive file. This file later delivers an HTML Application file created to deploy the Duke malware.

Command-and-control (C2) will be enabled through the Zulip API to send the victim’s details to a chat room controlled by the hackers. The process allows these hackers to run remote commands on the compromised hosts.

EclecticIQ uncovered a second PDF file that APT29 most likely used to run reconnaissance or tests. The second PDF file notified the hacker if the targeted victim opened an email attachment through a notification on a compromised domain known as edenparkweddings[.]com.

Attack attributed to APT29

The techniques used in the hacking campaign mirror what has been previously seen with APT29. The hacking group used invitation themes in the recent campaign, similar to a previous study conducted by Lab52 on an attack impersonating the Norwegian embassy. The hacking attack delivered a DLL payload that could contact a remote server to secure additional payloads.

The recent campaign also used the “bahamas.gov[.]bs” domain in the intrusion sets, linking APT29 to the recent campaigns. Such behavior was reported in past research done by the Anheng Threat Intelligence Center.

The exploit on Zulip also aligns with the behavior of this state-sponsored hacker group to exploit legitimate internet services like Dropbox, Firebase, Google Drive, Microsoft OneDrive, Notion, and Trello.

The hacking group usually targets governments and government subcontractors. Its hacking campaign also targets political organizations, research firms, and critical industries across Europe and the United States.

The Computer Emergency Response Team of Ukraine (CERT-UA) also issued a warning about a new wave of phishing campaigns targeting state organizations in Ukraine. The report noted that the hacking campaigns used a Go-based open-source post-exploitation toolkit called Merlin. This hacking activity is tracked by researchers under the UAC-0154 moniker.

Ukraine has been on the receiving end of hacking exploits since the start of the war. The country faced attacks launched by the Sandworm elite hacking unit linked to Russian military intelligence. The hacking campaign disrupted crucial operations while gathering intelligence on the strategy used by Ukraine’s military.

A recent report published by the Security Service of Ukraine (SBU) noted that Sandworm unsuccessfully tried to secure unauthorized access to Android devices owned by military personnel in Ukraine to plan and perform combat missions.

According to the SBU, “The capture of devices on the battlefield, their detailed examination, and the use of available access, and software became the primary vector for the initial access and malware distribution.”

Some of the malware strains reported in this hacking campaign include NETD to guarantee persistence in the attacks. The DROPBEAR strain was used to secure remote access while the STL strain was used to collect data from Starlink. The Mirai botnet malware was also detected in this hacking campaign, with the TOR hidden service used to access the device.