The Russian nation-state actor, BlueBravo, has been engaging in cyber espionage against diplomatic entities in Eastern Europe, employing a new backdoor named GraphicalProton.
Recorded Future’s report highlights the phishing campaign’s use of legitimate internet services (LIS) for command-and-control obfuscation, observed between March and May 2023. BlueBravo, also known as APT29, has previously evaded detection using services such as Dropbox, Firebase, Google Drive, Notion, and Trello to establish covert communications with compromised hosts.
GraphicalProton is the latest addition to BlueBravo’s arsenal of malware targeting diplomatic organizations, following GraphicalNeutrino, HALFRIG, and QUARTERRIG. In contrast to GraphicalNeutrino’s use of Notion, GraphicalProton employs Microsoft’s OneDrive or Dropbox for communication, demonstrating the group’s efforts to diversify and expand its tools for strategic targeting.
BlueBravo seems to prioritize cyber espionage against European government sector entities, potentially due to Russia’s interest in gathering strategic data during and after the war in Ukraine. The new malware strain functions as a loader and is delivered via phishing emails with vehicle-themed lures, similar to an intrusion set reported by Palo Alto Networks Unit 42 earlier.
The ISO files in these emails contain .LNK files posing as .PNG images of a BMW car for sale, leading to the deployment of GraphicalProton when clicked. The malware utilizes Microsoft OneDrive as a command-and-control service, periodically polling a designated folder for additional payloads.
Researchers emphasize the importance of network defenders recognizing the potential misuse of legitimate services within their enterprise to prevent data exfiltration attempts.
Concurrently, the Computer Emergency Response Team of Ukraine (CERT-UA) warns of ongoing phishing attacks by the UAC-0006 group, intensifying efforts to persuade users into installing the SmokeLoader backdoor. As BlueBravo continues to evolve its tactics, cybersecurity measures remain crucial in safeguarding against such state-sponsored threats.
