QUARTERRIG

For communication, the payload uses both the Microsoft Graph and Dropbox API... Cloaked Ursa has previously leveraged Dropbox as a C2 server... past reports describing C2 communication via Notion and Google Drive.

Their initial access attempts over the past two years have predominantly used phishing lures with a theme of diplomatic operations... Cloaked Ursa emailed their illegitimate version of this flyer to multiple diplomatic missions throughout Kyiv. These illegitimate flyers use benign Microsoft Word documents of the same name.

ISO and IMG disk images, on Windows computers, are automatically mounted in the file system when opened... The actor used various techniques to get the user to launch the malware.

One of them was a Windows shortcut (LNK) file pretending to be a document but actually running a hidden DLL library with the actor's tools.

The shellcode is then injected into the first two active Windows processes that it can inject into, such as taskhost.exe or sihost.exe... Command Value 0 Inject shellcode into explorer.exe or smartscreen.exe... 4 Spawn and inject code into WerFault.exe.

One of them was a Windows shortcut (LNK) file pretending to be a document but actually running a hidden DLL library with the actor's tools.

The final payload contains a large array of obfuscation techniques, including string encryption and junk functions, as well as modifying exception handling structures... This results in a mangled control flow graph and failed decompilation.

The shellcode is then injected into the first two active Windows processes that it can inject into, such as taskhost.exe or sihost.exe... Command Value 0 Inject shellcode into explorer.exe or smartscreen.exe... 4 Spawn and inject code into WerFault.exe.

Once read into memory, it will decrypt the file using an XOR operation, which results in a secondary shellcode layer.

Both tools sent the IP address as well as the computer and user name to the actor. They were used to assess whether the victim was of interest to the actor and whether it was a malware analysis environment.

Both tools sent the IP address as well as the computer and user name to the actor. They were used to assess whether the victim was of interest to the actor and whether it was a malware analysis environment.

Campaigns observed in the past linked to “NOBELIUM” and “APT29” used .ZIP or .ISO files to deliver the malware. During the campaign described above, .IMG files were also used in addition to the aforementioned file formats.

For communication, the payload uses both the Microsoft Graph and Dropbox API... If communication fails via the Graph API several times, communication via Dropbox is attempted.

If the infected workstation passed manual verification, the aforementioned downloaders were used to deliver and start-up the commercial tools COBALT STRIKE or BRUTE RATEL.

Previously, Cloaked Ursa-linked payloads that communicate with Dropbox had wrapped communications in a packet that resembled an MP3 file... In this sample, it appears that they have opted to use BMP files. The threat actor-owned C2 will upload commands to Dropbox that are wrapped in the BMP format.