BlueBravo Deploys GraphicalProton Backdoor Against European Diplomatic Entities

Cyber Security Threat Summary:
The Russian nation-state actor known as BlueBravo has been observed targeting diplomatic entities throughout Eastern Europe with the goal of delivering a new backdoor called GraphicalProton, exemplifying the continuous evolution of the threat. The phishing campaign is characterized by the use of legitimate internet services (LIS) for command-and-control (C2) obfuscation, Recorded Future said in a new report published Thursday. The activity was observed between March and May 2023. BlueBravo, also known by the names APT29, Cloaked Ursa, and Midnight Blizzard (formerly Nobelium), is attributed to Russia's Foreign Intelligence Service (SVR), and has in the past used Dropbox, Firebase, Google Drive, Notion, and Trello to evade detection and stealthily establish communications with infected hosts. To that end, GraphicalProton is the latest addition to a long list of malware targeting diplomatic organizations after GraphicalNeutrino (aka SNOWYAMBER), HALFRIG, and QUARTERRIG.

For its part, GraphicalProton is a loader designed to deploy second-stage payloads such as Cobalt Strike and Brute Ratel. In the latest campaign observed, the infection starts with a spear-phishing email that redirects recipients to compromised websites designed to auto-download malicious ZIP/ISO files onto the victim’s system. Researchers say that these files contain .LNK files masquerading as .PNG images of a BMW car that is purportedly on sale. If clicked, this leads to the deployment of GraphicalProton.
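The lure described above relies on a Windows shortcut being mistaken for an image. As an added example (not code from the report or its authors), the Python check below scans an in-memory ZIP and flags entries whose bytes carry the Shell Link header while the name suggests a picture; the archive contents and file names are constructed for the demonstration.

```python
import io
import zipfile

# Shell Link (.LNK) header: HeaderSize 0x4C followed by the ShellLink CLSID
# {00021401-0000-0000-C000-000000000046} in little-endian GUID layout.
LNK_MAGIC = bytes.fromhex("4c000000" "01140200" "00000000" "c000000000000046")
PNG_MAGIC = bytes.fromhex("89504e470d0a1a0a")
IMAGE_EXTS = (".png", ".jpg", ".jpeg", ".gif", ".bmp")


def classify(name: str, head: bytes) -> str:
    """Return a verdict for one archive entry from its name and magic bytes."""
    lower = name.lower()
    if head.startswith(LNK_MAGIC):
        # Explorer hides the .lnk suffix, so "photo.png.lnk" displays as a PNG.
        stem = lower[:-4] if lower.endswith(".lnk") else lower
        if stem.endswith(IMAGE_EXTS):
            return "suspicious: LNK disguised as image"
        return "lnk"
    if head.startswith(PNG_MAGIC):
        return "png"
    return "other"


def scan_archive(data: bytes) -> dict:
    """Scan every file entry of a ZIP held in memory; return {name: verdict}."""
    results = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(len(LNK_MAGIC))  # only the header is needed
            results[info.filename] = classify(info.filename, head)
    return results


def build_sample_archive() -> bytes:
    """Constructed sample: one real PNG header and one LNK named like a photo."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("BMW_photo.png", PNG_MAGIC + b"\x00" * 16)
        zf.writestr("BMW_for_sale.png.lnk", LNK_MAGIC + b"\x00" * 16)  # hypothetical lure name
    return buf.getvalue()


if __name__ == "__main__":
    for entry, verdict in scan_archive(build_sample_archive()).items():
        print(f"{entry}: {verdict}")
```

The same check applies to ISO images once their contents are extracted; matching on the header rather than the extension is what catches the rename.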

Security Officer Comments:

BlueBravo has a history of using a variety of legitimate internet services for command-and-control communications. Unlike GraphicalNeutrino, which used Notion for C2, the latest malware, GraphicalProton, employs Microsoft OneDrive to store and retrieve additional payloads. With third-party services enabling BlueBravo to evade detection and go unnoticed for long periods of time, researchers recommend that network defenders “be aware of the possibility of the misuse of these services within their enterprise and to recognize instances in which they may be used in similar efforts to exfiltrate information.”

Suggested Correction(s):
With BlueBravo using spear-phishing emails as the initial infection vector, it is imperative that users adhere to the following recommendations:

  • Do not open emails or download software from untrusted sources
  • Do not click on links or attachments in emails that come from unknown senders
  • Do not supply passwords, personal, or financial information via email to anyone (sensitive information is also used for double extortion)
  • Always verify the email sender's email address, name, and domain
  • Backup important files frequently and store them separately from the main system
  • Protect devices using antivirus, anti-spam and anti-spyware software
  • Report phishing emails to the appropriate security or I.T. staff immediately

Link(s):
https://thehackernews.com/2023/07/bluebravo-deploys-graphicalproton.html