Fake Car Ads Conceal APT28’s HeadLace Malware Attack

The hacker group APT28 recently launched a new campaign to distribute the HeadLace malware through a fake car sale advertisement. The campaign began in March 2024 and is likely targeting diplomats.

This tactic is not new to cybercriminals. For several years, they have been using fake luxury car sale ads to attract victims’ attention and inject malicious code.

According to Unit 42 specialists, the latest campaign associated with APT28 utilized public and free services to host malicious files and links. A suspicious link was placed on the legitimate service Webhook[.]site, which allows the creation of randomized URLs for various purposes. This functionality was exploited by the hackers to distribute a malicious HTML document.

When the link is visited, algorithms on the page check if the computer is running the Windows operating system. If it is not, the user is redirected to a fake image hosted on the free service ImgBB. However, if the system is running Windows, the HTML document creates a ZIP archive containing malicious files and prompts the user to download it.

The fake car sale advertisement (Audi Q7 Quattro) includes contact details and information about the seller, supposedly located in Romania, to lend credibility to the offer. Nonetheless, all these details are fictitious and serve only to attract the victims’ attention.

The downloaded archive “IMG-387470302099.zip” contains three files, one of which is disguised as an image but is an executable file containing a copy of the legitimate Windows calculator—”calc.exe.” This file is used to load a malicious DLL library “WindowsCodecs.dll,” which, in turn, launches the file “zqtxmo.bat,” completing the infection chain.

APT28 actively uses free legitimate services to host attack elements, making them harder to detect. The methods used in this campaign align with previously documented attacks by this group, and the HeadLace malware is exclusively associated with APT28.

To protect against such attacks, it is recommended to restrict access to services popular among hackers or to carefully monitor their usage. Organizations should closely monitor free online resources to promptly identify potential attack vectors.

Related Posts:

• APT28 Attacks International Olympic Committee & published 2018 Winter Olympics emails
• APT28’s Cyber Espionage: Targeting Governmental Systems in Ukraine and Poland
• ANSSI Alerts: APT28’s Stealthy Strikes on France
• US Denounces Russian Cyberattacks Targeting Germany, EU Nations
• Russia APT28 updates its arsenal in ongoing campaigns