A recent report by SEQRITE Labs APT-Team has shed light on a sophisticated campaign, dubbed Operation HollowQuill, targeting Russian research and development networks. This operation leverages weaponized decoy documents, designed to appear as official research invitations, to infiltrate sensitive organizations.
The primary target of Operation HollowQuill is the Baltic State Technical University, a prominent institution involved in defense, aerospace, and advanced engineering programs that contribute significantly to Russia’s military-industrial complex. However, the campaign’s reach extends beyond academia, also targeting governmental and defense-related entities.
The attackers employ a multi-stage infection chain to deliver their malicious payload.
- It starts with a malicious RAR archive file.
- This RAR archive contains a .NET malware dropper, which in turn deploys a legitimate OneDrive executable, a Golang-based shellcode loader, and a decoy PDF document.
- The .NET dropper extracts a PDF.
- The Golang loader injects shellcode into the legitimate OneDrive process.
- A shortcut (.LNK) file is used for startup persistence.
- The final payload is a Cobalt Strike beacon, communicating with a command-and-control server.
The decoy documents used in this campaign are crafted to appear as official communications. For instance, one decoy document is related to the Ministry of Science and Higher Education of Russia and concerns the Baltic State Technical University “VOENMEKH” named after D.F. Ustinov. These documents often discuss state-assigned research projects or defense-related academic collaborations, adding to their credibility. As the report states, “The contents and the entire decoy confirm that this PDF serves as a comprehensive guideline for the allocation of state-assigned research tasks”.
SEQRITE Labs APT-Team conducted a detailed technical analysis of the malware used in Operation HollowQuill. The analysis covers the malicious RAR file, the .NET dropper, the Golang shellcode loader, and the Cobalt Strike payload.
- .NET Dropper: The .NET executable, often named “SystemUpdaters.exe”, is responsible for deploying the legitimate OneDrive application, the Golang loader, and the decoy PDF.
- Golang Shellcode Loader: The Golang executable injects shellcode into the OneDrive process. It employs anti-analysis techniques, such as checking the sleep duration, to evade detection.
- Cobalt Strike Payload: The final stage of the infection chain involves the deployment of a Cobalt Strike beacon, a common tool used by attackers for command and control.
SEQRITE Labs APT-Team’s investigation also uncovered valuable information about the threat actor’s infrastructure. The report notes “little OPSEC related mistakes from the threat actor such as leaving Go-build ID along with the injector,” which aided in hunting for similar payloads. The command-and-control server, hosted at the domain “phpsymfony[.]com,” has been observed rotating across multiple ASN services.
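The Go-build ID pivot the report describes can be reproduced offline: every Go binary carries a build ID string written by the Go linker, so two loaders compiled from the same build share it. The following is an added example (not code from SEQRITE’s report or from the campaign’s tooling) that extracts that string and flags samples sharing an ID with a known loader; the build IDs and sample blobs are constructed stand-ins, not values from the report.

```python
import re
from typing import Dict, Optional, Set

# Marker the Go linker embeds in every Go binary (see cmd/internal/buildid):
# 0xff, ' Go build ID: "', the ID itself, '"', newline, space, 0xff.
GO_BUILD_ID_RE = re.compile(rb'\xff Go build ID: "([^"\n]{1,200})"\n \xff')


def extract_go_build_id(data: bytes) -> Optional[str]:
    """Return the Go build ID embedded in a PE/ELF/Mach-O Go binary, or None."""
    match = GO_BUILD_ID_RE.search(data)
    return match.group(1).decode("ascii", errors="replace") if match else None


def hunt_by_build_id(samples: Dict[str, bytes], known_ids: Set[str]) -> Dict[str, str]:
    """Return {sample_name: build_id} for samples sharing a build ID with a known loader."""
    hits = {}
    for name, blob in samples.items():
        build_id = extract_go_build_id(blob)
        if build_id is not None and build_id in known_ids:
            hits[name] = build_id
    return hits


# Constructed stand-ins for binaries (no real malware): an MZ header, padding,
# the Go build ID marker and a few code bytes. The IDs are made up, not from the report.
KNOWN_LOADER_ID = "AAAA1111aaaa1111AAAA/BBBB2222bbbb2222BBBB/CCCC3333cccc3333CCCC/DDDD4444dddd4444DDDD"
UNRELATED_ID = "EEEE5555eeee5555EEEE/FFFF6666ffff6666FFFF/GGGG7777gggg7777GGGG/HHHH8888hhhh8888HHHH"


def fake_go_binary(build_id: str) -> bytes:
    return (b"MZ" + b"\x00" * 62 + b'\xff Go build ID: "' + build_id.encode("ascii")
            + b'"\n \xff' + b"\x90" * 16)


SAMPLES = {
    "injector_a.exe": fake_go_binary(KNOWN_LOADER_ID),   # same build as the known loader
    "injector_b.exe": fake_go_binary(KNOWN_LOADER_ID),   # a second copy found elsewhere
    "other_tool.exe": fake_go_binary(UNRELATED_ID),      # Go binary, but a different build
    "notepad.exe": b"MZ" + b"\x00" * 200,                # not a Go binary at all
}

if __name__ == "__main__":
    for name, hit in hunt_by_build_id(SAMPLES, {KNOWN_LOADER_ID}).items():
        print(f"{name}: shares Go build ID {hit}")
```

Stripped binaries keep this marker, so the same scan works on samples whose symbol tables have been removed.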
By using convincing decoy documents and employing advanced malware techniques, the attackers aim to infiltrate and compromise valuable research and development data. As the report concludes, “Analyzing the overall campaign and TTPs employed by the threat actor, we can conclude that the threat actor has started targeting few months back since December 2024.”