##### CYBER THREAT ANALYSIS
By Insikt Group® | RUSSIA | May 30, 2024

# GRU’s BlueDelta Targets Key Networks in Europe with Multi-Phase Espionage Campaigns

- **BlueDelta conducted sophisticated credential-stealing campaigns** targeting Ukraine’s Ministry of Defence, Ukrainian weapons import and export companies and an
- **Operational infrastructure was continuously evolved to deploy Headlace malware through three distinct phases**, abusing legitimate services such as GitHub, Mocky,
- **Credential harvesting campaigns targeted webmail service users**, using scripts hosted on compromised routers to defeat two-factor authentication and

CTA-RU-2024-0530 | Recorded Future® | [www.recordedfuture.com](http://www.recordedfuture.com)

## Key Findings

- BlueDelta has been observed conducting espionage using Headlace malware against targets in Europe by using phishing emails, legitimate internet services, and living-off-the-land binaries.
- The group regularly updates and improves its operational infrastructure, indicating sophistication and agility.
- Since March 2022, BlueDelta has conducted regular credential harvesting campaigns targeting Yahoo and UKR[.]net webmail service users.
- BlueDelta’s campaigns targeted Ukraine’s Ministry of Defence, Ukrainian weapons import and export companies, and a think tank in Azerbaijan, with the most recent campaigns observed in February and March 2024.
- This targeting matches Russia’s strategic interests, with a strong focus on gathering information to support its war effort in Ukraine, as well as monitoring the geopolitical landscape of neighboring countries and North Atlantic Treaty Organization (NATO) members.
- BlueDelta uses credential harvesting pages that can defeat two-factor authentication and CAPTCHA challenges by relaying requests between legitimate services and compromised Ubiquiti routers.
- Recorded Future customers should turn on real-time alerting through Recorded Future’s Intelligence Cloud to detect typosquat domains that mimic their brands, assess suspicious email attachments with Recorded Future Malware Intelligence, and monitor their companies’ attack surface by using Recorded Future’s Attack Surface Intelligence.

## Background

On September 4, 2023, [CERT-UA reported](https://cert.gov.ua/article/5702579) a phishing campaign that leveraged Headlace malware to target a critical energy infrastructure facility in Ukraine. During this campaign, BlueDelta sent phishing emails from a fake sender address that contained links to archive files. The archive files contained lure images and a Windows BAT script which, if executed, ran the whoami command and exfiltrated the results back to the threat actor.

On September 6, 2023, Zscaler published a new blog post titled “[Steal-It Campaign](https://www.zscaler.com/blogs/security-research/steal-it-campaign)”. This report provided additional information covering several new attack chains used by BlueDelta, which targeted entities in Australia, Belgium, and Poland.

In October 2023, Insikt Group shared an internal report on BlueDelta activity involving living-off-the-land binaries and abuse of legitimate internet services (LIS) to target European victims. During this campaign, three separate infection chains were observed, which used geo-fencing techniques to exploit only victims located in Austria, Lithuania, and Spain. The report detailed the threat actor’s use of the free mock application programming interface (API) services Mockbin (mockbin[.]org) and Mocky (mocky[.]io) to survey Windows operating systems and capture NT LAN Manager (NTLM) hashes. BlueDelta used seven different infrastructure stages, as shown in Figure 1, to filter out sandboxes and incompatible operating systems and to restrict payloads to systems in targeted countries.
Victims who failed these checks downloaded a benign file and were redirected to Microsoft’s web portal, msn[.]com, whereas

- *.rf[.]gd
- *.infinityfreeapp[.]com
- *.000[.]pe
- *.lovestoblog[.]com
- *.kesug[.]com
- *.wuaze[.]com
- *.great-site[.]net
- *.42web[.]io
- *.free[.]nf

- https://windows-update-service[.]github[.]io/kb5021042/update.html?id=[GUID]
- https://microsoft-update-com[.]github[.]io/kb5021042/update.html?id=[GUID]

##### Stage Two

Following either of the stage-one links redirects the victim to the stage-two script hosted at Mockbin, as shown in Figure 4.

The stage-four ZIP payloads were essentially unchanged from the stage-four payloads detected in phase one. The ZIP files contain a BAT script and a benign CAB file for the Windows Update kb5021042. Upon execution, the BAT script creates a Visual Basic script (VBScript) and an additional BAT script. The VBScript is then executed and calls the newly created BAT script; its only purpose is to execute that script. When executed, the newly created BAT script displays a command prompt showing a fake installation of a Windows Update, as shown in Figure 6. As per phase one (see Figure 1), the new BAT script runs in a loop every five minutes (300 seconds) and downloads a third BAT script (stage six) via Mockbin and Mocky, which masquerades as a CSS file and is run via Microsoft Edge in headless mode.
The final downloaded BAT script is then moved to the victim’s C:\ProgramData\ directory before being executed and finally deleted.

**Figure 6: Fake Windows update installer (Source: Recorded Future)**

##### Lure Documents and Malware

Insikt Group identified three separate ZIP files used in phase two, as shown in Table 1. The ZIP files contained the first malicious BAT and benign CAB files and no further lure documents.

|File Name|Hash (SHA256)|
|---|---|
|kb5021042.zip|d712744a128b22a0919ecde2508bbfeffa33a61870a941c424e8b301183c44fe|
|kb5021042.cmd|7ec80bd3469656f3d8d406a64097d2f0b2bbd1fd0e49f260ae7b28524470c0fe|
|update-kb-5021042.zip|54a27464c7ad7f2e32cd123b27c0f9082590cd5ba48526bf00728e8107048f48|
|Install-kb-5021042.cmd|12d98b5c513fe9668661e3fdabb93f595a82a81554f28fbd84658de0aab2a929|
|update-kb-5021042.zip|6c0658ac52ca6eb315ab8b6b702a9e24d02d58f24d6d6feb55716b0c05252e51|
|install-kb-5021042.cmd|d9be3235d7236ff66c871d4070b98fd0fe46319d0ef04047c1ab4e8c7254d8a5|

|Domain|First Detected|
|---|---|
|calc-dwn[.]infinityfreeapp[.]com|2023-10-30|
|clouddrive[.]infinityfreeapp[.]com|2023-10-12|
|document-c[.]infinityfreeapp[.]com|2023-10-30|
|document-d[.]infinityfreeapp[.]com|2023-10-30|
|documents-cloud[.]infinityfreeapp[.]com|2023-12-06|
|downloadc[.]infinityfreeapp[.]com|2023-11-08|
|downloaddoc[.]infinityfreeapp[.]com|2023-11-07|
|downloadfile[.]infinityfreeapp[.]com|2023-10-24|
|downloadingdoc[.]infinityfreeapp[.]com|2023-11-07|
|downloadinge[.]infinityfreeapp[.]com|2023-10-26|
|downloadingf[.]infinityfreeapp[.]com|2023-10-19|
|downloadingq[.]infinityfreeapp[.]com|2023-10-26|
|downloadingw[.]infinityfreeapp[.]com|2023-10-26|
|downloadx[.]infinityfreeapp[.]com|2023-11-13|
|downloadz[.]infinityfreeapp[.]com|2023-11-08|
|fdsagdfg[.]rf[.]gd|2023-10-17|
|file-download[.]infinityfreeapp[.]com|2023-12-15|
|filedwn[.]infinityfreeapp[.]com|2023-10-25|
|filehosting[.]infinityfreeapp[.]com|2023-10-25|
|filihosting[.]infinityfreeapp[.]com|2023-10-25|
|microsoft-files[.]infinityfreeapp[.]com|2023-10-24|
|online-download[.]infinityfreeapp[.]com|2023-11-13|
|online-drive[.]infinityfreeapp[.]com|2023-11-13|
|online-files[.]infinityfreeapp[.]com|2023-11-06|
|opendoc[.]infinityfreeapp[.]com|2023-11-13|
|opendocument[.]infinityfreeapp[.]com|2023-11-13|
|opendocuments[.]infinityfreeapp[.]com|2023-11-13|

**Table 2: BlueDelta phase-three, stage-one, redirection domains (Source: Recorded Future)**

Additionally, for phase three, the actors made slight changes to the infrastructure stages, combining previous stages two and three into a single PHP script, as shown in Figure 8.

**Figure 8: Phase-three infrastructure stages (Source: Recorded Future)**

##### Stage One

Previously, in phase two, stage one, the actors used an HTML redirection script to forward victims to Mockbin, as described in Figure 3. In phase three, the redirection technique was modified to use the web server’s root directory, which forwarded victims to a new PHP script called filedwn.php. For example, *.infinityfreeapp[.]com/?id= would redirect to *.infinityfreeapp[.]com/filedwn.php?id=.

##### Stage Two

In phase three, the aforementioned file filedwn.php replaced the previously used stages two and three in the infection chain.
Due to PHP being a server-side programming language, it is not possible to see the actual code used, but it is assumed that the malicious script carries out similar sandbox, browser, and geo-fencing checks as per the previous stages in phases one and two. If the victim fails the checks, filedwn.php serves the victim a benign ZIP file and redirects them to msn[.]com; if they pass, they receive a malicious ZIP. It is suspected that the threat actors may have added some sort of count function limiting the number of times the malicious payload can be downloaded: during our research, it was noted that the payload could only be downloaded once, and subsequent requests received the benign ZIP file.

##### Stage Three

The payload for stage three was changed slightly from the previous two phases. As shown in Figure 9, one lure theme was “news_week_6”; when decompressed, the ZIP file contained a folder with an executable called `news_week_6` and hidden files named `calc.cmd`, `WindowsCodecs.dll`, `news_week_6`, and `news_week_6.docx`.

**Figure 9: Contents of the stage-four payload (Source: Recorded Future)**

The `news_week_6` executable file is a benign copy of calc.exe that loads `WindowsCodecs.dll` via dynamic-link library (DLL) search order hijacking. Once loaded, the `DllMain` function executes `calc.cmd` via a call to `system()`, as shown in Figure 10. The `news_week_6` executable file had several spaces appended to the file name, which were probably added to hide the fact that it was an executable file.

**Figure 10: WindowsCodecs.dll used to execute calc.cmd (Source: Recorded Future)**

The calc.cmd script creates similar BAT and VBS files, as seen in phases one and two.
It then launches the decoy document news_week_6.docx, removes the malicious payload from the victim’s machine, and replaces it with a copy of the benign payload news_week_6 file. As shown in Figure 11, the first line of the calc.cmd script is the same as seen in the first two phases. This creates a VBS script and another BAT script that repeatedly checks in with the command-and-control (C2) server for new payloads masquerading as CSS files. The calc.cmd script then continues by killing any running instances of WINWORD.exe, removing the malicious artifacts from its payload, copying the benign copy of its payload into the user’s download directory, and then opening the decoy document.

**Figure 11: calc.cmd script (Source: Recorded Future)**

A minor change to the BAT script used to retrieve a new CSS payload was observed. When running Microsoft Edge in headless mode, rather than being given the URL of the C2, the browser is instead provided with an encoded HTML page, as shown in Figure 12.

**Figure 12: BAT script used to repeatedly retrieve new CSS payloads from the C2 server (Source: Recorded Future)**

As shown in Figure 13, when Microsoft Edge loads the encoded page, a JavaScript script redirects the browser to an infinityfreeapp[.]com URL rather than Mockbin, as used in phases one and two.

**Figure 13: Decoded HTML page used to redirect the victim to the C2 server (Source: Recorded Future)**

##### Stage Four

The stage-four script, execdwn.php, was also changed to PHP from HTML and is hosted at InfinityFree rather than Mockbin. The content of this script is not viewable, but it is expected to be similar to the previous stage-five script containing JavaScript, as shown earlier in Figure 7. The script conducts browser and operating system checks before forwarding the victim to a final payload hosted at Mocky, which contains commands to be executed on the victim’s system.
As per the previous Mockbin file, this stage is also used to capture the output of these commands after stage six for the actors to collect.

##### Stage Five

Several payload scripts were captured in this phase. The scripts remained the same as those found in phase one and contained a second geo-fencing check that, if passed, allowed the victim to download a malicious CSS payload via HTML smuggling, which contained commands to be run on the victim’s machine, as shown in Figure 14.

The final CSS payload was updated slightly compared to phases one and two. As shown in Figure 15, BlueDelta printed the username and userdomain to a file rather than using the whoami command.

**Figure 15: Stage-five geofence and final payload script (Source: Recorded Future)**

##### Stage Six

At stage six, BlueDelta sent the results of the commands run on the victim system to the PHP file execdwn.php rather than Mockbin, as in phases one and two.

##### Phishing Emails and Lure Documents

Insikt Group uncovered one phishing email linked to BlueDelta’s phase-three campaign, as shown in Figure 16. The email appeared to be sent from the Chancellery of the Prime Minister in Poland and used a report on the human rights of Palestine and Arab-occupied territories as a lure. The email contained a hyperlink to opendoc[.]infinityfreeapp[.]com, with the display text war.zip.
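The Headlace execution chain walked through above (a BAT script that writes a VBScript and a second BAT, a loop that fetches a CSS-disguised script through headless Microsoft Edge, a .cmd staged under C:\ProgramData, and a renamed calc.exe loading WindowsCodecs.dll from its own folder) leaves a recognisable trail in endpoint telemetry. The following Python is an added example of detection logic written for this report and is not Recorded Future’s or the malware’s code: it checks constructed Sysmon-style process-creation and image-load events against four rules derived from the behaviours described in the text. The field names (image, parent_image, command_line, loaded, original_file_name) are a simplified assumption, and the sample events, paths, and file names are constructed for the example.

```python
import re
from dataclasses import dataclass

# Windows directories from which a genuine WindowsCodecs.dll would be loaded
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Script interpreters that launch the Headlace stages described in the report
SCRIPT_HOSTS = {"cmd.exe", "wscript.exe", "cscript.exe"}


@dataclass
class Event:
    """Simplified Sysmon-style event (field names are an assumption of this example)."""
    kind: str                      # "process" (process creation) or "imageload"
    image: str                     # full path of the process image
    parent_image: str = ""         # parent process image (process events)
    command_line: str = ""         # full command line (process events)
    loaded: str = ""               # module path (imageload events)
    original_file_name: str = ""   # PE OriginalFileName of the loading process (imageload events)


def _base(path: str) -> str:
    """Lower-cased final path component; trailing spaces are kept on purpose (the lure used them)."""
    return path.rsplit("\\", 1)[-1].lower()


def check_event(ev: Event) -> list[str]:
    """Return the names of the rules the event triggers (empty list if none)."""
    hits = []
    img, parent, cmd = _base(ev.image), _base(ev.parent_image), ev.command_line.lower()
    if ev.kind == "process":
        # Rule 1: headless Edge started by a script interpreter (the stage-six CSS fetch loop)
        if img == "msedge.exe" and "--headless" in cmd and parent in SCRIPT_HOSTS:
            hits.append("headless_edge_from_script")
        # Rule 2: cmd.exe executing a .cmd/.bat staged under C:\ProgramData
        if img == "cmd.exe" and re.search(r"c:\\programdata\\[^\s\"]+\.(cmd|bat)\b", cmd):
            hits.append("cmd_script_in_programdata")
        # Rule 3: wscript.exe running a .vbs whose parent is cmd.exe (BAT -> VBS -> BAT chain)
        if img == "wscript.exe" and ".vbs" in cmd and parent == "cmd.exe":
            hits.append("vbs_spawned_by_bat")
    elif ev.kind == "imageload":
        loaded = ev.loaded.lower()
        # Rule 4: WindowsCodecs.dll resolved from outside the system directories (search-order hijack)
        if _base(loaded) == "windowscodecs.dll" and not loaded.startswith(SYSTEM_DIRS):
            hits.append("windowscodecs_sideload")
            # Higher confidence when the loader is calc.exe running under a different name
            if ev.original_file_name.lower() == "calc.exe" and img != "calc.exe":
                hits.append("renamed_calc_loader")
    return hits


def scan(events: list[Event]) -> dict[str, int]:
    """Count how many events triggered each rule."""
    counts: dict[str, int] = {}
    for ev in events:
        for rule in check_event(ev):
            counts[rule] = counts.get(rule, 0) + 1
    return counts


# Constructed sample telemetry: one Headlace-like chain plus a benign codec load
SAMPLE_EVENTS = [
    Event("process", r"C:\Windows\System32\cmd.exe", r"C:\Windows\explorer.exe",
          r'cmd.exe /c "C:\Users\victim\Downloads\news_week_6\calc.cmd"'),
    Event("process", r"C:\Windows\System32\wscript.exe", r"C:\Windows\System32\cmd.exe",
          r'wscript.exe "C:\Users\victim\AppData\Local\Temp\upd.vbs"'),
    Event("process", r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
          r"C:\Windows\System32\cmd.exe",
          'msedge.exe --headless --disable-gpu "data:text/html;base64,PGh0bWw+"'),
    Event("process", r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\cmd.exe",
          r"cmd.exe /c C:\ProgramData\kb5021042.cmd"),
    Event("imageload", "C:\\Users\\victim\\Downloads\\news_week_6\\news_week_6   ",
          loaded=r"C:\Users\victim\Downloads\news_week_6\WindowsCodecs.dll",
          original_file_name="CALC.EXE"),
    Event("imageload", r"C:\Windows\explorer.exe",
          loaded=r"C:\Windows\System32\WindowsCodecs.dll", original_file_name="explorer.exe"),
]

if __name__ == "__main__":
    for rule, n in sorted(scan(SAMPLE_EVENTS).items()):
        print(f"{rule}: {n}")
```

Each rule is deliberately narrow so it can be mapped to a single log source; the value comes from correlating them on one host within the five-minute check-in window the report describes, since a lone headless-Edge launch or a lone ProgramData script is a much weaker signal than the four together.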
**Figure 16: Phishing email possibly spoofed from the Polish Government (Source: Recorded Future)**

Following the link downloads a malicious ZIP file containing a legitimate, publicly available United Nations document entitled “Report of the Special Committee to Investigate Israeli Practices Affecting the Human Rights of the Palestinian People and Other Arabs of the Occupied Territories”, alongside hidden files as shown in Figure 17. These files provide similar functionality to those described earlier in the report, in phase three, stage three. [IBM previously reported this lure document](https://securityintelligence.com/x-force/itg05-ops-leverage-israel-hamas-conflict-lures-to-deliver-headlace-malware/) in December 2023.

**Figure 17: Hidden files contained inside War.zip (Source: Recorded Future)**

|File Name|Type|SHA256|
|---|---|---|
|2023-12-bois-position-on-accessing-capital-pr.zip|Payload|a0a67412968c10224e04bfbe32e6012b34e4a4ecc36fc72332101b90acec8fa4|
|2023-12-bois-position-on-accessing-capital-pr.zip|Benign|d5eb88c1fe88e274a9212ff6647e8220f1bfbc250e0e891f60ea8a28afc9b19c|
|20231113_ROU_ROAD_MOV_REQUEST-NATOTF20231113NN001-302.zip|Benign|2f498a25049f89a809550a11e379912ac053eba881470ddd3a4e2b487a31c2d0|
|calc.war.zip|Benign|763d47f16a230f7c2d8c135b30535a52d66a1ed210596333ca1c3890d72e6efc|
|IN11897.zip|Payload|f9f8ca7fa979766c168d7162df572f3549c7af2e707e5a5ac8e06bd352bb7399|
|IN11897.zip|Benign|0a5109479620c4c567928680f8e4be685a74e4b31efaa98811f3b54992697e2d|
|news_week_6.zip|Benign|bbe435a3f0adb1ef4810d22ed74f5eba8907201cba01230b8c98dbe5963e11a8|
|Roadmap.zip|Benign|f70c4f5f417b7360a9edb493ac2bc982bc59a18eee064825c859ad889b0be167|
|SEDE-PV-2023-10-09-1_EN.zip|Benign|07c06492d3252236579097d5b114bbbea2173255b017fb26df7217ea986d6d10|
|SEDE-PV-2023-10-09-1_EN.zip|Benign|8dba6356fdb0e89db9b4dad10fdf3ba37e92ae42d55e7bb8f76b3d10cd7a780c|
|SEDE-PV-2023-10-09-1_EN.zip|Benign|555eafd28474cf01b5eea4648ec6b417d08d17aba151c5592c8843672812cffa|
|war.zip|Benign|8cc664ff412fc80485d0af61fb0617f818d37776e5a06b799f74fe0179b31768|
|war.zip|Payload|b0604f58c55fdba4c4381e411689b29c031dbce3fb16c656a6b5fadb578deb76|
|Zeyilname.zip|Benign|2f1c2afdf17831e744841029bb5d5a3ea9fda569958303be03e50fb3a764913f|

**Table 3: BlueDelta lure ZIP files used in phase three (Source: Recorded Future)**

- Webhook[.]site - webhook[.]site
- Pipedream - pipedream[.]com
- Mocky - mocky[.]io
- Forge - getforge[.]com

BlueDelta used these free LIS for page- and code-hosting, credential capture, and exfiltration. As shown in Table 4, eighteen pages that were active between March 2022 and March 2024 were uncovered. [Google’s Threat Analysis Group (TAG)](https://blog.google/threat-analysis-group/update-threat-landscape-ukraine/) and [Sekoia](https://blog.sekoia.io/apt28-leverages-multiple-phishing-techniques-to-target-ukrainian-civil-society/) previously attributed some of the pages to BlueDelta, as highlighted in Appendix A.
|Date Live|Page URL|Exfil URL|Page Theme|
|---|---|---|---|
|2022-02-16|consumerpanel0x254a2[.]frge[.]io|webhook[.]site/f5eace0b-062b-402f-a006-63b97e4950c3|Ukraine MOD|
|2022-03-05|Hatdfg-rhgreh684[.]frge[.]io|webhook[.]site/d466f7a7-63a1-4c04-8347-fe2d0a96081f|ukr[.]net|
|2022-03-14|id-unconfirmeduser[.]frge[.]io|webhook[.]site/d466f7a7-63a1-4c04-8347-fe2d0a96081f|ukr[.]net|
|2022-03-17|ua-consumerpanel[.]frge[.]io|webhook[.]site/d466f7a7-63a1-4c04-8347-fe2d0a96081f|ukr[.]net|
|2022-03-19|Panelunregistertle-348[.]frge[.]io|webhook[.]site/f5eace0b-062b-402f-a006-63b97e4950c3|Ukraine MOD|
|2023-01-17|settings-panel[.]frge[.]io|eoytfd39hbrspa3[.]m[.]pipedream[.]net|Yahoo|
|2023-02-26|eo6kgbwpysq0laa[.]m[.]pipedream[.]net|37.191.122[.]186:3578|Yahoo|
|2023-03-01|ukrprivacysite[.]frge[.]io|68.76.150[.]97:8080|ukr[.]net|
|2023-03-21|xgfdstu6k[.]frge[.]io|174.53.242[.]108:8080|ukr[.]net|
|2023-04-03|setnewcred[.]ukr[.]net[.]frge[.]io|174.53.242[.]108:8080|ukr[.]net|
|2023-05-24|eottxji4yk4vg5x[.]m[.]pipedream[.]net|37.191.122[.]186:3578|Yahoo|
|2023-06-25|eoy6vrzslpn9vu[.]m[.]pipedream[.]net|37.191.122[.]186:3578 and eos93vb2cwsu3xf[.]m[.]pipedream[.]net|Yahoo|
|2023-07-13|eomhv6vdu4v5qyt[.]m[.]pipedream[.]net|eo1ws2wgj75rdfd[.]m[.]pipedream[.]net|ste.kiev[.]ua|
|2023-07-18|eogo85tybrrn2r[.]m[.]pipedream[.]net|Not captured|Yahoo|
|2023-09-27|xzdgsdfhfgtjdfj[.]wuaze[.]com|73.80.9[.]137:35780|Yahoo|
|2024-02-21|run[.]mocky[.]io/v3/4e14d583-bbf5-4af3-9a86-4c0938a7802a|3.80.9[.]137:35770|ukr[.]net|
|2024-03-05|turbify-biz-cesdaz[.]rf[.]gd|webhook[.]site/e7f39f18-bcb3-40e3-9e82-8cf7f807cc80|CESD AZ - Azerbaijan think tank|
|2024-03-06|consumerpanelapp[.]42web[.]io|eoytfd39hbrspa3[.]m[.]pipedream[.]net|SE SFTF PROGRES|

credentials are submitted to the router from the harvesting page, the script waits for one of five responses:

- If it receives the response “Finlay”, it calls the function show_last. This function hides three HTML elements on the page with the IDs "first", "second", and "third" by setting their style attribute to "display:none", making these elements invisible on the web page. At the same time, it makes a fourth element with the ID "last" visible by setting its style attribute to "display:block". The HTML elements with IDs "first", "second", "third", and "last" all contain HTML forms with slightly different content, which are loaded dynamically in different scenarios.
- If the credential harvesting script receives the response “Redirect” from the compromised router, it redirects the browser window to mail.ukr[.]net, indicating the credentials have been successfully captured.
- If it receives the response “AGAIN”, the credential harvesting script re-posts the credentials to the compromised router.
- If the response “BAD” is received, the text on the form with the “first” element ID is changed to "Неправильні дані", which is Ukrainian for "Incorrect data". The form’s background color is set to red and the “nowait” function is called, which resets the submit button status so it can be used again.
- Finally, if the response contains the term “DATA=”, the script splits and isolates the string after the search term, replaces single quotes with double quotes, and then uses the JSON.parse function to turn the stringified JSON data into a JavaScript object. It then iterates over each element in this data structure. This allows BlueDelta to dynamically update the displayed web page based on the data received from the compromised router.

Insikt Group was unable to recover the malicious script hosted on the compromised router, but it is assumed that it can also relay any CAPTCHA challenges issued by the legitimate website, as described in the Sekoia report mentioned above. This can be assumed due to similar JavaScript functions noted on the harvesting page.

compromised Ubiquiti EdgeRouters via fixed high-ephemeral ports.
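Both harvesting pages described in this report (the ukr.net-themed page above, whose JavaScript branches on the router’s “Finlay”, “Redirect”, “AGAIN”, “BAD” and “DATA=” replies, and the Yahoo-themed page covered in the next section, which branches on “OPDATA”, “BAD-VCODE”, “OPTIONS”, “Finaly”, “AGAIN”, “CHANGE”, “BAD”, “BAD-PASSWORD”, “BAD-CODE”, “YAK-CODE” and “PUSH”) can be fingerprinted from a captured copy of the page by the response strings the client compares against. The Python below is an added example written for this report, not code from Recorded Future or from the kits themselves: it pulls string literals out of equality and indexOf/includes comparisons in the page’s script, measures their overlap with the two documented response vocabularies, and adds weight for the other artefacts the text names (the show_last and nowait functions and the Ukrainian “Неправильні дані” message). The sample pages are constructed skeletons containing only such comparisons, and the thresholds and marker weights are assumptions.

```python
import re

# Response vocabularies documented for the two harvesting pages
KIT_PROFILES = {
    "ukr.net harvesting page": {"Finlay", "Redirect", "AGAIN", "BAD", "DATA="},
    "Yahoo harvesting page": {
        "OPDATA", "BAD-VCODE", "OPTIONS", "Finaly", "AGAIN", "CHANGE",
        "BAD", "BAD-PASSWORD", "BAD-CODE", "YAK-CODE", "PUSH",
    },
}
# Other page artefacts named in the report, with a weight each (weights are assumptions)
EXTRA_MARKERS = {"Неправильні дані": 2, "show_last": 1, "nowait": 1}

# A string literal on the right-hand side of ==, ===, !=, !==, .indexOf( or .includes(
_CMP_RE = re.compile(r"""(?:===?|!==?|\.indexOf\(|\.includes\()\s*(['"])([^'"]{2,20})\1""")


def extract_response_tokens(page: str) -> set[str]:
    """Collect the literals the page's script compares a server reply against."""
    return {m.group(2) for m in _CMP_RE.finditer(page)}


def classify(page: str) -> dict:
    """Score a captured page against the documented response vocabularies."""
    tokens = extract_response_tokens(page)
    best, best_cov = None, 0.0
    for name, vocab in KIT_PROFILES.items():
        coverage = len(tokens & vocab) / len(vocab)   # share of the kit's vocabulary present
        if coverage > best_cov:
            best, best_cov = name, coverage
    extra = sum(w for marker, w in EXTRA_MARKERS.items() if marker in page)
    return {
        "tokens": sorted(tokens),
        "profile": best,
        "coverage": round(best_cov, 2),
        "extra_markers": extra,
        # thresholds are assumptions chosen for this example
        "suspicious": best_cov >= 0.5 or (best_cov >= 0.4 and extra >= 2),
    }


# Constructed sample inputs: only the comparison skeleton of each page, no form or posting logic
SAMPLE_UKR = """
if (r == 'Finlay') { show_last(); }
else if (r == 'Redirect') { location.href = 'https://mail.ukr.net'; }
else if (r == 'AGAIN') { /* re-post */ }
else if (r == 'BAD') { msg.innerText = 'Неправильні дані'; nowait(); }
else if (r.indexOf('DATA=') != -1) { /* update form */ }
"""
SAMPLE_YAHOO = """
switch (true) {
  case r == "OPDATA": askCode(); break;
  case r == "BAD-VCODE": unlock(); break;
  case r == "OPTIONS": showOptions(); break;
  case r == "Finaly": location.href = "https://mail.yahoo.com"; break;
  case r == "AGAIN": /* resend */ break;
  case r == "PUSH": waitPush(); break;
}
"""
SAMPLE_BENIGN = """
if (status === 'ok') { showInbox(); }
else if (status === 'error') { showError(); }
"""

if __name__ == "__main__":
    for label, page in (("ukr", SAMPLE_UKR), ("yahoo", SAMPLE_YAHOO), ("benign", SAMPLE_BENIGN)):
        print(label, classify(page))
```

Matching on the comparison vocabulary rather than on hostnames is what makes this survive the infrastructure churn the report documents: the pages moved between frge[.]io, pipedream[.]net, wuaze[.]com, mocky[.]io, rf[.]gd and 42web[.]io while the client-side protocol with the router stayed recognisable. Generic tokens such as “AGAIN” and “BAD” are shared by both profiles and by ordinary code, which is why they only count towards a profile’s coverage and never trigger on their own.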
The domains targeting Yahoo users were:

- eo6kgbwpysq0laa[.]m[.]pipedream[.]net
- eogo85tybrrn2r[.]m[.]pipedream[.]net
- eottxji4yk4vg5x[.]m[.]pipedream[.]net
- eoy6vrzslpn9vu[.]m[.]pipedream[.]net
- xzdgsdfhfgtjdfj[.]wuaze[.]com

Some of these pages displayed fake account activity pages that claimed the victim’s accounts had been logged into by unauthorized users located in Belarus, China, and Iran. The page also suggested that the user should reset the password associated with these accounts, as shown in Figure 26.

- “OPDATA”: If this string is returned, a user prompt asking for a verification code, either via phone or email, is displayed based on the device returned from the XML HTTP request.
- “BAD-VCODE”: This string indicates the verification code entered was incorrect; the input fields are made editable again to enable the user to retry.
- “OPTIONS”: Similar to OPDATA, but provides different authentication options.
- “Finaly”: This value indicates the authentication process is complete; the user is then redirected to another page, in this case mail.yahoo[.]com.
- “AGAIN”: The server requests the client to resend the data, which triggers a recursive call to the send function with the same data.
- “CHANGE”, “BAD”, “BAD-PASSWORD”, “BAD-CODE”, “YAK-CODE”, and “PUSH”: These handle various states of the authentication process, such as changing the password; an incorrect username, password, or code; and push notification verification. The user interface (UI) is updated for each case to prompt the user to take the next step or correct errors.

## Victimology

Upon analyzing
Headlace geofencing scripts and countries targeted by credential harvesting campaigns from 2022 onwards, Insikt Group identified that thirteen separate countries were targeted by BlueDelta. As expected, Ukraine topped the list, accounting for 40% of the activity. Türkiye might seem like an unexpected target with 10%, but it is important to note that it was singled out only by Headlace geofencing, unlike Ukraine, Poland, and Azerbaijan, which were targeted through both Headlace geofencing and credential harvesting.

**Figure 28: Countries targeted with either Headlace or credential harvesting since 2022 (Source: Recorded Future)**

## Mitigations

- Establish real-time alerts through Recorded Future’s Intelligence Cloud to detect typosquat domains that mimic your brand. This proactive measure helps guard against entities like BlueDelta, which could exploit these domains for credential harvesting and phishing.
- Use Recorded Future Identity Intelligence to monitor, detect, and mitigate widespread credential leaks and theft, enhancing account protection.
- Implement multi-factor authentication (MFA) to add an extra layer of security and make it more challenging for attackers to abuse compromised credentials.
- Monitor Insikt Group reporting for the latest threat actor tradecraft, TTPs, targeting, and indicators of compromise (IoCs) to ensure you are informed of the threat.
- Use this intelligence to provide comprehensive training on email security best practices, including identifying phishing emails, suspicious attachments, and links. Regularly reinforce training to maintain a high level of awareness and vigilance.
- Assess suspicious email attachments with Recorded Future Malware Intelligence for instant analysis to quickly assess and understand the associated threats.
- Monitor your company’s attack surface by using Recorded Future’s Attack Surface Intelligence to automate the detection of potential entry points for attackers and highlight network configuration changes.
- Ensure that both software and browser updates are prioritized using the Recorded Future Vulnerability Intelligence Module and installed regularly. Updates often include patches for vulnerabilities and replace outdated plug-ins and add-ons, making it harder for threat actors to exploit these vulnerabilities to compromise a device.
- Implement a domain name system (DNS)-blocking policy to prevent connections to free hosting apex domains, such as those used by InfinityFree and free API services, if your company does not use them.
- Participate in Recorded Future Collective Insights to harness the power of the Recorded Future Intelligence Cloud and customer signals to give visibility into threats based on your environment, industry, and in-the-wild incidents.

## Outlook

Insikt Group anticipates that BlueDelta will continue the operations detailed in this report, with an intensified emphasis on gaining insights into operational capabilities and potential vulnerabilities in Ukraine’s defense sector. BlueDelta’s objective is to acquire intelligence that bolsters Russia’s military endeavors in Ukraine and to gather insights into geopolitical dynamics in neighboring nations and NATO member states. The adaptability, skill, and ferocity demonstrated in this report will continue at pace as Russia tries to capture intelligence that gives it an edge on the battlefield and in its geopolitical interests.
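The DNS-blocking recommendation in the mitigations above can be turned into policy directly from the apex domains this report lists: the free-hosting apexes seen in phase three (rf[.]gd, infinityfreeapp[.]com, 000[.]pe, lovestoblog[.]com, kesug[.]com, wuaze[.]com, great-site[.]net, 42web[.]io, free[.]nf) and the mock-API and request-bin services used for staging and exfiltration (mockbin[.]org, mocky[.]io, webhook[.]site, pipedream[.]net, frge[.]io). The Python below is an added example written for this report, not Recorded Future tooling: it matches DNS query-log entries against those apexes by whole label, honours an allowlist for services the organisation genuinely uses (the report’s “if your company does not use them” caveat), and emits the corresponding response policy zone (RPZ) records. The log line format, client addresses, and the allowlist are constructed for the example.

```python
from typing import Optional

# Apex domains taken from the report, un-defanged so they match real query logs
FREE_HOSTING_APEXES = {
    "rf.gd", "infinityfreeapp.com", "000.pe", "lovestoblog.com", "kesug.com",
    "wuaze.com", "great-site.net", "42web.io", "free.nf",
}
MOCK_API_APEXES = {"mockbin.org", "mocky.io", "webhook.site", "pipedream.net", "frge.io"}
BLOCK_APEXES = FREE_HOSTING_APEXES | MOCK_API_APEXES


def matching_apex(qname: str, apexes: set[str]) -> Optional[str]:
    """Return the apex in `apexes` that `qname` equals or sits under, matching whole labels only."""
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):          # never treat a bare TLD as an apex
        candidate = ".".join(labels[i:])
        if candidate in apexes:
            return candidate
    return None


def evaluate_log(log_text: str, allowlist: set[str] = frozenset()) -> list[dict]:
    """Flag query-log lines (constructed format: '<ts> <client> <qname> <qtype>') that hit a blocked apex.

    Apexes in `allowlist` are skipped, implementing the report's
    "if your company does not use them" caveat.
    """
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue                          # ignore malformed lines
        ts, client, qname, qtype = parts
        apex = matching_apex(qname, BLOCK_APEXES)
        if apex and apex not in allowlist:
            hits.append({"ts": ts, "client": client, "qname": qname, "qtype": qtype, "apex": apex})
    return hits


def rpz_records(apexes: set[str]) -> list[str]:
    """RPZ zone records that return NXDOMAIN for each apex and everything beneath it."""
    records = []
    for apex in sorted(apexes):
        records.append(f"{apex} CNAME .")
        records.append(f"*.{apex} CNAME .")
    return records


# Constructed sample query log (the pipedream and infinityfreeapp names are IoCs from this report)
SAMPLE_DNS_LOG = """\
2024-03-06T09:12:01Z 10.1.4.22 opendoc.infinityfreeapp.com A
2024-03-06T09:12:03Z 10.1.4.22 run.mocky.io A
2024-03-06T09:13:10Z 10.1.7.9 www.microsoft.com A
2024-03-06T09:14:44Z 10.1.4.22 eoytfd39hbrspa3.m.pipedream.net A
2024-03-06T09:15:02Z 10.1.9.3 api.webhook.site A
2024-03-06T09:15:20Z 10.1.7.9 notinfinityfreeapp.com A
"""

if __name__ == "__main__":
    # Assume, for the example, that the organisation legitimately uses webhook.site
    for hit in evaluate_log(SAMPLE_DNS_LOG, allowlist={"webhook.site"}):
        print(f"{hit['client']} -> {hit['qname']} (blocked apex {hit['apex']})")
    print("\n".join(rpz_records(BLOCK_APEXES)))
```

Label-wise matching matters here: a substring check would wrongly block notinfinityfreeapp.com and would miss nothing, but it also makes the rule easy to reason about and to express as RPZ wildcards. Before enforcing, run the log evaluation in monitor-only mode for a while so that legitimate use of any of these services (a developer testing against Mocky, for instance) surfaces and can be added to the allowlist rather than silently broken.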
## Appendix A — Indicators

## Appendix B — Mitre ATT&CK Techniques

|Tactic: Technique|ATT&CK Code|
|---|---|
|Resource Development: Acquire Infrastructure: Domains|T1583.001|
|Resource Development: Acquire Infrastructure: Web Services|T1583.006|
|Resource Development: Stage Capabilities: Upload Malware|T1608.001|
|Resource Development: Stage Capabilities: Link Target|T1608.005|
|Initial Access: Spearphishing Attachment|T1566.001|
|Initial Access: Spearphishing Link|T1566.002|
|Execution: Command and Scripting Interpreter: PowerShell|T1059.001|
|Execution: Command and Scripting Interpreter: Windows Command Shell|T1059.003|
|Execution: Command and Scripting Interpreter: Visual Basic|T1059.005|
|Execution: Command and Scripting Interpreter: JavaScript|T1059.007|
|Defense Evasion: Virtualization/Sandbox Evasion: System Checks|T1497.001|
|Defense Evasion: Hide Artifacts: Hidden Window|T1564.003|
|Credential Access: Web Portal Capture|T1056.003|
|Credential Access: Multi-Factor Authentication Interception|T1111|
|Discovery: System Owner/User Discovery|T1033|
|Command and Control: Web Service: Dead Drop Resolver|T1102.001|
|Command and Control: Web Service: One-Way Communication|T1102.003|
|Command and Control: Standard Encoding|T1132.001|

Recorded Future reporting contains expressions of likelihood or probability consistent with [US Intelligence Community Directive (ICD) 203: Analytic Standards](https://irp.fas.org/dni/icd/icd-203.pdf) (published January 2, 2015). Recorded Future reporting also uses [confidence level standards employed by the US Intelligence Community](https://www.dni.gov/files/ODNI/documents/assessments/ICA-declass-16MAR21.pdf) to assess the quality and quantity of the source information supporting our analytic judgments.

About Insikt Group®

Recorded Future’s Insikt Group, the company’s threat research division, comprises analysts and security researchers with deep government, law enforcement, military, and intelligence agency experience. Their mission is to produce intelligence that reduces risk for clients, enables tangible outcomes, and prevents business disruption.

About Recorded Future®

Recorded Future is the world’s largest threat intelligence company. Recorded Future’s Intelligence Cloud provides end-to-end intelligence across adversaries, infrastructure, and targets. Indexing the internet across the open web, dark web, and technical sources, Recorded Future provides real-time visibility into an expanding attack surface and threat landscape, empowering clients to act with speed and confidence to reduce risk and securely drive business forward. Headquartered in Boston with offices and employees around the world, Recorded Future works with over 1,800 businesses and government organizations across more than 75 countries to provide real-time, unbiased, and actionable intelligence. Learn more at recordedfuture.com