##### CYBER THREAT ANALYSIS

By Insikt Group®

**RUSSIA**

July 27, 2023

# BlueBravo Adapts to Target Diplomatic Entities with GraphicalProton Malware

-----

This report is a summary of threat activity linked to the Russian advanced persistent threat (APT) group BlueBravo (APT29, Midnight Blizzard) that Recorded Future’s Insikt Group has uncovered since January 2023. The activity and indicators in this report were detailed in several intelligence reports for Recorded Future clients between February and June 2023.

## Executive Summary

Recorded Future’s Insikt Group has continued to observe Russian state actors increasing efforts to conceal command-and-control network traffic via legitimate internet services (LIS) and to diversify the number of services being misused in support of this effort. BlueBravo is a threat group tracked by Insikt Group whose activity overlaps with that of the Russian advanced persistent threat (APT) groups tracked as [APT29 and Midnight Blizzard](https://www.mandiant.com/resources/blog/unc2452-merged-into-apt29). APT29 and Midnight Blizzard operations have been [previously](https://www.whitehouse.gov/briefing-room/statements-releases/2021/04/15/fact-sheet-imposing-costs-for-harmful-foreign-activities-by-the-russian-government/) [attributed](https://blogs.microsoft.com/on-the-issues/2021/10/24/new-activity-from-russian-actor-nobelium/) to Russia’s Foreign Intelligence Service (SVR), an organization responsible for foreign espionage, active measures, and electronic surveillance. In January 2023, we released a public [report](https://www.recordedfuture.com/bluebravo-uses-ambassador-lure-deploy-graphicalneutrino-malware) describing how BlueBravo employed a theme suggestive of an ambassador’s schedule in order to deliver malware we dubbed GraphicalNeutrino.
In this activity we found that the group employed several consistent tactics, techniques, and procedures (TTPs): the use of compromised infrastructure, the employment of related known malware families, the periodic use of third-party services for command-and-control (C2), and the reuse of general themes for lures. In addition to the identified TTPs, we also analyzed a novel malware variant used by BlueBravo, tracked by Insikt Group as GraphicalProton. GraphicalProton acts as a loader and, much like previously described samples of GraphicalNeutrino, is staged within an ISO or ZIP file and relies on the newly identified compromised domains for delivery to targeted hosts. Unlike GraphicalNeutrino, which employed the note-taking web application Notion for C2, the newly identified GraphicalProton sample uses Microsoft's OneDrive for C2 communication.

The misuse of LIS by BlueBravo is a continuation of its previous TTPs, as it has employed multiple online services such as Trello, Firebase, and Dropbox in an attempt to evade detection. As a result, it is imperative for network defenders to be aware of the possibility of the misuse of these services within their enterprise and to recognize instances in which they may be used in similar efforts to exfiltrate information.

Although we do not have direct visibility into the targeted entities, we can infer from the lure themes and linguistic artifacts that the Russian government is likely prioritizing cyber-espionage efforts against government sector entities in Europe, at present. The need for information from these sectors and regions is likely driven by the Russian government’s need for strategic data to facilitate its long-term survival during and after the war in Ukraine.
Based on observed trends associated with malware and infrastructure development throughout the first half of 2023, we assess that it is likely BlueBravo will adapt and iterate upon existing malware families to develop new variants and will continue to leverage third-party services as necessary to obfuscate C2 communications. The use of legitimate website compromise as one approach to malware delivery via HTML smuggling, as well as the use of PHP code for delivery, are recently observed approaches to the infection chain.

Due to how adaptive and evolving BlueBravo has been since 2022, tracking the group must also be an adaptive and evolving process and requires that the organizations most likely to be its victims invest additional time and resources. This includes those within the government sector and other organizations that Russian state actors are likely to deem of interest in furthering their geopolitical interests surrounding the Russia-Ukraine conflict. Defenders should detect, block, and hunt for the indicators and behaviors referenced in connection with BlueBravo reporting via the Recorded Future® Intelligence Cloud in network monitoring, intrusion detection systems, firewalls, and any associated perimeter security appliances.

## Key Findings

- Insikt Group has identified recent samples of the BlueBravo custom malware GraphicalNeutrino as well as a new strain of malware with similar characteristics that we call GraphicalProton.
- This activity likely represents efforts by BlueBravo operators to diversify their tooling, C2 infrastructure, and portfolio of legitimate services they abuse in order to successfully target organizations of interest to Russian state actors.
- BlueBravo is likely to continue developing infrastructure and compromising vulnerable websites to facilitate the deployment of subsequent strains of malware including GraphicalNeutrino (aka SnowyAmber), GraphicalProton, and QuarterRig.
- The lure pages we observed in this activity continue to reveal BlueBravo’s interest in targeting personnel assigned to diplomatic or foreign policy institutions throughout Eastern Europe.
- As the war in Ukraine continues, it is almost certain that BlueBravo will continue to consider government and diplomatic institutions high-value targets for the foreseeable future. It is likely that BlueBravo, and by extension the Russian intelligence consumers reliant on the data BlueBravo provides, views these organizations as providing strategic insight into the decision-making process of governments allied with Ukraine.

## Overview

The BlueBravo threat activity that Insikt Group has identified in H1 2023 consists of the use of compromised and actor-controlled domains to deploy at least 3 custom tools — QuarterRig, GraphicalNeutrino, and GraphicalProton. QuarterRig was first described and named by Poland’s Computer Emergency Response Team (CERT-PL); GraphicalNeutrino (tracked by CERT-PL as SnowyAmber) and GraphicalProton were first described and named publicly by Recorded Future.

- **GraphicalNeutrino:** Insikt Group initially described GraphicalNeutrino malware in public [reporting](https://www.recordedfuture.com/bluebravo-uses-ambassador-lure-deploy-graphicalneutrino-malware) on January 27, 2023. This malware acts as a loader with basic C2 functionality and implements numerous anti-analysis techniques including API unhooking, dynamically resolving APIs, string encryption, and sandbox evasion. It exploits the API for the United States (US)-based business automation service Notion for C2 communications. Additionally, it uses Notion’s database feature to store victim information and stage payloads for download.
- **QuarterRig:** On April 14, 2023, CERT-PL released a [comprehensive analysis](https://www.gov.pl/attachment/6f51bb1a-3ad2-461c-a16d-408915a56f77) of QuarterRig, a newly discovered malware family used by BlueBravo that was first identified in March 2023. QuarterRig is deployed via spearphishing emails containing attachments with malicious links. When victims click on these links, they are redirected to compromised websites that use scripts or HTML smuggling techniques to load QuarterRig onto the victim's computer. The QuarterRig malware functions as a loader used to deliver a more advanced second-stage payload; CERT-PL's analysis indicates that all the examined samples of QuarterRig delivered Cobalt Strike Beacon payloads as their second-stage payload.
- **GraphicalProton:** In May 2023, Insikt Group first described the GraphicalProton malware for clients. GraphicalProton acts as a loader, and, much like previously described samples of GraphicalNeutrino, is staged within an ISO or ZIP file and relies on the newly identified compromised domains for delivery to targeted hosts. Unlike some previously analyzed samples of GraphicalNeutrino that employed Notion for C2, we observed that the newly identified GraphicalProton samples use Microsoft OneDrive instead.

**Figure 1: Overview of BlueBravo attack flow (Source: Recorded Future)**

This report details Recorded Future’s tracking of BlueBravo’s use of compromised infrastructure to deliver these 3 custom malware families.
## Threat Analysis

#### Infrastructure Analysis

**QuarterRig Activity: March to May 2023**

Through analyzing known BlueBravo C2 infrastructure and related file artifacts, we identified multiple additional compromised domains that we assess are almost certainly being used by the threat group to deliver QuarterRig. One of the domains we observed, sylvio[.]com[.]br, was also publicly [identified](https://www.gov.pl/web/baza-wiedzy/espionage-campaign-linked-to-russian-intelligence-services) by CERT-PL in their analysis of the QuarterRig malware family.

|Domain|Related Sample|Filename|
|---|---|---|
|te-as[.]no|22b037f0a42579b45530bed196dd2b47fd4d4dffb8daa2738581287932794954|Note[.]iso|
|remcolours[.]com|c71ec48a59631bfa3f33383c1f25719e95e5a80936d913ab3bfe2feb172c1c5e|Note[.]zip|
|sylvio[.]com[.]br|b84d6a12bb1756b69791e725b0e3d7a962888b31a8188de225805717c299c086|Note[.]iso|

**Table 1: Compromised BlueBravo infrastructure for delivery of QuarterRig (Source: Recorded Future)**

On April 12, 2023, Insikt Group identified the domain te-as[.]no, which was hosted on the IP address 51.75.154[.]169 at the time of analysis, delivering a malicious ISO file (further described in the Malware Analysis section of this report) named “Note.iso” (SHA256 22b037f0a42579b45530bed196dd2b47fd4d4dffb8daa2738581287932794954) via the web page hxxps://te-as[.]no/wine[.]php. This use of a PHP file to deliver the malware was a departure from previous BlueBravo use of HTML files on compromised infrastructure.

Insikt Group also identified a lure document which was nearly identical to a lure described in CERT-PL's original reporting, which included a link to another QuarterRig sample found at hxxps://sylvio.com[.]br/form.php. Both lure documents present themselves as invitations to a wine-tasting event on behalf of the Embassy of the Czech Republic. The only differences between the 2 documents are the event dates, the signing date, and the URIs used for downloading additional information. A side-by-side comparison of each lure document is provided in Figure 2 below. The use of PHP web pages for malware delivery is in line with previous BlueBravo activity identified by Insikt Group in February 2023.

|Date Range|Domain|IP Address|
|---|---|---|
|3/21/2023 to 5/21/2023|mightystake[.]com|176.10.111[.]77|
|3/14/2023 to 5/22/2023|sharpledge[.]com|51.75.210[.]218|
|4/17/2023 to 5/18/2023|fondoftravel[.]com|185.174.101[.]243|

**Table 2: BlueBravo-controlled QuarterRig C2s for network communication (Source: Recorded Future)**

**QuarterRig Activity: May to June 2023**

On May 22, 2023, Insikt Group [identified](https://urlscan.io/result/34ec7bb6-c414-4397-98d6-70cdb5ae4b25/) another compromised domain, easym6[.]com, which hosted a PHP file that delivered a QuarterRig sample that beacons to actor-controlled infrastructure. Users redirected to the URL hxxps://easym6[.]com/Information.php would download a ZIP file titled Information.zip (SHA256 b422ba73f389ae5ef9411cf4484c840c7c82f2731c6324db0b24b6f87ce8477d). In addition to QuarterRig, Information.zip includes 3 other files essential to the execution and function of the malware. [URLScan shows](https://urlscan.io/result/34ec7bb6-c414-4397-98d6-70cdb5ae4b25/) that this domain, and specifically the identified URL, was delivering the Information.zip file via Information.php.

The most recent QuarterRig sample identified by Insikt Group in connection with this research was in June 2023. The sample was discovered in an ISO file titled “Specification.iso” (SHA256: 55d01a923ab4fb73990699b0e53dd0e57cab0549049030a43029cdaec4dfea98). Insikt Group analyzed the sample and identified the C2 domain as reidao[.]com, which was hosted on the IP address 51.77.38[.]127 at the time of analysis.

**GraphicalProton Activity: March to May 2023**

##### resetlocations[.]com

On May 4, 2023, Insikt Group [identified](https://urlscan.io/result/effd52c2-799e-46ff-89aa-32ede1d83e96) the domain resetlocations[.]com, hosted on the IP address 192.254.235[.]191, delivering the malicious ISO file “bmw.iso” (SHA256: 79a1402bc77aa2702dc5dca660ca0d1bf08a2923e0a1018da70e7d7c31d9417f) via the webpage resetlocations[.]com/bmw.htm. As in previous GraphicalNeutrino reporting, it is believed that BlueBravo compromised the website in order to host a sample of GraphicalProton. Contained within the HTML of the webpage is this obfuscated ISO file that is deployed via HTML smuggling; the ISO file is set to auto-download when the website is visited. On May 8, 2023, we observed 2 .docx files uploaded to a malware repository that serve as lure documents for the URL referenced as resetlocations[.]com/bmw[.]htm. We observed that the HTML content on resetlocations[.]com (Figure 3) checks the victim’s user agent string to determine whether the bmw.iso payload should be downloaded, which differs from previous iterations of threat group activity from [earlier](https://www.recordedfuture.com/bluebravo-uses-ambassador-lure-deploy-graphicalneutrino-malware) in 2023 (Figure 4) that would download the payload regardless.

The prior targeting related to the misuse of the BMW brand is likely suggestive of wider targeting of individuals who may have an interest in the type of vehicle or industry.
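The delivery URLs and C2 domains in Tables 1 and 2 are printed defanged (`[.]`, `hxxps`), so they cannot be compared with proxy or DNS logs as written. The following Python script is an added illustration that is not part of the Insikt Group report: it refangs a subset of the indicators given in this section and matches them against web-proxy log lines. The log format (timestamp, client IP, method, URL, status) and every sample line are constructed for this example; the indicator values themselves are the ones the report lists.

```python
"""
Added example, not part of the Recorded Future report: refangs the delivery
indicators listed in this section and matches them against web-proxy log
lines. The log format (timestamp, client IP, method, URL, status) and the
sample lines are constructed; the indicators are the ones the report gives.
"""
from urllib.parse import urlsplit

# Delivery URLs and C2 domains as the report prints them (defanged).
DEFANGED_URLS = [
    "hxxps://te-as[.]no/wine[.]php",
    "hxxps://easym6[.]com/Information.php",
    "hxxps://sylvio.com[.]br/form.php",
    "resetlocations[.]com/bmw.htm",
]
DEFANGED_DOMAINS = ["mightystake[.]com", "sharpledge[.]com", "fondoftravel[.]com", "reidao[.]com"]


def refang(ioc):
    """Undo the [.] and hxxp defanging so the value can be compared with log data."""
    return ioc.replace("[.]", ".").replace("hxxps://", "https://").replace("hxxp://", "http://")


def split_url(url):
    """Return (lower-case host, path); scheme-less indicators get one prepended for parsing."""
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    return (parts.hostname or "").lower(), parts.path or "/"


def build_index(urls=DEFANGED_URLS, domains=DEFANGED_DOMAINS):
    """Exact (host, path) pairs for the URLs plus a host-only set covering everything."""
    url_set = {split_url(refang(u)) for u in urls}
    domain_set = {refang(d).lower() for d in domains} | {host for host, _ in url_set}
    return url_set, domain_set


def match_line(line, url_set, domain_set):
    """Return the indicator hits for one log line, most specific match first."""
    fields = line.split()
    if len(fields) < 5:
        return []
    host, path = split_url(fields[3])
    if (host, path) in url_set:
        return ["url:" + host + path]
    if host in domain_set:
        return ["domain:" + host]
    return []


def scan_lines(lines, urls=DEFANGED_URLS, domains=DEFANGED_DOMAINS):
    """Return [(1-based line number, hits)] for every line that matched an indicator."""
    url_set, domain_set = build_index(urls, domains)
    results = []
    for number, line in enumerate(lines, start=1):
        hits = match_line(line, url_set, domain_set)
        if hits:
            results.append((number, hits))
    return results


# Constructed proxy log; client IPs, timestamps and the benign request are invented.
SAMPLE_LOG = [
    "2023-05-22T10:14:03Z 10.0.0.12 GET https://easym6.com/Information.php 200",
    "2023-05-22T10:14:09Z 10.0.0.12 POST https://mightystake.com/api/status 200",
    "2023-05-22T10:15:00Z 10.0.0.13 GET https://www.example.com/ 200",
    "2023-05-22T10:16:00Z 10.0.0.14 GET https://te-as.no/wine.php 200",
]

if __name__ == "__main__":
    for number, hits in scan_lines(SAMPLE_LOG):
        print(f"line {number}: {', '.join(hits)}")
```

A host-only match is reported for any request to a listed domain, because the report's C2 domains (Table 2) are actor-controlled and any contact is of interest, whereas the compromised delivery sites are legitimate businesses and only the listed PHP/HTM paths are known to be malicious.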
The likely purpose for the use of Turkish-language material in this later content is linked to an identified Turkish-language decoy document themed around relief efforts for the 2023 earthquake in Kahramanmaraş, Turkey, as shown in Figure 6. This document referenced a specific contact within Turkey’s Ministry of Foreign Affairs. Turkey has been a long-term target of interest for Russian APT groups, given its role as a NATO member and due to recent geopolitical events such as increased tension between the two countries as a result of a [failed arms deal](https://www.armscontrol.org/act/2017-10/news-briefs/turkey-snubs-nato-russian-arms-deal#:~:text=NATO%20member%20Turkey%20turned%20to,unease%20among%20its%20alliance%20partners).

**Figure 6: BlueBravo decoy document regarding relief efforts related to the 2023 earthquake in Kahramanmaraş, Turkey (Source: Recorded Future)**

#### Malware Analysis

**QuarterRig: March to June 2023**

QuarterRig initially delivers an ISO file containing a benign copy of a Microsoft Word executable that also contains an XML schema definition (XSD) and dynamic-link library (DLL). The DLL employs multiple anti-analysis techniques including encrypted strings, dynamic API resolution, and stack strings. After decrypting API strings, it spawns a new thread that uses an RC4 stream cipher with a hardcoded key to

When a victim tries to open any of the LNK files, it triggers the execution of the command `cmd /c start .$Recycle.Bin\windoc.exe && ".$Recycle.Bin\bmw[X].png"`. This command is used to launch windoc.exe and open a PNG file corresponding to the number of the LNK file opened.
Windoc.exe serves as the initial execution point for the malware, while the PNG file acts as a decoy to divert attention away from the malware as it begins its execution within the Windoc.exe process. Windoc.exe is a benign copy of the Microsoft Word application that is used to load AppvIsvSubsystems64.dll via DLL search order hijacking. AppvIsvSubsystems64.dll serves as a loader to execute GraphicalProton on the victim's machine, and employs several anti-analysis and anti-debugging techniques including:

- Verifying if the victim's system has more than 1 processor
- Checking if the system’s RAM is greater than 1,024 MB
- Timing checks via sleep calls
- Checking for debuggers by calling ntQueryObject on the current process and looking for a “DebugObject” ([similar to the technique shown here](https://gist.github.com/soxfmr/16c495d6e4ad99e9e46f5bfd558d152f))
- Dynamically resolving syscalls and Windows API functions
- Obfuscating control flow by manipulating the RIP register value via direct syscalls to zwGetContextThread and zwSetContextThread
- Using custom exception handlers and generating exceptions to redirect control flow

After passing the anti-analysis checks, the loader reads encrypted shellcode from the file ojg2.px and decrypts its contents using an XOR cipher with a rotating key. It then scans running processes to locate a suitable 64-bit process for injecting the shellcode into. Once a suitable process is identified, the loader performs process injection in a similar manner to the [NtCreateSection + NtMapViewOfSection](https://www.ired.team/offensive-security/code-injection-process-injection/ntcreatesection-+-ntmapviewofsection-code-injection) technique described by ired.team.
One deviation from the ired.team article is that the shellcode is executed via a new thread with the [THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER](https://ntquery.wordpress.com/2014/03/29/anti-debug-ntcreatethreadex/) flag set, which is used as an additional anti-analysis technique to prevent the thread from being visible to debuggers attached to its process. In the remote process, the shellcode resolves APIs and then unhooks several modules including kernel32, ntdll, shell32, oleaut32, mscoree, and combase. Afterwards, it utilizes the [RtlDecompressBuffer](https://learn.microsoft.com/en-us/windows-hardware/drivers/ddi/ntifs/nf-ntifs-rtldecompressbuffer) Windows API function to decompress an embedded PE file that is compressed using [LZNT1](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-xca/5655f4a3-6ba4-489b-959f-e1f407c52f15). This decompressed PE file is the GraphicalProton payload that is then loaded into the same process, and a new thread is started to execute its start routine.

GraphicalProton unhooks all DLL modules loaded by the process. It then attempts to renew an access token for Microsoft OneDrive by sending an HTTP request to login.microsoftonline[.]com with the [Microsoft Graph permissions](https://learn.microsoft.com/en-us/graph/permissions-reference) files.readwrite.all and offline_access.

**Figure 8: Refresh token request made by GraphicalProton (Source: Recorded Future)**

After obtaining a new token, a wordlist is used to create a randomly named directory under the OneDrive account’s App\Teams_Test folder. Next, 2 randomly named subdirectories are created to contain C2 communications to and from the victim.
GraphicalProton then gathers the victim’s system information — including their username, computer name, Windows version, network connections, and a list of running processes — by running the following commands:

- `cmd.exe /C "chcp 65001 > NUL & whoami"`
- `cmd.exe /C "chcp 65001 > NUL & wmic datafile where Name="C:\Windows\System32\ntoskrnl.exe" get Version"`
- `cmd.exe /C "chcp 65001 > NUL & netstat -a"`
- `cmd.exe /C "chcp 65001 > NUL & tasklist"`

The output of these commands is encrypted using a [Chaskey](https://mouha.be/chaskey/) cipher in CTR mode. Each bit of each ciphertext byte is then written out as a whole byte (0x00 for a 0 bit, 0x01 for a 1 bit), and the resulting expanded buffer is stored within a BMP file that is subsequently uploaded to 1 of the victim’s previously created OneDrive subdirectories.

**Figure 9: Chaskey encryption algorithm (Source: Recorded Future)**

Next, the malware periodically polls the OneDrive account for new files in the App\Teams_Test folder. When one is found, it is downloaded, decoded, and decrypted. The malware expects the file to be in BMP format using the same bit-per-byte encoding and Chaskey cipher encryption as the initial C2 check-in. The payload of the BMP file is capable of requesting the malware to read or write files, inject shellcode into remote processes, or run commands via cmd.exe. Results and log messages from the C2 request are stored in a new encrypted and encoded BMP file that is uploaded back to the OneDrive account (to the same victim subdirectory into which the initial BMP was uploaded). The malware then continues communicating with its C2 by periodically polling the description data stored on the victim’s OneDrive folder.
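The bit-per-byte BMP transport described above is what an analyst has to undo before any of the exchanged traffic can be examined. The following Python script is an added illustration and is not code from the Insikt Group report or from the malware: it implements the expansion of ciphertext bits into 0x00/0x01 bytes, wraps them in a BMP container, and carves them back out of one. Two details the report does not state are assumed and marked as such in the code: bits are emitted most-significant first, and the container is a minimal 54-byte BMP header (file header plus BITMAPINFOHEADER) followed directly by the raw bit-bytes. The payload recovered this way is still Chaskey-CTR ciphertext; decrypting it requires the key and counter setup recovered from the sample, which the example does not attempt.

```python
"""
Added example, not code from the Recorded Future report or from the malware:
an analyst-side codec for the BMP transport described above, in which every
bit of the Chaskey-CTR ciphertext is written as a whole byte (0x00 or 0x01)
inside the pixel area of a BMP file. Assumptions, labelled as such: bits are
emitted most-significant first, and the container is a minimal 54-byte BMP
header followed by the raw bit-bytes (the report does not state either).
"""
import struct

BITMAP_FILE_HEADER = "<2sIHHI"       # magic, file size, reserved, reserved, pixel data offset
BITMAP_INFO_HEADER = "<IiiHHIIiiII"  # 40-byte BITMAPINFOHEADER
PIXEL_OFFSET = struct.calcsize(BITMAP_FILE_HEADER) + struct.calcsize(BITMAP_INFO_HEADER)  # 54


def bytes_to_bits(data):
    """Expand each input byte into eight bytes holding 0x00 or 0x01 (MSB first; assumed order)."""
    out = bytearray()
    for value in data:
        out.extend((value >> shift) & 1 for shift in range(7, -1, -1))
    return bytes(out)


def bits_to_bytes(bit_bytes):
    """Inverse of bytes_to_bits; rejects anything that is not a clean 0x00/0x01 stream."""
    if len(bit_bytes) % 8:
        raise ValueError("bit stream length is not a multiple of 8")
    if any(b not in (0, 1) for b in bit_bytes):
        raise ValueError("bit stream contains bytes other than 0x00/0x01")
    out = bytearray()
    for i in range(0, len(bit_bytes), 8):
        value = 0
        for b in bit_bytes[i:i + 8]:
            value = (value << 1) | b
        out.append(value)
    return bytes(out)


def build_bmp(payload):
    """Wrap an opaque payload in a minimal 8-bpp BMP container (constructed for this
    example; it carries no palette, so it is a container rather than a viewable image)."""
    pixels = bytes_to_bits(payload)
    file_size = PIXEL_OFFSET + len(pixels)
    file_header = struct.pack(BITMAP_FILE_HEADER, b"BM", file_size, 0, 0, PIXEL_OFFSET)
    # biSize, biWidth, biHeight, biPlanes, biBitCount, biCompression, biSizeImage,
    # biXPelsPerMeter, biYPelsPerMeter, biClrUsed, biClrImportant
    info_header = struct.pack(BITMAP_INFO_HEADER, 40, len(pixels), 1, 1, 8, 0, len(pixels), 0, 0, 0, 0)
    return file_header + info_header + pixels


def extract_payload(bmp):
    """Recover the packed payload bytes from a BMP written with the scheme above.
    Honours the pixel-data offset in the file header and biSizeImage when it is set,
    otherwise reads to the end of the file."""
    if bmp[:2] != b"BM":
        raise ValueError("not a BMP file")
    _, _, _, _, offset = struct.unpack_from(BITMAP_FILE_HEADER, bmp, 0)
    _, _, _, _, _, _, size_image, _, _, _, _ = struct.unpack_from(BITMAP_INFO_HEADER, bmp, 14)
    end = offset + size_image if size_image else len(bmp)
    return bits_to_bytes(bmp[offset:end])


if __name__ == "__main__":
    # Constructed sample: the real payload would be Chaskey-CTR ciphertext whose key
    # must be recovered from the sample; these bytes are arbitrary.
    sample = bytes.fromhex("deadbeef00ff")
    container = build_bmp(sample)
    assert extract_payload(container) == sample
    print(f"{len(sample)} payload bytes -> {len(container)} byte BMP")
```

Because the scheme inflates every payload byte eightfold, a BMP produced this way is a pixel area made up only of 0x00 and 0x01 values, which is itself a usable detection heuristic for files uploaded to the OneDrive or Dropbox folders the malware uses.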
This field is updated throughout the malware’s execution using short codes to indicate what the malware is doing, and can also be updated by the malware operators to request certain functionality. For example, if the value “mw” is added to the description, then GraphicalProton will look for a new BMP communication in the victim’s second subdirectory. If one is present, then GraphicalProton will download, decode, and decrypt it in the same manner as previously described and execute the BMP payload’s requested instructions.

Aside from its support for OneDrive, GraphicalProton also contains code, an API key and secret, and a refresh token to integrate with DropBox as an alternative C2 backend. Many techniques from GraphicalProton coincide with a prior analysis [report](https://github.com/Dump-GUY/Malware-analysis-and-Reverse-engineering/blob/main/APT29_C2-Client_Dropbox_Loader/APT29-DropboxLoader_analysis.md) conducted by GitHub user Dump-GUY on an APT29 DropBox loader. Both samples share similarities in their utilization of dynamically resolved syscalls, employing online storage providers like DropBox for C2 communications, and camouflaging C2 communications as benign files (MP3 in the earlier analysis and BMP in the more recent samples). This overlap suggests that GraphicalProton represents a continuation of the previously analyzed malware family, showcasing ongoing development efforts by BlueBravo operators.
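The host-side chain described in this section leaves three observable artifacts in endpoint telemetry: the LNK command that launches the renamed Word binary from a `$Recycle.Bin` path, the loader DLL being side-loaded from that same directory rather than from the Office installation, and the `chcp 65001 > NUL &`-prefixed discovery commands. The following Python script is an added illustration and is not part of the Insikt Group report: it applies those three checks to process-creation and image-load events. The event schema and every sample event are constructed for this example, and the "loaded from outside a Program Files directory" location heuristic for the DLL is an assumption rather than something the report states.

```python
"""
Added example, not from the Recorded Future report: a small detector for
process-creation and image-load telemetry that looks for the GraphicalProton
host behaviours described above: an executable launched from a $Recycle.Bin
path by the LNK command, AppvIsvSubsystems64.dll side-loaded from outside a
Program Files directory, and the chcp-65001-prefixed discovery commands.
The event schema and every sample event are constructed for this example;
the "outside Program Files" location heuristic is an assumption.
"""
import re
from dataclasses import dataclass

RECYCLE_BIN_EXE = re.compile(r'\$Recycle\.Bin\\[^\s"]+\.exe', re.IGNORECASE)
CHCP_DISCOVERY = re.compile(
    r"chcp\s+65001\s*>\s*NUL\s*&\s*(whoami|wmic\s+datafile|netstat|tasklist)\b", re.IGNORECASE)
SIDELOAD_DLL = "appvisvsubsystems64.dll"
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\")  # heuristic, assumed


@dataclass
class Event:
    kind: str    # "process" (detail = command line) or "imageload" (detail = DLL path)
    image: str   # image path of the process
    detail: str


def classify(event):
    """Return the detection names triggered by a single event."""
    hits = []
    if event.kind == "process":
        if RECYCLE_BIN_EXE.search(event.detail):
            hits.append("exe_launched_from_recycle_bin")
        if CHCP_DISCOVERY.search(event.detail):
            hits.append("chcp_prefixed_discovery")
    elif event.kind == "imageload":
        dll = event.detail.lower()
        if dll.endswith(SIDELOAD_DLL) and not dll.startswith(TRUSTED_ROOTS):
            hits.append("appvisvsubsystems64_loaded_outside_program_files")
    return hits


def scan(events):
    """Map each detection name to the indices of the events that triggered it."""
    findings = {}
    for index, event in enumerate(events):
        for name in classify(event):
            findings.setdefault(name, []).append(index)
    return findings


# Constructed telemetry; drive letters, the benign lines and the Office path are invented.
SAMPLE_EVENTS = [
    Event("process", r"C:\Windows\System32\cmd.exe",
          r'cmd /c start .$Recycle.Bin\windoc.exe && ".$Recycle.Bin\bmw1.png"'),
    Event("imageload", r"E:\$Recycle.Bin\windoc.exe",
          r"E:\$Recycle.Bin\AppvIsvSubsystems64.dll"),
    Event("process", r"C:\Windows\System32\cmd.exe",
          'cmd.exe /C "chcp 65001 > NUL & whoami"'),
    Event("process", r"C:\Windows\System32\cmd.exe",
          r'''cmd.exe /C "chcp 65001 > NUL & wmic datafile where Name="C:\Windows\System32\ntoskrnl.exe" get Version"'''),
    Event("process", r"C:\Windows\System32\cmd.exe",
          'cmd.exe /C "chcp 65001 > NUL & dir"'),  # benign: not one of the listed discovery commands
    Event("imageload", r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
          r"C:\Program Files\Microsoft Office\root\Client\AppvIsvSubsystems64.dll"),  # benign load from an install directory
]

if __name__ == "__main__":
    for name, indices in sorted(scan(SAMPLE_EVENTS).items()):
        print(f"{name}: events {indices}")
```

The `chcp` check is deliberately narrow: the code-page switch on its own is common in scripts, so only the four commands the report lists are matched, and a hit on two or more of the three detections from one host is a stronger signal than any one alone.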
Insikt Group has created YARA rules to assist defenders in monitoring for GraphicalProton samples (see Appendix C).

## Mitigations

Defenders should conduct the following measures to detect and mitigate activity associated with BlueBravo:

- Configure your intrusion detection systems (IDS), intrusion prevention systems (IPS), or any network defense mechanisms in place to alert on — and upon review, consider blocking connection attempts to and from — the external domains listed in Appendix A.
- Recorded Future proactively detects malicious server configurations and provides means to block them in the Command and Control Security Control Feed. The Command and Control feed includes tools used by BlueBravo and other Russian state-sponsored threat activity groups. Recorded Future clients should alert on and block these C2 servers to allow for detection and remediation of active intrusions.
- [Recorded Future Threat Intelligence (TI), Third-Party Intelligence, and SecOps Intelligence](https://www.recordedfuture.com/platform/threat-intelligence) [modules](https://www.recordedfuture.com/license-options/) users can monitor real-time output from network intelligence analytics to identify suspected targeted intrusion activity involving your organization or key vendors and partners.
- Use the YARA rule provided in Appendix C to search your network for potential QuarterRig, GraphicalNeutrino, and/or GraphicalProton infections.
- [Implement an application allow-list policy](https://www.bleepingcomputer.com/tutorials/create-an-application-whitelist-policy-in-windows/) on Windows hosts, and enable AppArmor/SELinux on Linux-based hosts.

## Outlook

Based on BlueBravo’s ongoing adaptation of existing malware families, as well as a willingness to evolve the malware delivery mechanism over time, we assess BlueBravo to be a highly capable actor.
The group has routinely updated its TTPs to blend into legitimate network traffic and effectively evade detection. Defenders should detect, block, and hunt for the indicators and behaviors referenced in connection with BlueBravo reporting via the Recorded Future® Intelligence Cloud in network monitoring, intrusion detection systems, firewalls, and any associated perimeter security appliances.

We assess that as the war in Ukraine continues, it is almost certain BlueBravo will continue to consider government and diplomatic institutions high-value targets, with a likely focus on entities in Europe or those who are aligned with Ukraine. As such, we believe it is likely these entities will continue to be central in BlueBravo’s targeting calculus for the foreseeable future. BlueBravo’s targeting of these entities highlights their importance to decision-makers in military and strategic leadership positions in the Russian government.

## Appendix A — Indicators of Compromise

```
Compromised Domains Associated with BlueBravo Activity:
te-as[.]no
easym6[.]com
remcolours[.]com
simplesalsamix[.]com
sylvio[.]com[.]br
reidao[.]com
mightystake[.]com
sharpledge[.]com
fondoftravel[.]com

URLs Associated with BlueBravo Activity:
te-as[.]no/wine[.]php
easym6[.]com/Information.php
reidao[.]com/dashboard.php
resetlocations[.]com/bmw.htm
simplesalsamix[.]com/e-yazi.html
sylvio.com[.]br/form.php
mightystake[.]com/sponsorship.php
sharpledge[.]com/login.php
fondoftravel[.]com/contact.php

Files:
9da5339a5a7519b8b639418ea34c9a95f11892732036278b14dbbf4810fec7a3 AppvIsvSubsystems64.dll
6c55195f025fb895f9d0ec3edbf58bc0aa46c43eeb246cfb88eef1ae051171b3 Note.exe
22b037f0a42579b45530bed196dd2b47fd4d4dffb8daa2738581287932794954 Note.iso
ed5c3800cf9eb3d76e5bab079c7f8f3e0748935f0696ce0898f8bd421c3c306f Bdcmetadataresource.xsd
b84d6a12bb1756b69791e725b0e3d7a962888b31a8188de225805717c299c086 Note.iso
aff3d7f9ebfdbe69c65b8441a911b539b344f2708e5cef498f10e13290e90c91 AppvIsvSubsystems64.dll
9f2b400439e610577a6bbc1f83849c6108689d99a9fe7bdd1c74e4dfffadde14 Bdcmetadataresource.xsd
c71ec48a59631bfa3f33383c1f25719e95e5a80936d913ab3bfe2feb172c1c5e Note.zip
385973e7777081c81cfe236fcc8b3ebf5e4ae04f16030d525535f6cfe38cae7b AppvIsvSubsystems64.dll
becbd20a19bab555b92d471b30b8159dfa709e9bc417e5d42d72c94546d9e61c Schema.inf
79a1402bc77aa2702dc5dca660ca0d1bf08a2923e0a1018da70e7d7c31d9417f bmw.iso
640a08b52623cd8702de066f1f9a6923b18283fc2656137cd9c584da1e07775c bmw1.png.lnk
6f37579d445639c7dfebb4927fe7f6ea70d25d1127f9d9b5078f8ccd4da36127 bmw2.png.lnk
0e22e6a1dc529008d62287cfddaed53c7f4cc698feec144f00c92594dc76d036 bmw3.png.lnk
02ce47bd766f7489c6326c30351eb9b365f9997de1b2f92924d130fa07e0d82c bmw4.png.lnk
c5209127e65b0465c8a707ca127b067aa8756c1138bd0d3636f71bfbe8fd9bda bmw5.png.lnk
e22bc75bb87e19554cd0f98c98b22a07368c2b23adacc41fe2cd68c20957d60a bmw6.png.lnk
2589700d01c8a60a4f2d8188e31712821c7085a4715785e2871ac517c81477e3 bmw7.png.lnk
```

## Appendix B — Mitre ATT&CK Techniques

|Tactic: Technique|ATT&CK Code|
|---|---|
|Resource Development: Compromise Infrastructure|T1584|
|Execution: User Execution: Malicious File|T1204.002|
|Persistence: Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder|T1547.001|
|Defense Evasion: Obfuscated Files or Information: HTML Smuggling|T1027.006|
|Defense Evasion: Obfuscated Files or Information: Dynamic API Resolution|T1027.007|
|Defense Evasion: Masquerading: Right-to-Left Override|T1036.002|
|Defense Evasion: Masquerading: Match Legitimate Name or Location|T1036.005|
|Defense Evasion: Deobfuscate/Decode Files or Information|T1140|
|Defense Evasion: Hijack Execution Flow: DLL Search Order Hijacking|T1574.001|
|Defense Evasion: Hijack Execution Flow: DLL Side-Loading|T1574.002|
|Defense Evasion: Impair Defenses: Disable or Modify Tools|T1562.001|
|Discovery: System Owner/User Discovery|T1033|
|Discovery: System Information Discovery|T1082|
|Command and Control: Application Layer Protocol: Web Protocols|T1071.001|
|Command and Control: Web Service: Bidirectional Communication|T1102.002|
|Command and Control: Ingress Tool Transfer|T1105|

## Appendix C — GraphicalProton YARA Rules

## About Insikt Group®

Insikt Group is Recorded Future’s threat research division, comprising analysts and security researchers with deep government, law enforcement, military, and intelligence agency experience. Their mission is to produce intelligence on a range of cyber and geopolitical threats that reduces risk for clients, enables tangible outcomes, and prevents business disruption. Coverage areas include research on state-sponsored threat groups; financially-motivated threat actors on the darknet and criminal underground; newly emerging malware and attacker infrastructure; strategic geopolitics; and influence operations.

## About Recorded Future®

Recorded Future is the world’s largest intelligence company. Recorded Future’s cloud-based Intelligence Platform provides the most complete coverage across adversaries, infrastructure, and targets.
By combining persistent and pervasive automated data collection and analytics with human analysis, Recorded Future provides real-time visibility into the vast digital landscape and empowers clients to take proactive action to disrupt adversaries and keep their people, systems, and infrastructure safe. Headquartered in Boston with offices and employees around the world, Recorded Future works with more than 1,500 businesses and government organizations across more than 60 countries. Learn more at recordedfuture.com and follow us on Twitter at @RecordedFuture.