Novel malware leveraged in embassy-targeted APT29 attacks

Russian state-sponsored hacking group APT29, also known as Cozy Bear, Nobelium, Yttrium, and the Dukes, has been targeting embassy-related individuals with the new GraphicalNeutrino malware, according to SecurityWeek. The threat, tracked as BlueBravo, uses a compromised site carrying text purporting to be the ambassador's schedule for November 2022 as a lure, and the U.S. business automation service Notion for command-and-control, to distribute GraphicalNeutrino, which features API unhooking, sandbox evasion, and string encryption capabilities, a Recorded Future report showed. A second GraphicalNeutrino sample, which researchers determined was compiled two days after the initial sample, differed from it only slightly: in its Notion database ID, string decryption key, and C2 communication wait times. "While we are unable to assess the intended targets of this operation based on the data available, it is likely that ambassadorial or embassy-themed lures are particularly effective during periods of heightened geopolitical tensions, such as is the case with the ongoing war in Ukraine. During such periods, Russian APT groups are highly likely to make extensive use of diplomatically themed lures," said Recorded Future.