{"id":2344,"date":"2023-07-12T16:35:00","date_gmt":"2023-07-12T14:35:00","guid":{"rendered":"https:\/\/lab52.io\/blog\/?p=2344"},"modified":"2024-10-16T13:37:12","modified_gmt":"2024-10-16T11:37:12","slug":"2344-2","status":"publish","type":"post","link":"https:\/\/lab52.io\/blog\/2344-2\/","title":{"rendered":"New invitation from APT29 to use CCleaner"},"content":{"rendered":"\n<p>In May we wrote about the new <a rel=\"noreferrer noopener\" href=\"https:\/\/lab52.io\/blog\/2162-2\/\" target=\"_blank\">APT29 campaign that we called &#8220;Information&#8221;<\/a>. A week ago, <a href=\"https:\/\/lab52.io\/blog\/beyond-appearances-unknown-actor-using-apt29s-ttp-against-chinese-users\/\">an unknown actor used techniques similar to those of APT29<\/a>. This time APT29 itself is back in focus, after new techniques were identified in its operations.<\/p>\n\n\n\n<p>This post details the new techniques observed, in particular:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>SVG dropper<\/li><li>DLLs used for infection<\/li><li>C2 behaviour<\/li><\/ul>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"475\" height=\"699\" src=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/07\/iconos-adaptables.drawio.png\" alt=\"\" class=\"wp-image-2390\" srcset=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/07\/iconos-adaptables.drawio.png 475w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/07\/iconos-adaptables.drawio-204x300.png 204w\" sizes=\"(max-width: 475px) 100vw, 475px\" \/><figcaption>Infection chain<\/figcaption><\/figure><\/div>\n\n\n\n<h1 class=\"wp-block-heading\">Stage0: SVG Dropper<\/h1>\n\n\n\n<p>The initial access vector for this campaign was email. The phishing email has the subject &#8220;<strong>Invitation &#8211; Santa Lucia Celebration<\/strong>&#8221;. The lure appears to impersonate the Norwegian embassy, inviting the recipient to a celebration. 
This particular &#8220;invitation&#8221; is an .svg file.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"912\" height=\"587\" src=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/07\/imagen.png\" alt=\"\" class=\"wp-image-2349\" srcset=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/07\/imagen.png 912w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/07\/imagen-300x193.png 300w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/07\/imagen-768x494.png 768w\" sizes=\"(max-width: 912px) 100vw, 912px\" \/><figcaption>Phishing Mail (<a href=\"https:\/\/twitter.com\/StopMalvertisin\/status\/1677192614985228288\" data-type=\"URL\" data-id=\"https:\/\/twitter.com\/StopMalvertisin\/status\/1677192614985228288\">@StopMalvertisin<\/a>)<\/figcaption><\/figure><\/div>\n\n\n\n<p>When the file is opened, which on a typical Windows host means rendered by the default browser, an embedded script decodes and downloads a file with .iso extension containing the next stage of infection; the ISO is mounted only when the user opens it, since Windows mounts disk images natively. 
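<\/p>\n\n\n\n<p>To make the smuggling mechanism concrete, the following Python script is an added triage example and is not code from the Lab52 post: it parses an SVG as XML, collects the JavaScript primitives an HTML-smuggling dropper needs (base64 decode, in-memory Blob, object URL or msSaveOrOpenBlob, a forced download name), base64-decodes any long literal it finds and checks whether the result is an ISO 9660 image. The sample SVG it analyses is constructed for the demo to mirror the shape described above and is not the real invitation.svg; the indicator list and the threshold of three indicators are the author&#8217;s assumptions.<\/p>

```python
"""Triage an SVG attachment for HTML-smuggling indicators.

Added example (not code from the Lab52 post). The SVG is parsed as XML,
every <script> body is collected, the JavaScript primitives a smuggling
dropper needs are looked for, long base64 literals are decoded and the
decoded bytes are checked for the ISO 9660 signature ("CD001" at
offset 0x8001). The sample SVG is constructed here for the demo.
"""
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

SVG_NS = "{http://www.w3.org/2000/svg}"
# JavaScript features that together indicate a smuggled download
# (assumed indicator set; extend to taste).
JS_INDICATORS = {
    "atob(": "base64 decode in script",
    "new Blob(": "in-memory Blob construction",
    "createObjectURL(": "blob URL used as download link",
    "msSaveOrOpenBlob(": "legacy IE/Edge download API",
    ".download": "forced download filename",
}
B64_RE = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")
FILENAME_RE = re.compile(r"""download\s*=\s*['"]([^'"]+)['"]""")
ISO_SIG_OFFSET = 0x8001  # "CD001" in the primary volume descriptor


def is_iso9660(data: bytes) -> bool:
    return data[ISO_SIG_OFFSET:ISO_SIG_OFFSET + 5] == b"CD001"


def triage_svg(svg_text: str) -> dict:
    """Return indicators, the smuggled filename and decoded-payload facts."""
    root = ET.fromstring(svg_text)
    scripts = [el.text or "" for el in root.iter(SVG_NS + "script")]
    scripts += [el.text or "" for el in root.iter("script")]  # no namespace
    js = "\n".join(scripts)
    result = {
        "indicators": [desc for key, desc in JS_INDICATORS.items() if key in js],
        "filename": None,
        "payloads": [],
    }
    m = FILENAME_RE.search(js)
    if m:
        result["filename"] = m.group(1)
    for blob in B64_RE.findall(js):
        try:
            data = base64.b64decode(blob, validate=True)
        except ValueError:  # binascii.Error is a ValueError
            continue
        result["payloads"].append({
            "size": len(data),
            "sha256": hashlib.sha256(data).hexdigest(),
            "is_iso9660": is_iso9660(data),
        })
    # Assumed threshold: three script primitives plus a decodable blob.
    result["suspicious"] = len(result["indicators"]) >= 3 and bool(result["payloads"])
    return result


def build_sample_svg() -> str:
    """Constructed sample with the dropper's shape: a script that decodes an
    embedded base64 blob and forces an .iso download. The blob is a
    zero-filled buffer carrying only the ISO 9660 signature."""
    fake_iso = bytearray(ISO_SIG_OFFSET + 5)
    fake_iso[ISO_SIG_OFFSET:ISO_SIG_OFFSET + 5] = b"CD001"
    b64 = base64.b64encode(bytes(fake_iso)).decode()
    return f"""<svg xmlns="http://www.w3.org/2000/svg" width="1" height="1">
  <script><![CDATA[
    var p = "{b64}";
    var bytes = Uint8Array.from(atob(p), function (c) {{ return c.charCodeAt(0); }});
    var blob = new Blob([bytes], {{ type: "application/octet-stream" }});
    var a = document.createElement("a");
    a.href = URL.createObjectURL(blob);
    a.download = "invitation.iso";
    a.click();
  ]]></script>
</svg>"""


if __name__ == "__main__":
    print(triage_svg(build_sample_svg()))
```

<p>Run it against a real attachment with <code>triage_svg(open(path).read())<\/code>; a hit with <code>is_iso9660<\/code> set is the pattern this campaign uses, while a hit whose blob does not decode usually means the payload is split across several literals or lightly obfuscated and needs manual decoding.<\/p>\n\n\n\n<p>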
In this way the .svg file functions as an HTML smuggling carrier: the next stage travels inside the attachment and is reassembled by the script on the victim&#8217;s machine, so the initial payload never has to be fetched from a remote server.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"484\" src=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/07\/imagen-1-1024x484.png\" alt=\"\" class=\"wp-image-2350\" srcset=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/07\/imagen-1-1024x484.png 1024w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/07\/imagen-1-300x142.png 300w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/07\/imagen-1-768x363.png 768w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/07\/imagen-1.png 1310w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption>.svg content<\/figcaption><\/figure><\/div>\n\n\n\n<p>This technique had been seen before, as <a href=\"https:\/\/twitter.com\/SI_FalconTeam\/status\/1677355686722781184\" data-type=\"URL\" data-id=\"https:\/\/twitter.com\/SI_FalconTeam\/status\/1677355686722781184\">@SI_FalconTeam<\/a> points out, in a test sample that drops &#8220;Process Explorer&#8221;; they also published a YARA rule to detect this type of technique.<\/p>\n\n\n\n<p>The use of this type of file as a dropper is new in APT29&#8217;s TTPs, so it is worth keeping an eye on this kind of attachment when hunting for future campaigns.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"582\" height=\"529\" src=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/07\/imagen-2.png\" alt=\"\" class=\"wp-image-2351\" srcset=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/07\/imagen-2.png 582w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/07\/imagen-2-300x273.png 300w\" sizes=\"(max-width: 582px) 100vw, 582px\" \/><figcaption>SVG &#8220;test&#8221; sample<\/figcaption><\/figure><\/div>\n\n\n\n<p>Once the file is opened, an ISO 
(<strong>invitation.iso<\/strong>) is downloaded, with content similar to what we have observed in other APT29 campaigns.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large is-resized\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/07\/imagen-3.png\" alt=\"\" class=\"wp-image-2352\" width=\"682\" height=\"250\" srcset=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/07\/imagen-3.png 665w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/07\/imagen-3-300x110.png 300w\" sizes=\"(max-width: 682px) 100vw, 682px\" \/><figcaption>&#8220;Invitation.iso&#8221; content<\/figcaption><\/figure><\/div>\n\n\n\n<p>The file analysed in this post is the following:<\/p>\n\n\n\n<figure class=\"wp-block-table aligncenter is-style-regular\"><table><thead><tr><th class=\"has-text-align-center\" data-align=\"center\">File<\/th><th class=\"has-text-align-center\" data-align=\"center\">SHA256<\/th><\/tr><\/thead><tbody><tr><td class=\"has-text-align-center\" data-align=\"center\">Invitation.iso<\/td><td class=\"has-text-align-center\" data-align=\"center\">AF1922C665E9BE6B29A5E3D0D3AC5916AE1FC74AC2FE9931E5273F3C4043F395<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p>This <strong>Invitation.iso<\/strong> contains the following files:<\/p>\n\n\n\n<figure class=\"wp-block-table aligncenter is-style-regular\"><table><thead><tr><th class=\"has-text-align-center\" data-align=\"center\">File<\/th><th class=\"has-text-align-center\" data-align=\"center\">SHA256<\/th><th>Stage<\/th><\/tr><\/thead><tbody><tr><td class=\"has-text-align-center\" data-align=\"center\">Invitation.lnk<\/td><td class=\"has-text-align-center\" data-align=\"center\">A8AE10B43CBF4E3344E0184B33A699B19A29866BC1E41201ACE1A995E8CA3149<\/td><td>Stage1<\/td><\/tr><tr><td class=\"has-text-align-center\" data-align=\"center\">CCleanerReactivator.exe<\/td><td class=\"has-text-align-center\" 
data-align=\"center\">59E5B2A7A3903E4FB9A23174B655ADB75EB490625DDB126EF29446E47DE4099F<\/td><td>Stage1<\/td><\/tr><tr><td class=\"has-text-align-center\" data-align=\"center\">CCleanerReactivator.dll<\/td><td class=\"has-text-align-center\" data-align=\"center\">7FC9E830756E23AA4B050F4CEAEB2A83CD71CFC0145392A0BC03037AF373066B<\/td><td>Stage1<\/td><\/tr><tr><td class=\"has-text-align-center\" data-align=\"center\">CCleanerDU.dll<\/td><td class=\"has-text-align-center\" data-align=\"center\">D7BDA5E39327FE12B0C1F42C8E27787F177A352F8EEBAFBE35D3E790724ECEFF<\/td><td>Stage2<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h1 class=\"wp-block-heading\">Stage1: Loader<\/h1>\n\n\n\n<p>The first file that stands out is <strong>invitation.lnk<\/strong>, which, despite carrying a folder icon, is a shortcut that launches the following command:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>%windir%\/system32\/cmd.exe \/q \/c \"robocopy . C:\\Windows\\Tasks \/NODCOPY \/NFL \/NDL \/NJH \/NJS \/NC \/NS \/NP > nul &amp; start C:\\Windows\\Tasks\\CCleanerReactivator.exe > nul\"<\/code><\/pre>\n\n\n\n<p>This command uses <strong>Robocopy<\/strong> to copy every file from the mounted ISO (the current directory, &#8220;.&#8221;) into &#8220;C:\\Windows\\Tasks&#8221;, with the \/NFL, \/NDL, \/NJH, \/NJS, \/NC, \/NS and \/NP switches silencing its output, and then launches <strong>CCleanerReactivator.exe<\/strong> from that folder. C:\\Windows\\Tasks is a convenient staging directory for the actor because it is writable by standard users yet looks like a system path.<\/p>\n\n\n\n<p>The <strong>CCleanerReactivator.exe<\/strong> binary is signed and undetected in VirusTotal. 
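<\/p>\n\n\n\n<p>From the defender&#8217;s side, the staging step in that command is the part worth alerting on: a copy tool writing into a user-writable directory under C:\\Windows, followed by the same parent shell launching a binary from exactly that directory. The following Python is an added example, not code from the original post, that applies this logic to process-creation events. The events are constructed Sysmon-style records mirroring the chain above, the field names are the author&#8217;s own, and the directory list (C:\\Windows\\Tasks from this campaign plus C:\\Windows\\Temp, which is also writable by standard users) is an assumption.<\/p>

```python
"""Detect the LNK staging chain: a copy into a user-writable directory under
C:\\Windows, then the same parent shell launching a binary from that
directory.

Added example (not from the Lab52 post). Events are constructed
Sysmon-style process-creation records; the field names and the directory
list are the author's assumptions (C:\\Windows\\Tasks is the one used in
this campaign, C:\\Windows\\Temp is also writable by standard users).
"""
from pathlib import PureWindowsPath

USER_WRITABLE_WINDIRS = (r"C:\Windows\Tasks", r"C:\Windows\Temp")
COPY_TOOLS = ("robocopy", "xcopy", "copy ")  # "copy" is a cmd.exe builtin


def _norm(p: str) -> str:
    """Lower-case and use backslashes so both path styles compare equal."""
    return p.replace("/", "\\").lower()


def staged_dir(cmdline: str):
    """Return the user-writable Windows directory named in a command line."""
    low = _norm(cmdline)
    for d in USER_WRITABLE_WINDIRS:
        if d.lower() in low:
            return d
    return None


def uses_copy_tool(cmdline: str) -> bool:
    low = cmdline.lower()
    return any(tool in low for tool in COPY_TOOLS)


def find_staging_chains(events):
    """events: iterable of dicts {pid, ppid, image, cmdline} in time order.
    Returns (stager_event, launched_event) pairs: a process whose command
    line copies into a staging directory, and a child of it whose image
    lives in that directory."""
    hits = []
    stagers = {}  # pid -> (event, staging directory)
    for ev in events:
        d = staged_dir(ev["cmdline"])
        if d and uses_copy_tool(ev["cmdline"]):
            stagers[ev["pid"]] = (ev, d)
            continue
        img_dir = _norm(str(PureWindowsPath(ev["image"]).parent))
        for pid, (stager, d) in stagers.items():
            if ev["ppid"] == pid and img_dir == d.lower():
                hits.append((stager, ev))
    return hits


# Constructed events mirroring the LNK chain (pids are invented).
SAMPLE_EVENTS = [
    {"pid": 4120, "ppid": 3000, "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
    {"pid": 5008, "ppid": 4120, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /q /c "robocopy . C:\Windows\Tasks /NODCOPY /NFL /NDL '
                r'/NJH /NJS /NC /NS /NP > nul & start C:\Windows\Tasks\CCleanerReactivator.exe > nul"'},
    {"pid": 5012, "ppid": 5008, "image": r"C:\Windows\System32\robocopy.exe",
     "cmdline": r"robocopy . C:\Windows\Tasks /NODCOPY /NFL /NDL /NJH /NJS /NC /NS /NP"},
    {"pid": 5020, "ppid": 5008, "image": r"C:\Windows\Tasks\CCleanerReactivator.exe",
     "cmdline": r"C:\Windows\Tasks\CCleanerReactivator.exe"},
    # a genuine CCleaner install running from Program Files: must not match
    {"pid": 5100, "ppid": 4120, "image": r"C:\Program Files\CCleaner\CCleaner64.exe",
     "cmdline": r'"C:\Program Files\CCleaner\CCleaner64.exe"'},
]

if __name__ == "__main__":
    for stager, launched in find_staging_chains(SAMPLE_EVENTS):
        print(f"pid {stager['pid']} staged -> pid {launched['pid']} ran {launched['image']}")
```

<p>The parent check is what keeps the rule quiet: a scheduled task binary that legitimately lives in C:\\Windows\\Tasks is not a child of a shell that just copied into that folder. The robocopy child process also registers as a stager on its own, so the rule still fires if the shell&#8217;s command line is truncated in the log but the copy tool&#8217;s is not.<\/p>\n\n\n\n<p>Back to the signed binary. 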
It is a legitimate disk-cleanup utility that can be <a href=\"https:\/\/www.ccleaner.com\" data-type=\"URL\" data-id=\"https:\/\/www.ccleaner.com\">downloaded<\/a> from the vendor.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large is-resized\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/07\/imagen-4.png\" alt=\"\" class=\"wp-image-2354\" width=\"732\" height=\"173\" srcset=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/07\/imagen-4.png 917w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/07\/imagen-4-300x71.png 300w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/07\/imagen-4-768x182.png 768w\" sizes=\"(max-width: 732px) 100vw, 732px\" \/><figcaption>&#8220;CCleanerReactivator.exe&#8221; detections in VirusTotal<\/figcaption><\/figure><\/div>\n\n\n\n<p>The malicious activity is therefore in the <strong>CCleanerReactivator.dll<\/strong> and <strong>CCleanerDU.dll<\/strong> libraries, which the executable loads through <strong>DLL side-loading<\/strong>: the LNK copies everything into one folder, and the Windows loader searches the application directory first, so the signed binary picks up the attacker&#8217;s DLL instead of the one from a real CCleaner installation.<br>In the imports of <strong>CCleanerReactivator.exe<\/strong> we can see that it loads only one library, <strong>CCleanerReactivator.dll<\/strong>.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"926\" height=\"166\" src=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/07\/imagen-5.png\" alt=\"\" class=\"wp-image-2355\" srcset=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/07\/imagen-5.png 926w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/07\/imagen-5-300x54.png 300w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/07\/imagen-5-768x138.png 768w\" sizes=\"(max-width: 926px) 100vw, 926px\" \/><figcaption>&#8220;CCleanerReactivator.dll&#8221; imports<\/figcaption><\/figure><\/div>\n\n\n\n<p>When looking at the <strong><em>AutoReactivatorSDK::RunProgram<\/em> 
<\/strong>function of <strong>CCleanerReactivator.dll<\/strong>, we can see that it does nothing but load the second library, <strong>CCleanerDU.dll<\/strong>, and call its <strong><em>FreeInterface<\/em><\/strong> export.<br>So <strong>CCleanerReactivator.dll<\/strong> acts only as a bridge, and <strong>CCleanerDU.dll<\/strong> is the library that contains the malicious code, in its <em>FreeInterface<\/em> function.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"722\" height=\"221\" src=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/07\/imagen-6.png\" alt=\"\" class=\"wp-image-2356\" srcset=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/07\/imagen-6.png 722w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/07\/imagen-6-300x92.png 300w\" sizes=\"(max-width: 722px) 100vw, 722px\" \/><figcaption>&#8220;AutoReactivatorSDK::RunProgram&#8221; loading &#8220;CCleanerDU.dll&#8221;<\/figcaption><\/figure><\/div>\n\n\n\n<h1 class=\"wp-block-heading\" id=\"block-02f9cb73-603e-4640-ad60-75e93cc71a67\">Stage2: CCleanerDU.dll<\/h1>\n\n\n\n<p>The first thing we find in the <strong><em>FreeInterface<\/em><\/strong> function of <strong>CCleanerDU.dll<\/strong> is that it tries to load the <strong>wininet.dll<\/strong> library.<br>To do this, it first allocates memory using the native <strong>NtAllocateVirtualMemory<\/strong> and <strong>NtProtectVirtualMemory<\/strong> calls rather than the usual VirtualAlloc and VirtualProtect wrappers. 
It then loads the library with <strong>LdrLoadDll<\/strong> from ntdll.dll, again bypassing the Win32 wrapper (LoadLibrary).<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"563\" height=\"465\" src=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/07\/imagen-7.png\" alt=\"\" class=\"wp-image-2358\" srcset=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/07\/imagen-7.png 563w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/07\/imagen-7-300x248.png 300w\" sizes=\"(max-width: 563px) 100vw, 563px\" \/><figcaption>Getting &#8220;wininet.dll&#8221;<\/figcaption><\/figure><\/div>\n\n\n\n<p>If the library loads correctly, execution continues in a function we have named <em>C2_comm<\/em>. This function handles communication with the C2; to establish the connection it resolves the following <strong>wininet.dll<\/strong> exports:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>InternetOpenA<\/li><li>InternetConnectA<\/li><li>HttpOpenRequestA<\/li><li>HttpSendRequestA<\/li><li>InternetReadFile<\/li><li>InternetCloseHandle<\/li><\/ul>\n\n\n\n<p>After this, it builds the request. The function responsible, which we have named <strong><em>CreateRequest<\/em><\/strong>, does the following:<\/p>\n\n\n\n<ol class=\"wp-block-list\"><li>It obtains the UserName and the ComputerName through calls to <strong>GetUserNameA<\/strong> and <strong>GetComputerNameExA<\/strong>. 
From these values, through a series of modular operations, it derives a 4-digit number that identifies the victim.<\/li><\/ol>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"568\" height=\"184\" src=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/07\/imagen-8.png\" alt=\"\" class=\"wp-image-2361\" srcset=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/07\/imagen-8.png 568w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/07\/imagen-8-300x97.png 300w\" sizes=\"(max-width: 568px) 100vw, 568px\" \/><\/figure><\/div>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"377\" height=\"266\" src=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/07\/imagen-9.png\" alt=\"\" class=\"wp-image-2362\" srcset=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/07\/imagen-9.png 377w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/07\/imagen-9-300x212.png 300w\" sizes=\"(max-width: 377px) 100vw, 377px\" \/><figcaption>Create Victim ID<\/figcaption><\/figure><\/div>\n\n\n\n<p>2. The code then enumerates all running processes with <strong>CreateToolhelp32Snapshot<\/strong>, <strong>Process32First<\/strong> and <strong>Process32Next<\/strong>. This information is placed in a buffer together with the UserName and ComputerName, as shown below.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"585\" height=\"540\" src=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/07\/imagen-10.png\" alt=\"\" class=\"wp-image-2363\" srcset=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/07\/imagen-10.png 585w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/07\/imagen-10-300x277.png 300w\" sizes=\"(max-width: 585px) 100vw, 585px\" \/><figcaption>Exfiltration buffer<\/figcaption><\/figure><\/div>\n\n\n\n<p>3. 
Next, it builds the URI path for the request, which has the following format:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>search\/s.php?i=1&amp;id=APOX8NWOV4{4_DIGITS_VICTIM_ID}<\/code><\/pre>\n\n\n\n<p>4. With the request assembled, it sends a PUT that registers the victim with the C2 <strong>kefas[.]id<\/strong>.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"526\" height=\"57\" src=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/07\/imagen-11.png\" alt=\"\" class=\"wp-image-2365\" srcset=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/07\/imagen-11.png 526w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/07\/imagen-11-300x33.png 300w\" sizes=\"(max-width: 526px) 100vw, 526px\" \/><figcaption><em>PUT<\/em> request<\/figcaption><\/figure><\/div>\n\n\n\n<p>5. The last step is to check the server response; registration is considered successful if the server answers &#8220;<strong>KKEE<\/strong>&#8221;.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"526\" height=\"84\" src=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/07\/imagen-12.png\" alt=\"\" class=\"wp-image-2368\" srcset=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/07\/imagen-12.png 526w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/07\/imagen-12-300x48.png 300w\" sizes=\"(max-width: 526px) 100vw, 526px\" \/><figcaption>Check &#8220;KKEE&#8221; response<\/figcaption><\/figure><\/div>\n\n\n\n<p>At the end of the <strong><em>CreateRequest<\/em><\/strong> function it opens a second connection and, if that succeeds, performs a GET for the next stage of infection. The returned payload again starts with &#8220;KKEE&#8221;, which is checked as the marker of a successful exchange. 
If the marker is present it returns the payload with the &#8220;KKEE&#8221; prefix stripped; otherwise it suspends execution by calling <strong>NtDelayExecution<\/strong>.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"472\" height=\"271\" src=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/07\/imagen-13.png\" alt=\"\" class=\"wp-image-2369\" srcset=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/07\/imagen-13.png 472w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/07\/imagen-13-300x172.png 300w\" sizes=\"(max-width: 472px) 100vw, 472px\" \/><figcaption>GET <em>request<\/em><\/figcaption><\/figure><\/div>\n\n\n\n<p>Finally, it allocates memory for the payload again with <strong>NtAllocateVirtualMemory<\/strong> and <strong>NtProtectVirtualMemory<\/strong> and creates a fiber with <strong>CreateFiber<\/strong> that is in charge of running the next stage. A fiber is not a thread: it is a unit of execution scheduled by the program itself rather than by the kernel, it runs on the thread that created it, and it only starts when that thread explicitly hands control to it with <strong>SwitchToFiber<\/strong>. Executing the shellcode this way creates no new thread, a detail that matters for detections keyed on thread creation in freshly allocated memory.<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"566\" height=\"97\" src=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/07\/imagen-15.png\" alt=\"\" class=\"wp-image-2372\" srcset=\"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/07\/imagen-15.png 566w, https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/07\/imagen-15-300x51.png 300w\" sizes=\"(max-width: 566px) 100vw, 566px\" \/><figcaption>CreateFiber function<\/figcaption><\/figure><\/div>\n\n\n\n<h1 class=\"wp-block-heading\" id=\"block-df4d6313-3e7c-4514-b01d-5e01a9c4643d\">C2 Communications<\/h1>\n\n\n\n<p>It is interesting to note that communication with the C2 has changed significantly since previous campaigns. 
Previously, registration with the C2 was done with a POST of an encrypted JSON containing the UserName and ComputerName.<\/p>\n\n\n\n<p>In this new iteration the victim ID sent to the C2 has been simplified to 4 digits, and the next stage (shellcode) is downloaded from the C2 on demand instead of being carried locally by the dropper.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">IOCs<\/h2>\n\n\n\n<div class=\"wp-block-group\"><div class=\"wp-block-group__inner-container is-layout-flow wp-block-group-is-layout-flow\">\n<div class=\"wp-block-group\"><div class=\"wp-block-group__inner-container is-layout-flow wp-block-group-is-layout-flow\">\n<figure class=\"wp-block-table aligncenter is-style-regular\"><table><thead><tr><th class=\"has-text-align-center\" data-align=\"center\">File<\/th><th class=\"has-text-align-center\" data-align=\"center\">SHA256<\/th><\/tr><\/thead><tbody><tr><td>Invitation &#8211; Santa Lucia Celebration.msg<\/td><td class=\"has-text-align-center\" data-align=\"center\">966E070A52DE1C51976F6EA1FC48EC77F6B89F4BF5E5007650755E9CD0D73281<\/td><\/tr><tr><td>Invitation.svg<\/td><td class=\"has-text-align-center\" data-align=\"center\">4875A9C4AF3044DB281C5DC02E5386C77F331E3B92E5AE79FF9961D8CD1F7C4F<\/td><\/tr><tr><td>Invitation.iso<\/td><td class=\"has-text-align-center\" data-align=\"center\">AF1922C665E9BE6B29A5E3D0D3AC5916AE1FC74AC2FE9931E5273F3C4043F395<\/td><\/tr><tr><td>Invitation.lnk<\/td><td class=\"has-text-align-center\" data-align=\"center\">A8AE10B43CBF4E3344E0184B33A699B19A29866BC1E41201ACE1A995E8CA3149<\/td><\/tr><tr><td>CCleanerReactivator.exe<\/td><td class=\"has-text-align-center\" data-align=\"center\">59E5B2A7A3903E4FB9A23174B655ADB75EB490625DDB126EF29446E47DE4099F<\/td><\/tr><tr><td>CCleanerDU.dll<\/td><td class=\"has-text-align-center\" data-align=\"center\">D7BDA5E39327FE12B0C1F42C8E27787F177A352F8EEBAFBE35D3E790724ECEFF<\/td><\/tr><tr><td>CCleanerReactivator.dll<\/td><td class=\"has-text-align-center\" 
data-align=\"center\">7FC9E830756E23AA4B050F4CEAEB2A83CD71CFC0145392A0BC03037AF373066B<\/td><\/tr><\/tbody><\/table><\/figure>\n<\/div><\/div>\n<\/div><\/div>\n\n\n\n<figure class=\"wp-block-table is-style-regular\"><table><thead><tr><th class=\"has-text-align-center\" data-align=\"center\">C2 <\/th><\/tr><\/thead><tbody><tr><td class=\"has-text-align-center\" data-align=\"center\">hxxps:\/\/kefas[.]id\/search\/s.php<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Last month of May we were talking about the new APT29 campaign that we called &#8220;Information&#8221;. Recently, just a week ago, an unknown actor used similar techniques to APT29. This time APT29 is once again the focus after new techniques were identified in their operations. This post details the new techniques observed, in particular: SVG [&hellip;]<\/p>\n","protected":false},"author":20,"featured_media":2394,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_genesis_hide_title":false,"_genesis_hide_breadcrumbs":false,"_genesis_hide_singular_image":false,"_genesis_hide_footer_widgets":false,"_genesis_custom_body_class":"","_genesis_custom_post_class":"","_genesis_layout":"","footnotes":""},"categories":[21,1],"tags":[66,68,69,44,8,67],"class_list":{"0":"post-2344","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-apt","8":"category-uncategorised","9":"tag-apt29","10":"tag-ccleaner","11":"tag-dllside-load","12":"tag-phishing","13":"tag-russia","14":"tag-svg","15":"entry"},"featured_image_src":"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/07\/Image20230712114555-600x400.jpg","featured_image_src_square":"https:\/\/lab52.io\/blog\/wp-content\/uploads\/2023\/07\/Image20230712114555-600x600.jpg","author_info":{"display_name":"Er1c_C","author_link":"https:\/\/lab52.io\/blog\/author\/er1c_c\/"},"_links":{"self":[{"href":"https:\/\/lab5
2.io\/blog\/wp-json\/wp\/v2\/posts\/2344"}],"collection":[{"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/users\/20"}],"replies":[{"embeddable":true,"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/comments?post=2344"}],"version-history":[{"count":20,"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/posts\/2344\/revisions"}],"predecessor-version":[{"id":2392,"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/posts\/2344\/revisions\/2392"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/media\/2394"}],"wp:attachment":[{"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/media?parent=2344"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/categories?post=2344"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lab52.io\/blog\/wp-json\/wp\/v2\/tags?post=2344"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}