Fancy Bear’s Used Car Scam: Diplomatic Phishing Lure Unveiled

Russian threat actor Fighting Ursa is back, this time using a fake Audi Q7 ad to lure diplomats into malware traps. This campaign, targeting diplomats since March 2024, showcases their knack for recycling old tactics and exploiting known vulnerabilities.

1P
Published: August 2, 2024 10:47 amAdded: August 2, 2024 at 3:56 amAssembled by: The Editor
Pro Dashboard

Hot Take:

Who knew car shopping could be so dangerous? Just when you thought you might score a sweet diplomatic deal on an Audi Q7, BAM! You’re hit with a heaping dose of Russian malware. In the digital world, even car salesmen can’t be trusted!

Key Points:

  • Fighting Ursa (aka Fancy Bear, APT28, Sofacy) is back with a new phishing campaign targeting diplomats.
  • Phishing lure: A fake car advertisement for an Audi Q7 hosted on legitimate services like Webhook.site and ImgBB.
  • Malware involved: HeadLace backdoor, delivered via a ZIP archive containing a malicious .jpg.exe file.
  • Attack chain: Starts with checking if the visitor’s system is Windows-based and ends with a batch file executing hidden commands.
  • Attribution: Medium to high confidence that Fighting Ursa is behind the attack, given their known tactics and malware.

Membership Required

 You must be a member to access this content.

View Membership Levels
Already a member? Log in here
The Nimble Nerd
powered by the NSA, er,  GDPR Cookie Compliance
Confessional Booth of Our Digital Sins

Okay, deep breath, let's get this over with. In the grand act of digital self-sabotage, we've littered this site with cookies. Yep, we did that. Why? So your highness can have a 'premium' experience or whatever. These traitorous cookies hide in your browser, eagerly waiting to welcome you back like a guilty dog that's just chewed your favorite shoe. And, if that's not enough, they also tattle on which parts of our sad little corner of the web you obsess over. Feels dirty, doesn't it?