Pulse: Suspected APT29 Operation Launches Election Fraud Themed Phishing Campaigns
TLP: WHITE | Adversary: APT29 | Author: AlienVault | Created: 2021-05-27 | Modified: 2021-07-02
226 IOCs (high volume)
Volexity, a security firm, has identified a phishing campaign targeting government agencies across the United States and Europe that it assesses is likely related to APT29.
MITRE ATT&CK & Malware Families
ATT&CK techniques:
Malware families: CobaltStrike, FreshFire
Indicators of Compromise (3 of 226 shown)
Indicator types in this pulse: hostname, FileHash-MD5, FileHash-SHA256, FileHash-SHA1, domain, URL, YARA

TYPE | INDICATOR | DESCRIPTION | CREATED
YARA | a54d9baa2929197c6bbc828abd96b33e9ec7e918 | A loader for the CobaltStrike malware family. It exchanges the first and second bytes of an embedded file and then executes the resulting payload. | 2021-05-27
YARA | bd79a22dcd2964cb3fe78dbdf516d61462b99aac | The CobaltStrike malware family. | 2021-05-27
YARA | 3435d5027db8240893231d071180ca8bcd5a296f | The FRESHFIRE malware family. The malware acts as a downloader: it pulls down an encrypted snippet of code from a remote source, executes it, and deletes it from the remote server. | 2021-05-27
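The loader behaviour attributed to the first YARA entry (first two bytes of the embedded file exchanged before execution) can be turned into a triage check for carved or memory-dumped samples. The following is an added example, not code from the pulse or from Volexity. It assumes the embedded file is a PE image, so that the exchange turns the `MZ` signature into `ZM`, and it confirms a candidate by following `e_lfanew` to the `PE\0\0` signature rather than trusting the two-byte marker alone. The container bytes are constructed for the example and are not a real sample.

```python
import struct


def swap_first_two_bytes(blob: bytes) -> bytes:
    """Exchange byte 0 and byte 1. This is the transformation the pulse
    describes for the loader, and it is its own inverse."""
    if len(blob) < 2:
        return blob
    return bytes((blob[1], blob[0])) + blob[2:]


def looks_like_pe(blob: bytes) -> bool:
    """Weak PE sanity check: MZ signature plus an e_lfanew that lands on PE\\0\\0."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", blob, 0x3C)
    return e_lfanew + 4 <= len(blob) and blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def find_swapped_pe_payloads(container: bytes) -> list:
    """Return every offset where a byte-swapped PE image ('ZM' header) begins.
    Each 'ZM' hit is un-swapped and validated, so stray 'ZM' pairs are ignored."""
    hits = []
    start = 0
    while True:
        idx = container.find(b"ZM", start)
        if idx == -1:
            break
        if looks_like_pe(swap_first_two_bytes(container[idx:])):
            hits.append(idx)
        start = idx + 1
    return hits


def recover_payload(container: bytes, offset: int) -> bytes:
    """Un-swap the embedded image at `offset`, yielding a normal MZ-headed blob."""
    return swap_first_two_bytes(container[offset:])


def build_minimal_pe_image() -> bytes:
    """Constructed stand-in for a PE: MZ header, e_lfanew = 0x40 at offset 0x3C,
    then the PE signature and an i386 machine field, followed by filler."""
    e_lfanew = 0x40
    dos_header = bytearray(b"MZ" + b"\x00" * (0x3C - 2))
    dos_header += struct.pack("<I", e_lfanew)
    nt_headers = b"PE\x00\x00" + b"\x4c\x01"
    return bytes(dos_header) + nt_headers + b"\x00" * 64


# Constructed loader-like container (hypothetical layout): opaque stub bytes
# that happen to contain a decoy "ZM" with no PE header behind it, then the
# byte-swapped image, then trailing data.
STUB = b"\x55\x8b\xecZMxx" + b"\x90" * 40
PAYLOAD = build_minimal_pe_image()
CONTAINER = STUB + swap_first_two_bytes(PAYLOAD) + b"\xcc" * 16

if __name__ == "__main__":
    for off in find_swapped_pe_payloads(CONTAINER):
        recovered = recover_payload(CONTAINER, off)
        print(f"swapped PE at offset {off:#x}; header after un-swap: {recovered[:2]!r}")
```

The decoy `ZM` in the stub shows why the `e_lfanew` check matters: a two-byte marker alone would fire on ordinary data, while a swapped PE only passes once its DOS header is restored and points at a real PE signature. On a live sample the same functions can be run over a process memory dump to locate the staged payload before it is executed.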