In response to the recent attacks by APT29, the FBI and Department of Justice have seized two domains that were linked to spearphishing campaigns. According to Microsoft, the actors sent a modified HTML document with an ISO file embedded in it; once the ISO was mounted, its contents varied, holding either an RTF document or an LNK file, each of which executed the Cobalt Strike Beacon. APT29 is attributed to the Russian Federation’s SVR and was also named by government agencies and private security firms as the group responsible for the SolarWinds supply-chain attacks in 2020.
The details in the Microsoft and Volexity blogs offer a trove of information for building detections, as well as ideas for further detections based on highly unusual behavior. ISOs being written and mounted on non-IT workstations and servers can be highly unusual and may make a good behavior-based alarm if it is not otherwise seen often. Gathering logs from endpoints, both workstations and servers, is always encouraged, as it gives insight into which files are being written by Outlook or web browsers. Furthermore, long-term log retention can be invaluable and is needed if investigations are reevaluated in the future.
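The behavior-based alarm described above, written out as a detection rule over endpoint telemetry. This is an added example, not code from the post or from the Microsoft or Volexity write-ups. It assumes endpoint events have been normalized into a flat record with `host`, `role`, `event`, `image`, `path` and `ts` fields: the `file_create` records carry the same information a Sysmon FileCreate (Event ID 11) record does (the writing process image and the target filename), while `iso_mount` is an assumed normalized mount event, since how mounts surface depends on the telemetry source. The sample events, host names, role labels and the `DROPPER_IMAGES` and `IT_ROLES` sets are constructed for the example and should be adjusted to the environment.

```python
"""Added example: alert when a mail client or browser writes an ISO that is
then mounted, weighting the alert by whether the host is an IT machine.

The event schema and all sample data below are constructed for illustration.
"""
from datetime import datetime, timedelta

# Processes that should rarely, if ever, be the source of an ISO on disk
# (assumption: tune to the mail and browser clients deployed in the environment).
DROPPER_IMAGES = {"outlook.exe", "chrome.exe", "msedge.exe", "firefox.exe"}

# Host roles where handling ISO images is routine and should only be noted,
# not escalated (assumption: populate from the asset inventory).
IT_ROLES = {"it-workstation", "build-server"}

# Constructed sample telemetry: one suspicious drop-and-mount on an HR
# workstation, one routine drop-and-mount on an IT workstation, one benign
# browser download that is not an ISO at all.
SAMPLE_EVENTS = [
    {"ts": "2021-06-01T09:00:00", "host": "HR-PC-07", "role": "user-workstation",
     "event": "file_create", "image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "path": r"C:\Users\alice\AppData\Local\Temp\invoice.iso"},
    {"ts": "2021-06-01T09:02:30", "host": "HR-PC-07", "role": "user-workstation",
     "event": "iso_mount", "image": r"C:\Windows\explorer.exe",
     "path": r"C:\Users\alice\AppData\Local\Temp\invoice.iso"},
    {"ts": "2021-06-01T10:00:00", "host": "IT-PC-01", "role": "it-workstation",
     "event": "file_create", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "path": r"C:\Users\bob\Downloads\win10.iso"},
    {"ts": "2021-06-01T10:05:00", "host": "IT-PC-01", "role": "it-workstation",
     "event": "iso_mount", "image": r"C:\Windows\explorer.exe",
     "path": r"C:\Users\bob\Downloads\win10.iso"},
    {"ts": "2021-06-01T11:00:00", "host": "FIN-PC-02", "role": "user-workstation",
     "event": "file_create", "image": r"C:\Program Files\Microsoft\Edge\Application\msedge.exe",
     "path": r"C:\Users\carol\Downloads\report.pdf"},
]


def image_name(image: str) -> str:
    """Reduce a full process image path to its lower-cased file name."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_iso_drop_and_mount(events, window: timedelta = timedelta(minutes=30)):
    """Return one alert per ISO that a mail/browser client wrote and that was
    mounted on the same host within `window` of being written.

    Alerts on non-IT hosts are marked 'high'; the same sequence on an IT host
    is still recorded, at 'low', so the baseline stays visible to analysts.
    """
    pending_drops = {}  # (host, lower-cased path) -> file_create event
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):  # ISO-8601 sorts lexically
        key = (ev["host"], ev["path"].lower())
        if (ev["event"] == "file_create"
                and key[1].endswith(".iso")
                and image_name(ev["image"]) in DROPPER_IMAGES):
            pending_drops[key] = ev
        elif ev["event"] == "iso_mount" and key in pending_drops:
            drop = pending_drops.pop(key)
            elapsed = datetime.fromisoformat(ev["ts"]) - datetime.fromisoformat(drop["ts"])
            if elapsed <= window:
                alerts.append({
                    "host": ev["host"],
                    "path": drop["path"],
                    "written_by": image_name(drop["image"]),
                    "seconds_to_mount": int(elapsed.total_seconds()),
                    "severity": "low" if ev["role"] in IT_ROLES else "high",
                })
    return alerts


if __name__ == "__main__":
    for alert in detect_iso_drop_and_mount(SAMPLE_EVENTS):
        print(alert)
```

The rule keys on the writing process rather than on the `.iso` extension alone, so ISOs staged by deployment tooling do not trip it, and the mount window keeps a stale download from pairing with an unrelated mount days later. The IT-role carve-out is deliberately a severity downgrade rather than a suppression: the post's point is that the behavior is rare on non-IT hosts, and keeping the IT occurrences visible is what lets an analyst confirm that baseline.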