Full Report
an image of a blue square with the embedded text "Google" and "Threat Analysis Group"
Analysis Summary
# Threat Actor: APT29 (Suspected Link)
## Attribution & Identity
* **Identification:** Assessed with moderate confidence to be linked to the **Russian government-backed actor APT29**.
* **Aliases/Associations:** The actor is noted for using exploits strikingly similar or identical to those previously used by Commercial Surveillance Vendors (CSVs) like **Intellexa** and **NSO Group**.
## Activity Summary
In-the-wild exploit campaigns were observed between **November 2023 and July 2024**, delivered via watering hole attacks targeting Mongolian government websites.
* **November 2023 & February 2024:** Campaigns targeted iOS users running versions older than 16.6.1 using the **CVE-2023-41993** WebKit exploit. This campaign delivered the same cookie stealer framework previously observed in a suspected APT29 campaign in 2021.
* **July 2024:** A campaign targeted Android users running Chrome versions m121 to m123 using an exploit chain targeting **CVE-2024-5274** and **CVE-2024-4671** to deploy an information-stealing payload.
## Tactics, Techniques & Procedures
* **Delivery Mechanism:** **Watering Hole Attack** targeting official government websites.
* **Exploitation (iOS - Nov/Feb):** Used n-day exploit **CVE-2023-41993** (WebKit). This involved a reconnaissance payload to profile the device (model, screen size, etc.) followed by deployment of the exploit payload via an AES-encrypted stage. The exploit framework included custom MachO loader/parser and PAC/JIT cage bypasses.
* **Exploitation (Android - July):** Used an exploit chain targeting **CVE-2024-5274** and **CVE-2024-4671** (Chrome).
* **Payloads:**
* Cookie stealer framework (**COOKIESNATCH** mentioned for iOS).
* Chrome information stealing payload (**ANDROSNATCH** mentioned for Android).
* **Reconnaissance:** Profiling framework using a drawing canvas to identify the target’s exact iPhone model.
* **Persistence/Evasion:** Utilized techniques (like Site Isolation protection on Chrome) that required chaining an additional sandbox escape to fully exfiltrate cookies from other websites.
## Targeting
* **Sectors:** Government.
* **Geography:** Mongolia.
* **Victims:** Mongolian government websites: `cabinet.gov[.]mn` and `mfa.gov[.]mn`. Specific targets included webmail sessions at `webmail.mfa.gov[.]mn/owa/auth`.
## Tools & Infrastructure
* **Malware Families/Modules:**
* iOS Reconnaissance Payload (**VALIDVICTOR**)
* iOS Cookie Stealer Module (**COOKIESNATCH**)
* Chrome Reconnaissance Payload
* Chrome Cookie Stealer Payload (**ANDROSNATCH**)
* **Infrastructure (C2/Domains):**
* `track-adv[.]com` (used for initial iframe/attack)
* `ceo-adviser[.]com` (used in later iterations)
* Specific URLs observed:
* `hxxps://track-adv[.]com/market-analytics.php?pc=1`
* `hxxps://ceo-adviser[.]com/fb-connect.php?online=1`
* `hxxps://track-adv[.]com/analytics.php?personalization_id=`
## Implications
The campaigns demonstrate a convergence between state-sponsored actors (APT29) and the tools developed by Commercial Surveillance Vendors (CSVs) like Intellexa and NSO, suggesting proliferation or shared development/sourcing of sophisticated exploits. The continued utility of watering hole attacks targeting unpatched N-day vulnerabilities, even for sophisticated actors, remains a significant threat, particularly against mobile endpoints.
## Mitigations
* **Patch Management:** Organizations must prioritize timely application of available software patches for operating systems (iOS) and browsers (Chrome) to defend against N-day exploits.
* **Device Protection:** Enable **Lockdown Mode** on iOS devices where appropriate, as it blocked the WebKit exploit observed.
* **Browser Security:** Utilize modern browser protections like Chrome's **Site Isolation**, although it is noted that sophisticated actors can chain further vulnerabilities (sandbox escapes) to defeat these measures.
* **Web Security:** Organizations should audit their public-facing websites for unauthorized code injection indicating watering hole compromise.