WhatsApp Abused To Target High-Value Diplomats
Written by Karolis Liucveikis on
In mid-November 2024, Microsoft Threat Intelligence observed a Russian-speaking threat actor, tracked by Microsoft as Star Blizzard, abusing WhatsApp to supplement spear-phishing tactics that target high-value diplomats. As a phishing delivery vehicle, WhatsApp changes the threat actor's long-standing techniques and tactics.
The abuse of WhatsApp is done primarily to compromise accounts of targets in government, diplomacy, defense policy, international relations, and Ukraine aid organizations.
The attack begins with Star Blizzard impersonating a U.S. government official in email messages to the target. The lure is an invitation to join a WhatsApp group related to non-governmental initiatives supporting Ukraine. The email contains a purposefully broken QR code.
This is done in an attempt to force a reply from the recipient, hopefully requesting an alternative link. Should the victim respond, Star Blizzard sends another email with a 't.ly' short link, which directs them to a fake webpage that mimics a legitimate WhatsApp invitation page with a new QR code.
The new QR code, rather than adding the victim to the group as advertised, links the victim's WhatsApp account to a device controlled by the attacker. This gives the threat actor access to the victim's WhatsApp account and its messages.
The threat actor can exfiltrate this data using existing browser plugins designed to export WhatsApp messages from an account accessed via WhatsApp Web. Researchers further noted,
While this campaign was limited and appeared to have terminated at the end of November, it nevertheless marked a break in long-standing Star Blizzard TTPs and highlighted the threat actor’s tenacity in continuing spear-phishing campaigns to gain access to sensitive information even in the face of repeated degradations of their operations.
As the attack relies on no malware and is driven purely by social engineering, users should be wary of unsolicited communications and exercise extra caution when receiving invitations to join groups. The researchers provided further mitigation advice, saying,
Microsoft Threat Intelligence recommends that all email users belonging to sectors that Star Blizzard typically targets always remain vigilant when dealing with email, especially emails containing links to external resources. These targets are most commonly related to:
- Government or diplomacy (incumbent and former position holders)
- Research into defense policy or international relations when related to Russia
- Assistance to Ukraine related to the ongoing conflict with Russia
The Rise of Star Blizzard
Initially tracked as SEABORGIUM by Microsoft back in 2022, the threat actor's operations and tactics were summarized at the time from campaigns targeting over 30 organizations and the personal accounts of people of interest.
SEABORGIUM, now Star Blizzard, primarily targeted NATO countries, particularly the U.S. and the UK, with occasional targeting of other countries in the Baltics, the Nordics, and Eastern Europe. Such targeting has included the government sector of Ukraine in the months leading up to the invasion by Russia and organizations involved in supporting roles for the war in Ukraine.
Despite some targeting of these organizations, Microsoft assessed that Ukraine is likely not a primary focus for this actor; however, it is most likely a reactive focus area due to the invasion and one of many diverse targets.
By 2024, security researchers were able to pin down some of Star Blizzard's favored tactics by analyzing previous campaigns. Setting aside the addition of WhatsApp, the group is known to use multiple registrars to register domain infrastructure, multiple link-shortening services, and legitimate websites with open redirects to hide actor-registered domains. They also used altered legitimate email templates as spear-phishing lures.
Star Blizzard initially used NameCheap as their favored domain provider until 2024. Then, the threat actor began using multiple domain registrars, including Hostinger, RealTime Registrar, and GMO Internet.
As for link delivery, Microsoft observed in December 2023 that the threat actor used email marketing platforms to avoid embedding actor-registered domains in their spear-phishing emails. This technique was abandoned in early 2024, with the threat actor transitioning first to hosting the initial redirector website on shared infrastructure.
Since August 2024, Star Blizzard has added multiple layers of redirection to their VPS infrastructure, utilizing various link-shortening services and legitimate websites that can be used as open redirectors.
Further, researchers stated,
For a brief period between July and August 2024, the threat actor utilized spear-phishing lures that did not contain or redirect to PDF lures embedded with links that redirected to actor-controlled infrastructure. Instead, Star Blizzard sent targets an altered OneDrive file share notification that included a clickable link to a malicious URL. When clicked, the link would initiate redirection to actor-controlled infrastructure. We observed Star Blizzard using this approach in spear-phishing attacks against its traditional espionage targets, including individuals associated with politics and diplomacy, NGOs, and think tanks.
The group also makes use of several other techniques to prevent detection; these include:
- The use of server-side scripts to prevent automated scanning of actor-controlled infrastructure
- The use of email marketing platform services to hide true email sender addresses and obviate the need for including actor-controlled domain infrastructure in email messages
- The use of a DNS provider to obscure the IP addresses of actor-controlled virtual private server (VPS) infrastructure. Once notified, the DNS provider took action to mitigate actor-controlled domains abusing their service.
- Password-protected PDF lures or links to cloud-based file-sharing platforms where PDF lures are hosted
- Lastly, the threat actor has shifted to a more randomized domain generation algorithm (DGA) for actor-registered domains.
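As a defender-side complement to the redirection and domain tradecraft described above, the following is an added Python triage example (not Microsoft's or this article's code) that flags URLs in an email body for the indicators the article lists: a link-shortener host (t.ly comes from the reporting; the other shortener names are assumed), an absolute URL carried inside a query parameter as open redirectors use, and a long random-looking domain label as a rough DGA heuristic. The sample email body and its hosts are constructed.

```python
import math
import re
from collections import Counter
from urllib.parse import parse_qs, urlparse

# t.ly is the shortener named in the reporting; the other entries are assumed examples.
SHORTENER_DOMAINS = {"t.ly", "bit.ly", "tinyurl.com"}
URL_RE = re.compile(r"https?://[^\s<>\"']+")

def shannon_entropy(s: str) -> float:
    # Bits per character; random-looking labels score higher than dictionary words.
    return -sum(c / len(s) * math.log2(c / len(s)) for c in Counter(s).values())

def registrable_label(host: str) -> str:
    # Label just before the TLD. Assumption: no public-suffix handling (good enough for triage).
    parts = host.split(".")
    return parts[-2] if len(parts) >= 2 else host

def embedded_urls(url: str) -> list[str]:
    """Absolute URLs carried inside query parameters: the open-redirect pattern."""
    query = parse_qs(urlparse(url).query)  # parse_qs percent-decodes the values
    return [v for values in query.values() for v in values
            if v.startswith(("http://", "https://"))]

def classify_url(url: str) -> list[str]:
    """Return indicator labels for one URL; [] means nothing of note."""
    flags = []
    host = (urlparse(url).hostname or "").lower()
    if host in SHORTENER_DOMAINS:
        flags.append("link-shortener")
    targets = embedded_urls(url)
    if targets:
        flags.append("open-redirect-parameter")
        # The embedded URL is the real destination, so inherit its indicators.
        for target in targets:
            flags.extend("target:" + f for f in classify_url(target))
    label = registrable_label(host)
    if len(label) >= 12 and shannon_entropy(label) >= 3.5:
        flags.append("dga-like-domain")
    return flags

def scan_email(body: str) -> dict[str, list[str]]:
    return {url: classify_url(url) for url in URL_RE.findall(body)}

# Constructed sample body; not a real Star Blizzard message. Hosts use reserved example names.
SAMPLE_EMAIL = """Please join the group via https://t.ly/abc123 or use
https://redirect.example.org/out?url=https%3A%2F%2Fq7x2kp9vm3zw8rtb.example%2Fjoin
Official information: https://www.whatsapp.com/
"""
```

Running `scan_email(SAMPLE_EMAIL)` flags the shortener, the open-redirect wrapper and its random-looking destination host, while the genuine whatsapp.com link returns no indicators.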