Russian APT Seashell Blizzard Targets European Critical Infrastructure

Seashell Blizzard (Sandworm) Targets European Critical Infrastructure with Custom Malware

HIGH
October 13, 2025
Threat Actor, Cyberattack, Malware

Related Entities

Threat Actors

Seashell Blizzard, Sandworm, Lunar Spider, Sofacy, Ghostwriter

Other

CheapShot, ShroudDoor, Latrodectus

Full Report

Executive Summary

Microsoft has identified a new campaign by Seashell Blizzard, Microsoft's designation for the Russian GRU threat actor also tracked as Sandworm and APT44 (not APT28, which is a separate GRU unit that Microsoft tracks as Forest Blizzard). The campaign targets critical infrastructure sectors in Ukraine and other European countries with the goal of espionage and long-term persistent access. The attackers use spear-phishing emails carrying malicious Excel add-in (XLL) attachments to start a multi-stage infection chain: the XLL runs a custom downloader, CheapShot, which retrieves a custom backdoor named ShroudDoor. The activity underscores the continued focus of Russian state-sponsored actors on intelligence gathering, and on pre-positioning for disruption, against key European industries.


Threat Overview

The campaign demonstrates a refined approach to gaining initial access and maintaining persistence within target networks.

Attack Chain

  1. Initial Access: The attack begins with a Spearphishing Attachment (T1566.001). The phishing emails carry a malicious XLL (Excel add-in) file. An XLL is a native DLL that Excel loads as an add-in: there is no macro to inspect and no VBA sandbox, and the code runs in-process with Excel's privileges.
  2. Execution: When the victim opens the XLL and accepts Excel's add-in security prompt (User Execution: Malicious File, T1204.002), Excel loads the DLL and calls its xlAutoOpen export. The add-in is built with Excel-DNA, a legitimate open-source framework for packaging .NET code as an Excel add-in, so the malicious logic is managed .NET code hosted inside EXCEL.EXE. Note that current Microsoft 365 builds block XLL files that carry the Mark of the Web (downloaded from the internet or saved from email) by default; that block applies only to files carrying the mark and only where the default has not been relaxed.
  3. Downloader Deployment: The first-stage payload is a custom downloader named CheapShot. Its only job is to reach an attacker-controlled server and fetch the next stage.
  4. Backdoor Installation: CheapShot downloads and executes the main payload, a backdoor named ShroudDoor. The backdoor gives the attackers persistent remote access to the compromised host: command execution, data exfiltration, and deployment of further tooling.

Technical Analysis

  • Malware: The malware used in this campaign is custom-developed, indicating a well-resourced actor.
    • CheapShot: A lightweight downloader designed as the first-stage payload. Its small footprint and narrow functionality (contact a server, fetch and run a file) give signature-based detection little to match on.
    • ShroudDoor: A more full-featured backdoor that provides stealthy, persistent access. Its capabilities likely include command execution, file system manipulation, and data exfiltration.
  • Targeting: The campaign is highly targeted, focusing on sectors of strategic importance to Russia:
    • Agriculture
    • Defense
    • Transportation
    • Manufacturing

This activity is part of a broader threat landscape. Researchers also noted parallel campaigns by other actors, such as Lunar Spider targeting European financial institutions with the Latrodectus loader, highlighting a complex and active environment of state-sponsored and cybercrime operations in Europe.


Impact Assessment

A successful compromise by Seashell Blizzard could have severe consequences for the targeted organizations and nations.

  • Espionage: The primary goal appears to be intelligence gathering. Attackers can steal sensitive information related to defense contracts, transportation logistics, and critical manufacturing processes.
  • Disruptive Operations: Sandworm is known for its disruptive and destructive attacks (e.g., NotPetya, Ukrainian power grid attacks). The persistence gained via ShroudDoor could be used to preposition for future disruptive or destructive cyberattacks.
  • Long-Term Access: Establishing a stealthy foothold allows the threat actor to maintain access for months or years, continuously monitoring activity and exfiltrating data.

Detection & Response

  • Email Security: Configure email gateways to block or quarantine XLL attachments, including XLLs nested inside archives, since the file type is almost never exchanged by email for legitimate business purposes.
  • Endpoint Detection (EDR): Monitor for EXCEL.EXE loading a .xll from a user-writable location (Downloads, Temp, the Outlook attachment cache), spawning child processes such as cmd.exe, powershell.exe, rundll32.exe or mshta.exe, or initiating outbound network connections itself. A spreadsheet application spawning a shell is a strong indicator of malicious add-in execution. This maps to D3FEND Process Analysis (D3-PA).
  • Network Monitoring: Analyze outbound traffic for C2 communications, in particular connections to unknown or newly registered domains originating from Office processes. Egress filtering can block these connections; D3FEND's Outbound Traffic Filtering (D3-OTF) is the critical control here.
  • Threat Hunting: Proactively hunt for CheapShot and ShroudDoor using the file names, hashes and network indicators published by threat intelligence providers, and hunt behaviourally for the Excel-to-child-process and Excel-to-internet patterns above, which survive a recompiled payload with new hashes.

Mitigation

  • User Training: Train employees, especially those in targeted sectors, to identify and report phishing attempts. Emphasize that an add-in security prompt or an "Enable Content" bar appearing in an Office file received by email is itself a warning sign, not a step to click through. This maps to User Training (M1017).
  • Attack Surface Reduction: Disable or restrict Excel add-ins (XLL files) via Group Policy where they are not required for business operations, and require any remaining add-ins to be signed by a Trusted Publisher. This is a form of Application Configuration Hardening (D3-ACH).
  • Application Control: Use application allowlisting solutions to prevent the execution of unauthorized executables, including the CheapShot and ShroudDoor malware. This aligns with Executable Allowlisting (D3-EAL).
  • Network Segmentation: Segment critical networks (e.g., defense, manufacturing OT) from the general corporate IT network to prevent attackers from moving laterally after an initial compromise.

Timeline of Events

October 13, 2025: This article was published

MITRE ATT&CK Mitigations

  • M1017 User Training: Training users to recognize and report phishing emails with suspicious attachments is the first line of defense.
  • M1021 Restrict Web-Based Content: Email security gateways should be configured to block or quarantine high-risk attachments such as XLL files.
  • M1042 Disable or Remove Feature or Program: Use Group Policy to disable or restrict Excel add-ins where they are not needed for business operations.
  • M1038 Execution Prevention: Use application control to prevent the execution of unauthorized binaries such as CheapShot and ShroudDoor.

D3FEND Defensive Countermeasures

To directly counter the initial access vector used by Seashell Blizzard, organizations should implement Application Configuration Hardening (D3-ACH) for Microsoft Office. Use Group Policy Objects (GPOs) to control how Excel handles add-ins: for most users, disable application add-ins entirely; for the small subset who need them, create an exception group and enforce the Office policy that requires application add-ins to be signed by a Trusted Publisher, loading them only from a controlled, read-only network location. Also confirm that the Microsoft 365 default that blocks XLL files carrying the Mark of the Web has not been overridden in your tenant. This removes the attacker's ability to execute the first-stage payload and stops the chain before it begins.

Assuming an initial compromise occurs, Outbound Traffic Filtering (D3-OTF) is the control that stops CheapShot from retrieving ShroudDoor. Configure egress rules on perimeter firewalls and web proxies to deny outbound connections by default and allow only traffic to known-good, categorized destinations; because APT C2 domains are frequently newly registered or uncategorized, a default-deny stance blocks the download. For finer control, use process-aware rules (host firewall or endpoint agent) so that only approved browsers may reach the internet freely, while Office binaries such as EXCEL.EXE are limited to Microsoft's published Microsoft 365 endpoints. Excel has legitimate reasons to talk to those services, so a blanket block on Office egress will break users; denying everything else severs the link to the C2 server and leaves the downloader inert.

Sources & References

13th October – Threat Intelligence Report
Check Point Research (research.checkpoint.com) October 13, 2025

Article Author

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & Analysis, Security Orchestration (SOAR/XSOAR), Incident Response & Digital Forensics, Security Operations Center (SOC), SIEM & Security Analytics, Cyber Fusion & Threat Sharing, Security Automation & Integration, Managed Detection & Response (MDR)

Tags

Seashell Blizzard, Sandworm, APT44, Russia, Critical Infrastructure, Ukraine, Phishing, Malware, ShroudDoor
