Rootsaw, also known as EnvyScout, is a first-stage payload extensively used by the state-sponsored group APT29 in its initial-access efforts to collect foreign political intelligence. The malware is typically deployed via phishing emails carrying HTML or .HTA file attachments, which execute the JavaScript-based Rootsaw dropper. In some instances, Rootsaw has been delivered alongside WINELOADER, a backdoor that is also distributed through phishing emails. These phishing campaigns have primarily targeted Germany and Ukraine, among other locations.
Since 2021, APT29 has evolved its tactics, techniques, and procedures (TTPs) to meet new objectives. Traditionally, Rootsaw was delivered as a ZIP file attachment disguised as a malware dropper; recently, however, Rootsaw has for the first time been found contained within a PDF document. This adaptation suggests an increase in the group's workload and a shift in its strategies to maintain effectiveness. One such tactic is HTML smuggling, a method of delivering malicious HTML attachments that has seen a significant upswing amid heavy employee browser usage.
In one particular instance, a ZIP file containing the Rootsaw dropper was used to deploy a second-stage lure document themed around the CDU, along with a WINELOADER payload retrieved from a specific URL. Victims were directed to a malicious ZIP file containing the Rootsaw dropper, hosted on an actor-controlled compromised website. Despite these changes in delivery method, Rootsaw remains the central component of APT29's initial-access efforts, and it continues to pose a persistent threat.
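The delivery chain described above (an HTML or .HTA attachment that reconstructs a ZIP or PDF carrier in the recipient's browser) is something a mail gateway or analyst can triage heuristically. The following is an added example of such a triage check, not code from the original description or from any vendor tooling. It assumes a generic HTML-smuggling pattern (a large base64 run decoded with the browser's Blob and download APIs) and scores an attachment by which of those APIs appear together with an embedded ZIP or PDF container; the API list, the container magic bytes, the scoring thresholds and the sample attachment are all constructed for this example.

```python
"""Heuristic triage of an HTML/.HTA email attachment for HTML-smuggling indicators.

Added example, not part of the original description. The indicator list and the
verdict thresholds are assumptions chosen for illustration; tune them to local data.
"""
import base64
import io
import re
import zipfile

# JavaScript APIs typically used to rebuild a file client-side and hand it to the user.
# Each is an indicator, not proof, so they are scored in combination (assumed list).
SMUGGLING_APIS = (
    "atob(",
    "Uint8Array",
    "new Blob(",
    "createObjectURL(",
    "msSaveOrOpenBlob(",
    ".download",
)

# Magic bytes of the two carrier formats the description mentions: ZIP and PDF.
MAGIC = {
    b"PK\x03\x04": "zip",
    b"%PDF-": "pdf",
}

# A base64 run of at least 200 characters is treated as a candidate embedded file.
BASE64_RE = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")


def decode_base64(blob: str) -> bytes:
    """Strictly decode a candidate base64 run; return b'' if it is not valid base64."""
    try:
        return base64.b64decode(blob, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return b""


def classify_payload(data: bytes) -> str:
    """Identify the container type of decoded bytes by magic number."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def triage_attachment(text: str) -> dict:
    """Return the smuggling APIs found, the decoded payloads, and a verdict."""
    apis = [api for api in SMUGGLING_APIS if api in text]
    payloads = []
    for blob in BASE64_RE.findall(text):
        data = decode_base64(blob)
        if data:
            payloads.append({"kind": classify_payload(data), "size": len(data)})
    carries_container = any(p["kind"] in ("zip", "pdf") for p in payloads)
    # Assumed scoring: container + decode/download APIs is the strongest signal;
    # either alone (or a cluster of APIs) only warrants analyst review.
    if carries_container and apis:
        verdict = "suspicious"
    elif carries_container or len(apis) >= 3:
        verdict = "review"
    else:
        verdict = "benign"
    return {"apis": apis, "payloads": payloads, "verdict": verdict}


def build_sample_attachment() -> str:
    """Construct a test input: an HTML page embedding a base64 ZIP next to the
    decode-to-download pattern. The ZIP holds a placeholder text file; this is a
    constructed sample, not a real lure or payload."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("placeholder-lure.txt", "constructed placeholder content " * 12)
    b64 = base64.b64encode(buf.getvalue()).decode()
    return (
        "<html><body><p>Please see the attached document.</p><script>\n"
        f"var payload = '{b64}';\n"
        "var bin = atob(payload);\n"
        "var blob = new Blob([bin], {type: 'application/zip'});\n"
        "var link = document.createElement('a');\n"
        "link.href = URL.createObjectURL(blob);\n"
        "link.download = 'document.zip';\n"
        "</script></body></html>"
    )


if __name__ == "__main__":
    print(triage_attachment(build_sample_attachment()))
```

Because the check decodes the base64 run and inspects the magic bytes, it also flags a PDF carrier of the kind the description mentions, not only a ZIP; an attachment with a long base64 run but no decode/download APIs (an inline image, say) lands in "review" rather than "suspicious", which keeps the false-positive rate manageable.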
Description last updated: 2024-05-23T15:17:53.679Z