Rootsaw

Malware Profile Updated 2 months ago
Rootsaw, also known as EnvyScout, is a first-stage dropper used extensively by the state-sponsored group APT29 to gain initial access in support of its collection of foreign political intelligence. It is typically delivered via phishing emails carrying HTML or .HTA file attachments, which execute the JavaScript-based Rootsaw dropper. In some instances, Rootsaw has been delivered alongside WINELOADER, a backdoor that is also distributed through phishing emails. These phishing campaigns have primarily targeted Germany and Ukraine, among other locations. Since 2021, APT29 has evolved its tactics, techniques, and procedures (TTPs) to meet new objectives. Traditionally, Rootsaw was delivered as a zip file attachment containing the dropper; recent campaigns have, for the first time, embedded Rootsaw within a PDF document. This adaptation suggests an increase in the group's operational tempo and a shift in strategy to maintain effectiveness. One such tactic is HTML smuggling, a method of delivering malicious HTML attachments that has seen a significant upswing amid heavy employee browser usage. In one particular instance, a ZIP file containing the ROOTSAW dropper was used to deploy a second-stage lure document themed around the CDU, along with a WINELOADER payload retrieved from a specific URL. Victims were directed to a malicious ZIP file containing a "Rootsaw" dropper hosted on an actor-controlled compromised website. Despite these changes in delivery methods, Rootsaw remains the central component of APT29's initial access efforts, demonstrating its persistent threat.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID | Votes | Profile Description
EnvyScout | 1 | EnvyScout is a sophisticated malware used primarily by the threat actor group NOBELIUM, also known as APT29 or Cozy Bear. This malware, tracked by Microsoft and alternatively referred to as Rootsaw, is delivered via spear-phishing emails, often disguised with seemingly harmless attachments such as t
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Dropper
Payload
Mandiant
Remcos
Malware
Ukraine
Phishing
Backdoor
State Sponso...
Malware Drop...
Associated Malware
ID | Type | Votes | Profile Description
Spica | Unspecified | 1 | Spica is a custom malware developed and utilized by the threat group known as Coldriver. The backdoor software, Spica, was first identified by Google's Threat Analysis Group (TAG), which has been tracking its use since as early as September of the previous year. The malware appears to be used in hig
RomCom | Unspecified | 1 | RomCom is a type of malware, specifically a Remote Access Trojan (RAT), that has been linked to several cyber-attacks across Europe and North America. It was first identified in spring 2022, when third-party and open-source reports highlighted a potential connection between Cuba ransomware actors, R
Rhadamanthys | Unspecified | 1 | Rhadamanthys is a type of malware that has been identified as a significant threat to computer systems. This malicious software, designed to exploit and damage computers or devices, can infiltrate systems through suspicious downloads, emails, or websites. Once it gains access, Rhadamanthys can steal
Smokeloader | Unspecified | 1 | SmokeLoader is a malicious software (malware) that has been extensively used by threat actors, particularly those associated with the Phobos ransomware. It functions as a backdoor trojan, often arriving on victims' systems via spoofed email attachments embedded with hidden payloads. Once downloaded,
Associated Threat Actors
ID | Type | Votes | Profile Description
APT29 | Unspecified | 3 | APT29, also known as Cozy Bear, SVR group, BlueBravo, Nobelium, Midnight Blizzard, and The Dukes, is a threat actor linked to Russia. This group is notorious for its malicious activities in the cybersecurity realm, executing actions with harmful intent. It has been associated with several high-profi
APT28 | Unspecified | 1 | APT28, also known as Fancy Bear, is a threat actor linked to Russia and has been involved in numerous cyber espionage campaigns. The group is notorious for its sophisticated tactics, techniques, and procedures (TTPs). Recently, NATO and the EU formally condemned APT28's activities, acknowledging the
APT44 | Unspecified | 1 | APT44, previously known as Sandworm, is a Russian military intelligence hacking team newly designated by Mandiant. The group has been active in conducting campaigns leveraging Sandworm malware since the start of 2023, primarily targeting Ukraine, Eastern Europe, and investigative journalists. APT44'
Turla | Unspecified | 1 | Turla, also known as Pensive Ursa, is a sophisticated threat actor linked to Russia that has been active for many years. The group is known for its advanced cyber-espionage capabilities and has been associated with numerous high-profile breaches. According to the MITRE ATT&CK and MITRE Ingenuity dat
Winter Vivern | Unspecified | 1 | Winter Vivern is a threat actor group that has recently been active in the cybersecurity landscape. This group, which is believed to align with the interests of Belarus, has been involved in a series of malicious activities targeting different entities. They have notably exploited a zero-day vulnera
Gamaredon | Unspecified | 1 | Gamaredon, a Russian Advanced Persistent Threat (APT) group, has been actively tracked since 2013 and is recognized as a significant threat actor in the cybersecurity landscape. Its primary target is Ukraine, against which it deploys an array of home-brewed malware through malicious documents. The E
Gossamer Bear | Unspecified | 1 | Gossamer Bear, also known as Callisto, Blue Callisto, BlueCharlie (or TAG-53), Calisto, Star Blizzard (formerly SEABORGIUM), TA446, and UNC4057, is a significant threat actor that has been active since 2019. The group primarily focuses on credential harvesting and conducts hack-and-leak campaigns ta
Associated Vulnerabilities
ID | Type | Votes | Profile Description
No associations to display
Source Document References
Information about the Rootsaw malware was read from the document corpus below. This display is limited to 20 results.
Source | Created At | Title
Flashpoint | 2 months ago | Evolving Tactics: How Russian APT Groups Are Shaping Cyber Threats in 2024
CERT-EU | 10 months ago | Russia's APT29 intensifies espionage operations
Securityaffairs | 4 months ago | Russia-linked APT29 targeted German political parties with WINELOADER backdoor
BankInfoSecurity | 4 months ago | Russian Nation-State Hacker Targets German Political Parties
InfoSecurity-magazine | 4 months ago | Russian APT29 Group Targets German Politicians