Rootsaw

Malware updated 5 months ago (2024-05-23T16:17:28.519Z)
Rootsaw, also known as EnvyScout, is a first-stage payload used extensively by the state-sponsored group APT29 for initial access in operations to collect foreign political intelligence. It is typically delivered by phishing emails carrying HTML attachments or .HTA files that execute the JavaScript-based Rootsaw dropper. In some instances, Rootsaw has been delivered alongside WINELOADER, a backdoor that is also distributed through phishing emails. These phishing campaigns have primarily targeted Germany and Ukraine, among other locations.

Since 2021, APT29 has evolved its tactics, techniques, and procedures (TTPs) to meet new objectives. Traditionally, Rootsaw was delivered as a ZIP file attachment containing the dropper; more recently, Rootsaw has for the first time been embedded within a PDF document. This adaptation suggests an increase in the group's workload and a shift in its strategies to maintain effectiveness. One such tactic is HTML smuggling, a method of delivering malicious HTML attachments that has seen a significant upswing amid heavy employee browser usage. In one particular instance, a ZIP file containing the ROOTSAW dropper was used to deploy a second-stage lure document themed around the CDU, along with a WINELOADER payload retrieved from a specific URL. Victims were directed to a malicious ZIP file containing the Rootsaw dropper hosted on an actor-controlled compromised website.

Despite these changes in delivery methods, Rootsaw remains the central component of APT29's initial access efforts, and it continues to pose a persistent threat.
Description last updated: 2024-05-23T15:17:53.679Z
Aliases: We are not currently tracking any aliases
Miscellaneous Associations (other elements of context that could aid in the identification of relevance): Dropper, Mandiant, Payload
Associated Threat Actors
Alias: APT29
Description: The APT29 Threat Actor is associated with Rootsaw. APT29, also known as Cozy Bear, Midnight Blizzard, Nobelium, and the Dukes, is a Russia-linked threat actor associated with the SVR. This group is notorious for its sophisticated cyber espionage tactics, techniques, and procedures. APT29 often uses The Onion Router (TOR) network, leased and compromised
Association Type: Unspecified
Votes: 3