Saturday, December 30, 2023

CERT-UA Uncovers New Malware Wave Distributing OCEANMAP, MASEPIE, STEELHOOK


Dec 29, 2023 | Newsroom | Email Security / Malware

The Computer Emergency Response Team of Ukraine (CERT-UA) has warned of a new phishing campaign orchestrated by the Russia-linked APT28 group to deploy previously undocumented malware such as OCEANMAP, MASEPIE, and STEELHOOK to harvest sensitive information.

The activity, which the agency detected between December 15 and 25, 2023, targets government entities with email messages urging recipients to click on a link to view a document.


The links, however, redirect to malicious web resources that abuse JavaScript and the "search-ms:" URI protocol handler to drop a Windows shortcut file (LNK) that launches PowerShell commands to activate an infection chain for a new malware called MASEPIE.

MASEPIE is a Python-based tool to download/upload files and execute commands, with communications with the command-and-control (C2) server taking place over an encrypted channel using the TCP protocol.

The attacks further pave the way for the deployment of additional malware, including a PowerShell script called STEELHOOK that is capable of harvesting web browser data and exporting it to an actor-controlled server in Base64-encoded format.

Also delivered is a C#-based backdoor dubbed OCEANMAP that is designed to execute commands using cmd.exe.

"The IMAP protocol is used as a control channel," CERT-UA said, adding that persistence is achieved by creating a URL file named "VMSearch.url" in the Windows Startup folder.

"Commands, in Base64-encoded form, are contained in the 'Drafts' of the corresponding email directories; each of the drafts contains the name of the computer, the name of the user and the version of the OS. The results of the commands are saved in the inbox directory."
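The two OCEANMAP traits CERT-UA describes (a VMSearch.url shortcut in the Startup folder and an IMAP Drafts channel carrying Base64-encoded commands beside the computer name, user name and OS version) translate into concrete host and mailbox checks. The Python script below is an added example written for this article, not CERT-UA's tooling or the malware's code. It lists Internet Shortcut (.url) files in the Windows Startup folders, flagging one named VMSearch.url or pointing at a non-web target, and applies the advisory's description of the Drafts channel to draft bodies as a responder would fetch them with imaplib. Only the artefact name VMSearch.url comes from the advisory; the Startup folder locations, the shortcut target in the fixture and the draft layout in the sample are assumptions.

```python
"""Defender-side checks for the two OCEANMAP traits CERT-UA describes:
persistence via a "VMSearch.url" Internet Shortcut in the Windows Startup
folder, and an IMAP control channel whose Drafts carry Base64-encoded
commands together with the computer name, user name and OS version.

Added example, not CERT-UA's or the malware's code. Only the artefact name
comes from the advisory; the draft layout used in the sample and the
"non-web target" heuristic are assumptions.
"""
import base64
import configparser
import os
import re
import tempfile
from pathlib import Path

PERSISTENCE_ARTEFACT = "vmsearch.url"   # file name reported by CERT-UA


def startup_dirs() -> list:
    """Per-user and all-users Startup folders (standard Windows locations, assumed)."""
    dirs = []
    for var, sub in (("APPDATA", "Microsoft/Windows/Start Menu/Programs/Startup"),
                     ("PROGRAMDATA", "Microsoft/Windows/Start Menu/Programs/StartUp")):
        root = os.environ.get(var)
        if root:
            dirs.append(Path(root) / sub)
    return dirs


def parse_url_file(path: Path) -> dict:
    """A .url file is INI text with an [InternetShortcut] section; return its keys lower-cased."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read(path, encoding="utf-8")
    return dict(cp["InternetShortcut"]) if cp.has_section("InternetShortcut") else {}


def scan_startup(dirs) -> list:
    """List every .url file in the given Startup folders with the reasons it is
    suspicious (an empty reasons list means nothing noteworthy)."""
    findings = []
    for d in map(Path, dirs):
        if not d.is_dir():
            continue
        for f in sorted(d.iterdir()):
            if f.suffix.lower() != ".url":
                continue
            target = parse_url_file(f).get("url", "")
            reasons = []
            if f.name.lower() == PERSISTENCE_ARTEFACT:
                reasons.append("name matches the OCEANMAP persistence artefact")
            if target and not re.match(r"https?://", target, re.I):
                reasons.append("shortcut target is not a web URL: " + target)
            findings.append({"path": str(f), "target": target, "reasons": reasons})
    return findings


def build_sample_startup_dir() -> Path:
    """Constructed fixture: a temp folder with one benign and one suspicious .url file."""
    d = Path(tempfile.mkdtemp(prefix="startup_"))
    (d / "Intranet.url").write_text("[InternetShortcut]\nURL=https://intranet.example/\n")
    # Constructed target path; the real file's contents are not given in the advisory.
    (d / "VMSearch.url").write_text("[InternetShortcut]\nURL=file:///C:/Users/Public/VMSearch.exe\n")
    return d


# --- IMAP Drafts channel -------------------------------------------------------
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def decode_b64_text(token: str):
    """Return the decoded text if the token is valid Base64 of printable text, else None."""
    try:
        text = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):   # binascii.Error is a ValueError
        return None
    return text if all(c.isprintable() or c in "\r\n\t" for c in text) else None


def triage_draft(body: str) -> dict:
    """Flag a draft that carries an OS-version fingerprint plus a Base64 token that
    decodes to text, which is how the advisory describes OCEANMAP tasking."""
    commands = [t for t in (decode_b64_text(m) for m in B64_TOKEN.findall(body)) if t]
    fingerprint = re.search(r"windows\s*\d", body, re.I) is not None
    return {"suspicious": bool(commands) and fingerprint, "commands": commands}


def sample_drafts() -> list:
    """Constructed drafts (layout assumed): one tasking draft and one ordinary unsent mail."""
    return [
        "DESKTOP-ABC123|jdoe|Windows 10.0.19045\naXBjb25maWcgL2FsbA==\n",
        "Hi team,\nplease find the Q4 slides attached.\nThanks",
    ]


if __name__ == "__main__":
    # On a non-Windows host the real Startup folders do not exist, so fall back to the fixture.
    for hit in scan_startup(startup_dirs() or [build_sample_startup_dir()]):
        print(hit)
    for body in sample_drafts():
        print(triage_draft(body))
```

On a live mailbox the same triage_draft function can be run over the bodies of every message in the Drafts folder; a tasking draft decodes to a recognisable shell command next to the host fingerprint, while ordinary unsent mail yields no Base64 token at all.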


The agency further pointed out that reconnaissance and lateral movement activities are carried out within an hour of the initial compromise by taking advantage of tools like Impacket and SMBExec.

The disclosure comes weeks after IBM X-Force revealed APT28's use of lures related to the ongoing Israel-Hamas war to facilitate the delivery of a custom backdoor called HeadLace.

In recent weeks, the prolific Kremlin-backed hacking group has also been attributed to the exploitation of a now-patched critical security flaw in Microsoft's Outlook email service (CVE-2023-23397, CVSS score: 9.8) to gain unauthorized access to victims' accounts within Exchange servers.
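Two stages of the chain CERT-UA describes leave log artefacts a SOC can hunt for: the "search-ms:" handler and the LNK-launched PowerShell at delivery, and SMBExec service installs during the lateral movement reported within the first hour. The script below is an added example, not CERT-UA's or Impacket's code; it runs three rules over constructed proxy, process-creation and service-install (Windows Event ID 7045) events. The event field names are assumed to follow a Sysmon/EVTX export, rule R2 is a deliberately broad heuristic that will also match benign shortcut launches, and the service name and command wrapper matched by rule R3 are the open-source smbexec tool's defaults as I know them, which an operator can change, so verify them against the version you test with.

```python
"""Triage rules for two stages of the APT28 chain in the CERT-UA advisory:
the delivery stage (web page abusing the "search-ms:" URI handler, dropping a
LNK that launches PowerShell) and the lateral-movement stage (Impacket SMBExec
within the first hour). Added example, not CERT-UA tooling. Field names mirror
Sysmon/EVTX exports but are assumed; all sample events are constructed.
"""
import re
from dataclasses import dataclass, field


@dataclass
class Event:
    kind: str            # "url" (proxy/browser log), "process" (Sysmon 1 / 4688) or "service_install" (7045)
    fields: dict = field(default_factory=dict)


@dataclass
class Finding:
    rule: str
    severity: str
    reason: str
    event: Event


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


# R1: the advisory's delivery vector is a web resource invoking the search-ms: handler.
SEARCH_MS = re.compile(r"search-ms:", re.I)

# R3: default artefacts of open-source Impacket smbexec as I know them (assumption:
# the service name and command wrapper are configurable, so verify against the version in use).
SMBEXEC_SERVICE = "btobto"
SMBEXEC_WRAPPER = re.compile(r"%COMSPEC%\s+/Q\s+/c\s+echo\s.*2\^>\^&1\s*>", re.I)


def check_event(ev: Event):
    """Return a Finding for the first rule the event matches, else None."""
    f = ev.fields
    if ev.kind == "url" and SEARCH_MS.search(f.get("url", "")):
        return Finding("R1-search-ms-uri", "high",
                       "search-ms: protocol handler invoked from web content", ev)
    if ev.kind == "process":
        # R2: a double-clicked LNK is launched by Explorer, so PowerShell whose parent is
        # explorer.exe is consistent with the LNK stage. Heuristic; expect benign hits.
        if (_basename(f.get("image", "")) == "powershell.exe"
                and _basename(f.get("parent_image", "")) == "explorer.exe"):
            return Finding("R2-explorer-powershell", "medium",
                           "PowerShell started by Explorer: consistent with a shortcut (LNK) launch", ev)
    if ev.kind == "service_install":
        if (f.get("service_name", "").lower() == SMBEXEC_SERVICE
                or SMBEXEC_WRAPPER.search(f.get("image_path", ""))):
            return Finding("R3-smbexec-service", "high",
                           "service install matches the smbexec command wrapper", ev)
    return None


def triage(events) -> list:
    """Run every event through the rules and keep the matches, in event order."""
    return [fnd for fnd in map(check_event, events) if fnd is not None]


def sample_events() -> list:
    """Constructed telemetry from one host, not real data."""
    return [
        Event("url", {"host": "ws1", "url": "https://example.invalid/view/document"}),
        Event("url", {"host": "ws1",
                      "url": "search-ms:displayname=Document&crumb=location:\\\\example.invalid\\docs"}),
        Event("process", {"host": "ws1", "image": r"C:\Windows\explorer.exe",
                          "parent_image": r"C:\Windows\System32\userinit.exe"}),
        Event("process", {"host": "ws1",
                          "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                          "parent_image": r"C:\Windows\explorer.exe",
                          "command_line": "powershell.exe <constructed arguments>"}),
        Event("service_install", {"host": "ws1", "service_name": "ExampleAgent",
                                  "image_path": r"C:\Program Files\Example\agent.exe"}),
        Event("service_install", {"host": "ws1", "service_name": "BTOBTO",
                                  "image_path": r"%COMSPEC% /Q /c echo ipconfig /all ^> \\127.0.0.1\C$\__output 2^>^&1 > %TEMP%\execute.bat & %COMSPEC% /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat"}),
    ]


if __name__ == "__main__":
    for fnd in triage(sample_events()):
        print(f"[{fnd.severity}] {fnd.rule}: {fnd.reason} (host {fnd.event.fields.get('host')})")
```

The one-hour window the agency reports is the reason to correlate these rules rather than alert on each alone: an R1 or R2 hit on a workstation followed within the hour by an R3 service install on another host is a far stronger signal than either event by itself.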
