Ukraine's Computer Emergency Response Team (CERT-UA) is warning of a new phishing campaign that allowed Russia-linked hackers to deploy previously unseen malware on a network in under one hour.
APT28, also known as Fancy Bear or Strontium, is a Russian state-sponsored threat actor known for targeting government entities, businesses, universities, research institutes, and think tanks in Western countries and NATO organizations. The group is known to use phishing campaigns and to exploit zero-day vulnerabilities in widely used software.
The latest campaign targeting Ukraine took place between December 15 and 25, 2023, and used phishing emails urging recipients to click a link supposedly leading to an important document.
The links redirect victims to malicious web resources that use JavaScript to drop a Windows shortcut file (LNK). Opening the shortcut launches PowerShell commands that trigger the infection chain for a new Python-based malware downloader called 'MASEPIE'.
MASEPIE establishes persistence on the infected machine by modifying the Windows Registry and adding a deceptively named shortcut ('SystemUpdate.lnk') to the Windows Startup folder.
CERT-UA says the malware's primary role is to download additional malware onto the infected machine and to steal data.
The Ukrainian CERT says APT28 also uses a set of PowerShell scripts named 'STEELHOOK' to steal data from Chrome-based web browsers, most likely to extract sensitive information such as saved passwords, authentication cookies, and browsing history.
Another tool used as part of the attack is 'OCEANMAP', a C# backdoor used primarily to execute base64-encoded commands via cmd.exe.
OCEANMAP establishes persistence on the system by creating a .URL file named 'VMSearch.url' in the Windows Startup folder.
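Both persistence artifacts above, the 'SystemUpdate.lnk' dropped by MASEPIE and the 'VMSearch.url' created by OCEANMAP, land in a Startup folder, which is a small, auditable location. The following is an added example (not code from the CERT-UA report or from either malware family) that audits the files found in a Startup folder: a .URL file is plain INI text, so its target is parsed and checked for a local executable or script; a .LNK is a binary shell link, so it is only flagged for manual resolution of its target and arguments. The sample file contents and names in `SAMPLE_STARTUP` are constructed for the demo and are not the real artifacts.

```python
"""Audit Windows Startup-folder entries for .URL / .LNK persistence.

Added example, not the CERT-UA report's or the malware's own code. The
sample entries at the bottom are constructed for the demo.
"""
import configparser
from pathlib import PureWindowsPath
from typing import Dict, List, Optional
from urllib.parse import unquote, urlparse

# Extensions that should not appear in, or be launched from, a Startup folder
# unless an administrator placed them there deliberately.
SCRIPT_LIKE = {".exe", ".dll", ".bat", ".cmd", ".ps1", ".vbs", ".vbe",
               ".js", ".jse", ".hta", ".wsf", ".scr", ".com"}


def parse_url_file(text: str) -> Dict[str, str]:
    """Parse the INI-style body of a .URL file; return its [InternetShortcut] keys."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case: 'URL', 'IconFile', 'WorkingDirectory'
    try:
        cp.read_string(text)
    except configparser.Error:
        return {}
    if not cp.has_section("InternetShortcut"):
        return {}
    return dict(cp.items("InternetShortcut"))


def local_target(url: str) -> Optional[str]:
    """Return a local or UNC path if the URL points at the filesystem, else None."""
    url = url.strip()
    # Bare drive path (C:\...) or UNC path (\\server\share) with no URL scheme.
    if url.startswith("\\\\") or (len(url) > 1 and url[0].isalpha() and url[1] == ":"):
        return url
    p = urlparse(url)
    if p.scheme.lower() == "file":
        path = unquote(p.path)
        # file://server/share/x -> \\server\share\x ; file:///C:/x -> C:/x
        return f"\\\\{p.netloc}{path}" if p.netloc else path.lstrip("/")
    return None


def audit_startup_entry(name: str, content: str) -> List[str]:
    """Return findings (empty list = nothing suspicious) for one Startup-folder file."""
    findings: List[str] = []
    ext = PureWindowsPath(name).suffix.lower()
    if ext in SCRIPT_LIKE:
        findings.append(f"{name}: executable or script placed directly in Startup")
    elif ext == ".lnk":
        findings.append(f"{name}: shortcut in Startup; resolve its target and arguments")
    elif ext == ".url":
        fields = parse_url_file(content)
        url = fields.get("URL", "")
        target = local_target(url)
        if not fields:
            findings.append(f"{name}: malformed .url (no [InternetShortcut] section)")
        elif target is not None:
            is_exec = PureWindowsPath(target).suffix.lower() in SCRIPT_LIKE
            note = " (executable or script)" if is_exec else ""
            findings.append(f"{name}: .url launches local path {target}{note}")
        elif urlparse(url).scheme.lower() not in ("http", "https"):
            findings.append(f"{name}: .url with non-web target {url!r}")
    return findings


def audit_startup_folder(entries: Dict[str, str]) -> Dict[str, List[str]]:
    """Audit every entry; return only the files that produced findings."""
    result = {name: audit_startup_entry(name, body) for name, body in entries.items()}
    return {name: found for name, found in result.items() if found}


# Constructed sample Startup-folder contents (hypothetical, not real artifacts).
SAMPLE_STARTUP = {
    "VMSearch.url": "[InternetShortcut]\r\nURL=file:///C:/Users/Public/VMSearch.exe\r\n",
    "SystemUpdate.lnk": "<binary shell link; not parsed in this example>",
    "Intranet.url": "[InternetShortcut]\r\nURL=https://intranet.example.internal/\r\n",
    "desktop.ini": "[.ShellClassInfo]\r\nLocalizedResourceName=@shell32.dll,-21787\r\n",
}

if __name__ == "__main__":
    for _name, _findings in audit_startup_folder(SAMPLE_STARTUP).items():
        for line in _findings:
            print(line)
```

On a live host the same function runs over both the per-user Startup folder (`%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup`) and the all-users one (`%ProgramData%\Microsoft\Windows\Start Menu\Programs\StartUp`); a .URL whose target is a `file:` path or a bare drive path is almost never legitimate there, whereas a .LNK needs its target and arguments resolved before judging it.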
OCEANMAP uses the Internet Message Access Protocol (IMAP) as its control channel, a choice that lets it receive commands discreetly, since the traffic looks like an ordinary mail client talking to a legitimate mail server. Commands are stored as email drafts containing the command, the username, and the OS version.
After executing the commands, OCEANMAP stores the results in the inbox directory, allowing APT28 to retrieve the output stealthily and adjust the attack if needed.
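Because nothing is ever sent, a network sensor sees only IMAP sessions to a mail server; the artifacts that do exist are the drafts themselves. The following is an added example (not code from the CERT-UA report or from OCEANMAP) of a mailbox audit for that pattern: it parses each message from a Drafts folder and flags bodies that are base64 decoding to readable text, and in particular text that looks like a cmd.exe command line. OCEANMAP's exact draft format is not given on this page, so the sample drafts in `SAMPLE_DRAFTS` are constructed for the demo and only follow the description above (a base64-encoded command plus username and OS version); the token list in `SHELL_TOKENS` is an assumption, not an indicator from the report.

```python
"""Audit IMAP drafts for a base64 command channel.

Added example, not the CERT-UA report's or OCEANMAP's own code. The draft
format and sample messages below are constructed for the demo.
"""
import base64
import binascii
import email
import re
from email.message import Message
from typing import Dict, List, Optional

B64_CHARS = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
# Hypothetical command-line tokens; tune to the environment.
SHELL_TOKENS = ("cmd.exe", "cmd /c", "powershell", "whoami", "rundll32",
                "certutil", "net user", "tasklist", "systeminfo")


def decode_if_base64(text: str) -> Optional[str]:
    """Return the decoded text if `text` is base64 of readable UTF-8, else None."""
    s = "".join(text.split())  # ignore MIME line wrapping and stray whitespace
    if len(s) < 8 or len(s) % 4 or not B64_CHARS.match(s):
        return None
    try:
        decoded = base64.b64decode(s, validate=True).decode("utf-8")
    except (binascii.Error, ValueError):  # UnicodeDecodeError is a ValueError
        return None
    if all(c.isprintable() or c in "\r\n\t" for c in decoded):
        return decoded
    return None


def body_text(msg: Message) -> str:
    """Extract the text/plain body of a parsed message (multipart-aware)."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() != "text/plain":
            continue
        payload = part.get_payload(decode=True) or b""
        chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def audit_draft(raw: str) -> List[str]:
    """Return findings for one RFC 822 message taken from the Drafts folder."""
    msg = email.message_from_string(raw)
    findings: List[str] = []
    if not msg.get("To"):
        findings.append("draft has no recipient")  # weak signal on its own
    decoded = decode_if_base64(body_text(msg))
    if decoded is not None:
        findings.append("body is base64 that decodes to readable text")
        lowered = decoded.lower()
        hits = [t for t in SHELL_TOKENS if t in lowered]
        if hits:
            findings.append(f"decoded body looks like a shell command ({', '.join(hits)})")
    return findings


def audit_drafts(drafts: Dict[str, str]) -> Dict[str, List[str]]:
    """Audit every draft; return only those with findings, keyed by caller's id."""
    out: Dict[str, List[str]] = {}
    for key, raw in drafts.items():
        found = audit_draft(raw)
        if found:
            out[key] = found
    return out


def _draft(subject: str, body: str, to: str = "") -> str:
    """Build a constructed RFC 822 draft for the demo."""
    headers = [f"Subject: {subject}", "From: user@example.internal"]
    if to:
        headers.append(f"To: {to}")
    return "\r\n".join(headers) + "\r\n\r\n" + body


# Constructed task in the shape the text describes: command, username, OS version.
_TASK = base64.b64encode(b"cmd.exe /c whoami /all\r\nuser=jdoe\r\nos=Windows 10").decode()

SAMPLE_DRAFTS = {
    "draft-1": _draft("Re: Monday", "Hi, can we move the meeting to 10?",
                      to="boss@example.internal"),
    "draft-2": _draft("1", _TASK),                    # operator-planted task
    "draft-3": _draft("notes", "aGVsbG8gd29ybGQ="),   # base64 'hello world', no command
}

if __name__ == "__main__":
    for key, findings in audit_drafts(SAMPLE_DRAFTS).items():
        print(key, findings)
```

Against a real mailbox the raw messages would come from an IMAP `FETCH` of the Drafts folder (or from a mail-server export); the same checks applied to the Inbox, looking for self-addressed messages carrying base64 text, cover the result-delivery side of the channel described above.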
Other tools deployed in the attacks for network reconnaissance and lateral movement include IMPACKET, a collection of Python classes for working with network protocols, and SMBEXEC, an Impacket component that enables remote command execution over SMB.
Ukraine's CERT says these tools are deployed on compromised systems within an hour of the initial compromise, indicating a fast and well-coordinated attack.