APT28 Cyber Threat Group Expands Phishing Campaigns Globally
March 18, 2024
APT28, a cyber threat group associated with Russia, has been identified as the perpetrator of multiple ongoing phishing campaigns. These campaigns use documents that mimic those of governmental and non-governmental organizations in Europe, the South Caucasus, Central Asia, and North and South America. According to a report published by IBM X-Force, the documents used in these schemes are a mix of internal, publicly available, and possibly actor-generated documents relating to finance, critical infrastructure, executive engagements, cybersecurity, maritime security, healthcare, business, and defense industrial production.
IBM X-Force is monitoring this activity under the codename ITG05. This group, also known by several other names including Fancy Bear and Pawn Storm, was observed using decoys related to the Israel-Hamas conflict to deliver a custom backdoor called HeadLace over three months ago. Since then, APT28 has also targeted Ukrainian government entities and Polish organizations with phishing emails designed to deploy custom implants and information stealers like MASEPIE, OCEANMAP, and STEELHOOK.
Some of the group's campaigns have exploited a security vulnerability in Microsoft Outlook (CVE-2023-23397) to steal NT LAN Manager (NTLM) v2 hashes, which suggests the group may exploit other security weaknesses to exfiltrate NTLMv2 hashes for use in relay attacks. The most recent campaigns, observed by IBM X-Force between late November 2023 and February 2024, have used the 'search-ms:' URI protocol handler in Microsoft Windows to trick victims into downloading malware hosted on actor-controlled WebDAV servers.
There is evidence that both the WebDAV servers and the MASEPIE command-and-control (C2) servers may be hosted on compromised Ubiquiti routers; a botnet built from such routers was dismantled by the U.S. government last month. The phishing attacks imitate entities from several countries, including Argentina, Ukraine, Georgia, Belarus, Kazakhstan, Poland, Armenia, Azerbaijan, and the U.S., using a blend of authentic, publicly available government and non-government documents to trigger the infection chains.
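A defender-side check for the 'search-ms:' lure described above, written here as an added example and not taken from the X-Force report: it finds search-ms: URIs in extracted mail or document text and flags those whose location crumb points at a remote UNC or WebDAV path instead of a local folder. The regular expressions, hostnames and sample HTML are constructed for illustration.

```python
import re
from urllib.parse import unquote

# A search-ms: URI runs until whitespace or an HTML/quote delimiter (constructed pattern).
SEARCH_MS_RE = re.compile(r'''search-ms:[^\s"'<>]+''', re.IGNORECASE)
# A location crumb that leaves the host: a UNC path (\\host\share, including the
# \\host@SSL\DavWWWRoot form the WebDAV redirector uses) or an http(s) URL.
REMOTE_LOCATION_RE = re.compile(r'^(\\\\|//|https?://)', re.IGNORECASE)

def parse_search_ms(uri: str) -> dict:
    """Split a search-ms: URI into &-separated parameters; values are percent-decoded
    and repeated keys (a URI may carry several crumb= entries) are kept in a list."""
    params: dict = {}
    body = uri.split(":", 1)[1] if ":" in uri else ""
    for part in body.split("&"):
        if "=" in part:
            key, value = part.split("=", 1)
            params.setdefault(key.strip().lower(), []).append(unquote(value))
    return params

def remote_locations(uri: str) -> list:
    """Return every location: crumb in the URI that points to a remote host."""
    found = []
    for crumb in parse_search_ms(uri).get("crumb", []):
        if crumb.lower().startswith("location:"):
            location = crumb[len("location:"):].strip()
            if REMOTE_LOCATION_RE.match(location):
                found.append(location)
    return found

def scan_text(text: str) -> list:
    """Find search-ms: URIs in text and report those whose search scope is remote."""
    hits = []
    for match in SEARCH_MS_RE.finditer(text):
        uri = match.group(0)
        remotes = remote_locations(uri)
        if remotes:
            shown = parse_search_ms(uri).get("displayname", [""])[0]
            hits.append({"uri": uri, "locations": remotes, "displayname": shown})
    return hits

# Constructed sample: one link scoped to a local folder (benign) and one scoped to a
# remote WebDAV share while labelled "Downloads", the lure pattern worth flagging.
SAMPLE_HTML = """
<a href="search-ms:query=report&crumb=location:C:\\Users\\Public\\Documents">local</a>
<a href="search-ms:query=*.pdf&crumb=location:\\\\webdav.example.invalid@SSL\\DavWWWRoot\\docs&displayname=Downloads">open</a>
"""
```

Running `scan_text` over mail bodies or extracted attachment text gives a simple triage signal; the displayname value is worth surfacing because a remote scope shown as a local-looking folder name is exactly what the lure relies on.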
According to security researchers Joe Fasulo, Claire Zaboeva, and Golo Mühr, ITG05 has updated its methods and now uses the free hosting provider firstcloudit[.]com to stage payloads for ongoing operations. APT28's complex scheme culminates in the execution of MASEPIE, OCEANMAP, and STEELHOOK, which are designed to exfiltrate files, execute arbitrary commands, and steal browser data. OCEANMAP has been described as a more capable version of CredoMap, another backdoor previously attributed to the group.
The researchers concluded that 'ITG05 remains adaptable to changes in opportunity by delivering new infection methodologies and leveraging commercially available infrastructure, while consistently evolving malware capabilities.'