APT28 Cyber Threat Group Expands Phishing Campaigns Globally

March 18, 2024

APT28, a Russia-linked threat group, has been identified as the actor behind multiple ongoing phishing campaigns. The lure documents impersonate governmental and non-governmental organizations in Europe, the South Caucasus, Central Asia, and North and South America. According to a report from IBM X-Force, the documents are a mix of internal, publicly available, and possibly actor-generated material on finance, critical infrastructure, executive engagements, cybersecurity, maritime security, healthcare, business, and defense industrial production.

IBM X-Force tracks the activity under the codename ITG05. The group, also known as Fancy Bear and Pawn Storm among other names, was observed a little over three months before this report using decoys themed on the Israel-Hamas conflict to deliver a custom backdoor called HeadLace. Since then, APT28 has also targeted Ukrainian government entities and Polish organizations with phishing emails built to deploy custom implants and information stealers, namely MASEPIE, OCEANMAP, and STEELHOOK.

Some of the group's campaigns have exploited a Microsoft Outlook vulnerability (CVE-2023-23397) that coerces the client into authenticating to an attacker-controlled share, leaking NT LAN Manager (NTLM) v2 hashes. This raises the possibility that the group will abuse other weaknesses to harvest NTLMv2 hashes for relay attacks; blocking outbound SMB to the internet and restricting outgoing NTLM, the mitigations Microsoft recommended for that CVE, remove the leak path. The most recent campaigns, observed by IBM X-Force between late November 2023 and February 2024, instead use the 'search-ms:' URI protocol handler in Microsoft Windows. A crafted link opens a Windows Explorer search window whose results are pulled from a location named in the URI, in this case an actor-controlled WebDAV server, so the victim sees what looks like a local file listing and launches malware hosted remotely. The WebDAV client (the WebClient service) is what makes this work, so disabling it where it is not needed blunts the technique.
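The following is an added example, not code from the article or from IBM X-Force. It parses search-ms: URIs the way a mail-gateway or URL-scanning rule might, pulling out the crumb=location: parameter that the Windows Search protocol uses to name where results come from, and flagging locations that point off-host (UNC paths, \\host@SSL or \\host@port WebDAV syntax, DavWWWRoot, or http/https). The sample hrefs are constructed for the example and use documentation-range hosts; they are not indicators from the campaign.

```python
import re
from urllib.parse import unquote

# Constructed sample hrefs, modelled on how a search-ms: lure could appear in a
# phishing HTML body. Hosts are RFC 5737 / RFC 2606 documentation values, not
# real infrastructure from any report.
SAMPLE_HREFS = [
    "https://www.example.org/report.pdf",
    r"search-ms:query=Report&crumb=location:\\203.0.113.10@SSL\DavWWWRoot\docs&displayname=Documents",
    "search-ms:query=invoice&crumb=location:%5C%5Cfiles.example.net@80%5CDavWWWRoot%5Cinv&displayname=Invoices",
    r"search-ms:query=budget&crumb=location:C:\Users\Public\Documents&displayname=Local",
]

# \\host[@SSL|@port][\rest]  -- the UNC form Explorer hands to the SMB or WebDAV client
UNC_RE = re.compile(r"^\\\\([^\\@]+)(?:@(\w+))?(?:\\(.*))?$")


def parse_search_ms(uri):
    """Split a search-ms: URI into its parameters; return None for other schemes."""
    if not uri.lower().startswith("search-ms:"):
        return None
    params = {}
    for part in uri[len("search-ms:"):].split("&"):
        key, _, value = part.partition("=")
        if key:
            # Percent-decode after splitting so an encoded '&' inside a value survives.
            params[key.strip().lower()] = unquote(value)
    location = None
    crumb = params.get("crumb", "")
    if crumb.lower().startswith("location:"):
        location = crumb[len("location:"):]
    return {"query": params.get("query"), "displayname": params.get("displayname"), "location": location}


def classify_location(location):
    """Decide whether a crumb location points off-host and, if so, to which host."""
    local = {"remote": False, "host": None, "webdav": False}
    if not location:
        return local
    loc = location.strip()
    m = re.match(r"^(https?)://([^/\\]+)", loc, re.IGNORECASE)
    if m:
        return {"remote": True, "host": m.group(2).lower(), "webdav": True}
    m = UNC_RE.match(loc.replace("/", "\\"))
    if m:
        host, port_or_ssl, rest = m.groups()
        if host in ("?", "."):  # \\?\ and \\.\ are local device-path prefixes, not hosts
            return local
        # \\host@SSL\... and \\host@<port>\... are routed to the WebDAV Mini-Redirector;
        # a DavWWWRoot component forces WebDAV as well. Plain \\host\share goes to SMB.
        webdav = bool(port_or_ssl) or (rest or "").lower().startswith("davwwwroot")
        return {"remote": True, "host": host.lower(), "webdav": webdav}
    return local


def scan_hrefs(hrefs):
    """Return one finding per href whose search-ms: crumb points at a remote location."""
    findings = []
    for href in hrefs:
        parsed = parse_search_ms(href)
        if parsed is None:
            continue
        verdict = classify_location(parsed["location"])
        if verdict["remote"]:
            findings.append({
                "href": href,
                "host": verdict["host"],
                "webdav": verdict["webdav"],
                "displayname": parsed["displayname"],
            })
    return findings


if __name__ == "__main__":
    for finding in scan_hrefs(SAMPLE_HREFS):
        transport = "WebDAV" if finding["webdav"] else "SMB"
        print(f"remote search-ms crumb -> {finding['host']} via {transport} "
              f"(shown to user as '{finding['displayname']}')")
```

The displayname value is worth keeping in the alert: it is the folder title the victim sees in Explorer, and a benign-looking name paired with a remote host is the pattern to hunt for. A local crumb, as in the last sample, is normal Windows behaviour and should not fire.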

There is evidence that both the WebDAV servers and the MASEPIE command-and-control servers may be hosted on compromised Ubiquiti routers, the kind of device that made up a botnet the U.S. government dismantled in February 2024. The phishing lures imitate entities from Argentina, Ukraine, Georgia, Belarus, Kazakhstan, Poland, Armenia, Azerbaijan, and the U.S., blending authentic, publicly available government and non-government documents to trigger the infection chains.

According to security researchers Joe Fasulo, Claire Zaboeva, and Golo Mühr, ITG05 has updated its tradecraft and now stages payloads for ongoing operations on the freely available hosting provider firstcloudit[.]com. The infection chain culminates in the execution of MASEPIE, OCEANMAP, and STEELHOOK, which between them exfiltrate files, execute arbitrary commands, and steal browser data. OCEANMAP has been described as a more capable successor to CredoMap, another backdoor previously attributed to the group.

The researchers concluded that 'ITG05 remains adaptable to changes in opportunity by delivering new infection methodologies and leveraging commercially available infrastructure, while consistently evolving malware capabilities.'
