APT28 Phishing Campaign Deploying New Malware Uncovered by CERT-UA

December 29, 2023

The Ukrainian Computer Emergency Response Team (CERT-UA) has issued a warning about a new phishing operation run by the APT28 group, which is linked to Russia. This operation involves the deployment of previously unreported malware strains such as OCEANMAP, MASEPIE, and STEELHOOK, with the aim of gathering sensitive information.

The campaign was detected by CERT-UA between December 15 and 25, 2023, and targets government entities. The phishing emails encourage the recipients to click on a link to view a document. In reality, these links lead to malicious web resources that misuse JavaScript and the 'search-ms:' URI protocol handler to drop a Windows shortcut file (LNK) that initiates PowerShell commands. These commands then trigger an infection chain for a new malware named MASEPIE.

MASEPIE is a Python-based tool that is used to download and upload files and execute commands. It communicates with the command-and-control (C2) server over an encrypted channel using the TCP protocol. The attacks also set the stage for the deployment of additional malware, including a PowerShell script named STEELHOOK. STEELHOOK is capable of extracting web browser data and sending it to a server controlled by the actor in a Base64-encoded format.

Another malware delivered is a C#-based backdoor called OCEANMAP. It is designed to execute commands using cmd.exe. CERT-UA stated, 'The IMAP protocol is used as a control channel,' and added that persistence is achieved by creating a URL file named 'VMSearch.url' in the Windows Startup folder. The commands, in Base64-encoded form, are stored as messages in the 'Drafts' folder of the corresponding mailbox. Each of these drafts contains the name of the computer, the user's name, and the version of the OS. The results of the commands are stored in the inbox directory.
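The two host artifacts described above, the LNK-launched PowerShell in the MASEPIE chain and the 'VMSearch.url' Startup entry used by OCEANMAP, are the kind of thing a defender can hunt for directly. The script below is an added example, not code from CERT-UA or the report; the process events, the temporary Startup folder and the URL target inside the .url file are constructed sample data, with the target a labelled placeholder.

```python
"""Added hunt for two host artifacts the CERT-UA report describes: a .url file in a
Windows Startup folder (OCEANMAP persistence, e.g. VMSearch.url) and PowerShell
started by Explorer, which is what happens when a user opens the dropped LNK.
All events and files below are constructed sample data, not real telemetry."""
import re
import tempfile
from pathlib import Path

PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
EXPLORER = "C:\\Windows\\explorer.exe"

# Constructed process-creation records: (parent image, image, command line).
SAMPLE_EVENTS = [
    (EXPLORER, PS, "powershell.exe -w hidden -c <payload elided>"),
    (EXPLORER, "C:\\Windows\\System32\\notepad.exe", "notepad.exe"),
    ("C:\\Windows\\System32\\svchost.exe", PS, "powershell.exe -File C:\\ops\\patch.ps1"),
]


def powershell_from_explorer(events):
    """Command lines of PowerShell processes whose parent is Explorer.
    Explorer is what launches an LNK's target, so this is the process
    signature of the MASEPIE dropper; PowerShell launched by services,
    schedulers or scripts is left alone. Treat hits as triage leads,
    since users also run legitimate PowerShell shortcuts this way."""
    return [cmd for parent, image, cmd in events
            if parent.lower().endswith("\\explorer.exe")
            and image.lower().endswith("\\powershell.exe")]


def url_files_in_startup(startup_dirs):
    """(file name, URL= target) for every .url file in the given Startup folders.
    Internet-shortcut files are INI text with a [InternetShortcut] section.
    On a live host pass the per-user folder (%APPDATA%\\Microsoft\\Windows\\
    Start Menu\\Programs\\Startup) and the all-users one under ProgramData."""
    found = []
    for d in startup_dirs:
        for p in Path(d).glob("*.url"):
            m = re.search(r"^URL=(.*)$", p.read_text(errors="ignore"), re.M)
            found.append((p.name, m.group(1).strip() if m else ""))
    return found


def build_sample_startup():
    """Create a temp 'Startup' folder holding a constructed VMSearch.url (the
    file name CERT-UA reports) plus a benign .lnk; the URL target is a
    placeholder, not the real OCEANMAP path."""
    d = Path(tempfile.mkdtemp()) / "Startup"
    d.mkdir()
    (d / "VMSearch.url").write_text(
        "[InternetShortcut]\nURL=file:///C:/Users/Public/PLACEHOLDER.exe\n")
    (d / "Teams.lnk").write_bytes(b"\x4c\x00\x00\x00")
    return str(d)


if __name__ == "__main__":
    print(powershell_from_explorer(SAMPLE_EVENTS))
    print(url_files_in_startup([build_sample_startup()]))
```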

CERT-UA further noted that within an hour of the initial compromise, reconnaissance and lateral movement activities are conducted using tools like Impacket and SMBExec. This revelation comes just weeks after IBM X-Force reported APT28's use of lures related to the ongoing Israel-Hamas conflict to facilitate the delivery of a custom backdoor named HeadLace.

In recent times, the prolific Kremlin-backed hacking group has also been linked to the exploitation of a now-fixed critical security vulnerability in Microsoft's Outlook email service (CVE-2023-23397, CVSS score: 9.8) to gain unauthorized access to victims' accounts on Exchange servers.
