APT28 Phishing Campaign Deploying New Malware Uncovered by CERT-UA

December 29, 2023

The Ukrainian Computer Emergency Response Team (CERT-UA) has issued a warning about a new phishing operation run by the APT28 group, which is linked to Russia. This operation involves the deployment of previously unreported malware strains such as OCEANMAP, MASEPIE, and STEELHOOK, with the aim of gathering sensitive information.

The campaign was detected by CERT-UA between December 15 and 25, 2023, and targets government entities. The phishing emails encourage the recipients to click on a link to view a document. In reality, these links lead to malicious web resources that misuse JavaScript and the 'search-ms:' URI protocol handler to drop a Windows shortcut file (LNK) that initiates PowerShell commands. These commands then trigger an infection chain for a new malware named MASEPIE.

MASEPIE is a Python-based tool that is used to download and upload files and execute commands. It communicates with the command-and-control (C2) server over an encrypted channel using the TCP protocol. The attacks also set the stage for the deployment of additional malware, including a PowerShell script named STEELHOOK. STEELHOOK is capable of extracting web browser data and sending it to a server controlled by the actor in a Base64-encoded format.

Another malware delivered is a C#-based backdoor called OCEANMAP. It is designed to execute commands using cmd.exe. CERT-UA stated, 'The IMAP protocol is used as a control channel,' and added that persistence is achieved by creating a URL file named 'VMSearch.url' in the Windows Startup folder. The commands, in a Base64-encoded form, are stored in the 'Drafts' of the corresponding email directories. Each of these drafts contains the name of the computer, the user's name, and the version of the OS. The results of the commands are stored in the inbox directory.

CERT-UA further noted that within an hour of the initial compromise, reconnaissance and lateral movement activities are conducted using tools like Impacket and SMBExec. This revelation comes just weeks after IBM X-Force reported APT28's use of lures related to the ongoing Israel-Hamas conflict to facilitate the delivery of a custom backdoor named HeadLace.

In recent times, the prolific Kremlin-backed hacking group has also been linked to the exploitation of a now-fixed critical security vulnerability in its Outlook email service (CVE-2023-23397, CVSS score: 9.8) to gain unauthorized access to victims' accounts within Exchange servers.

Related News

• Microsoft Outlook Zero-Click Security Flaws Triggered by Sound File Exploitation
• Emerging Details on Zero-Click Outlook Remote Code Execution Exploits
• Russian APT28 Exploits Outlook Flaw to Target EU NATO Members
• Russian APT28 Hackers Exploit Outlook Flaw to Hijack Exchange Accounts
• Russian APT28 Hackers Breach Critical Networks in France

Latest News

• Microsoft Deactivates MSIX Protocol Handler Misused in Malware Attacks
• Undocumented Hardware Feature Exploited in iPhone Triangulation Attack
• Barracuda Patches ESG Zero-Day Exploited by Chinese Hackers
• Multiple Zero-Day Vulnerabilities Exploited in Windows CLFS Driver
• Nim-Based Malware Delivered via Phishing Campaign Using Decoy Microsoft Word Documents