The Computer Emergency Response Team (CERT) of Ukraine has issued a warning regarding a recent phishing campaign. The threat actor behind this attack is the Russian military hacker group APT28, also known as Fancy Bear or Strontium.
The APT28 hacking collective is a state-sponsored hacking group from Russia that specializes in targeting government entities, businesses, universities, research institutes, and think tanks in Western countries and NATO organizations.
They are known to utilize phishing campaigns and exploit vulnerabilities in commonly used software, including zero-day vulnerabilities.
Modus Operandi of APT28’s MASEPIE Malware Campaign
From December 15 to 25, 2023, Ukraine experienced a targeted phishing campaign. The attackers sent phishing emails to individuals, urging them to click on a link under the pretense of accessing an important document.
However, these links redirected victims to malicious websites that used JavaScript. The script dropped a Windows shortcut file (LNK), which in turn launched PowerShell commands. Those commands triggered the infection chain for a newly discovered Python malware downloader known as ‘MASEPIE.’
MASEPIE Malware Modifies Windows Registry and Downloads Additional Malware
To establish persistence on the infected device, MASEPIE modifies the Windows Registry and adds a LNK file with a deceptive name (‘SystemUpdate.lnk’) to the Windows Startup folder.
According to the CERT-UA#8399 alert, the malware’s primary role is to download additional malware onto the infected device and to steal data.
The Ukrainian CERT-UA also notes that APT28 used a collection of PowerShell scripts called ‘STEELHOOK’ to steal data from Chromium-based web browsers. This activity is likely aimed at extracting sensitive information, including passwords, authentication cookies, and browsing history.
The OCEANMAP Backdoor Maintains Stealth and Evades Detection Using IMAP
The CERT-UA security alert also mentions that the attackers employ a C# backdoor tool known as ‘OCEANMAP.’ The backdoor is primarily used to execute base64-encoded commands through cmd.exe.
To maintain persistence on the compromised system, the OCEANMAP backdoor creates a .URL file named ‘VMSearch.url’ in the Windows Startup folder.
To maintain stealth and avoid detection, OCEANMAP uses the Internet Message Access Protocol (IMAP) as a covert control channel. Commands are delivered as email drafts; each draft contains the command itself along with the victim’s username and operating system version.
After executing these commands, the OCEANMAP backdoor stores the results in the inbox directory. This allows APT28 to retrieve the outcomes covertly and make any necessary adjustments to its attack strategy.
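As an added defender-side example (not from the CERT-UA alert or this article), the following Python checks Windows Startup folder entries for the two persistence artefacts named above, the ‘SystemUpdate.lnk’ shortcut and the ‘VMSearch.url’ Internet Shortcut, and parses .url files to flag any that open a local file instead of a web page. The Startup folder paths and the sample .url content are assumptions, since the advisory does not give the shortcut’s real target.

```python
import configparser
import os
from pathlib import Path
from typing import Optional

# File names reported in the CERT-UA#8399 alert; other entries are judged on content.
KNOWN_BAD_NAMES = {"systemupdate.lnk", "vmsearch.url"}

# Per-user and all-users Startup folders (assumed standard Windows layout).
STARTUP_DIRS = [Path(os.environ.get(v, "")) / "Microsoft/Windows/Start Menu/Programs/Startup"
                for v in ("APPDATA", "ProgramData")]

# Constructed sample: the advisory does not give the real target of VMSearch.url.
SAMPLE_VMSEARCH_URL = "[InternetShortcut]\nURL=file:///C:/Users/Public/VMSearch.exe\n"

def url_file_target(text: str) -> Optional[str]:
    """Return the URL= value of an Internet Shortcut (.url) file, or None if unparseable."""
    cp = configparser.ConfigParser(interpolation=None)
    try:
        cp.read_string(text)
    except configparser.Error:
        return None
    return cp.get("InternetShortcut", "URL", fallback=None)

def classify(name: str, content: Optional[str]) -> list:
    """Reasons a Startup entry looks like persistence; an empty list means nothing found."""
    reasons = []
    low = name.lower()
    if low in KNOWN_BAD_NAMES:
        reasons.append("name matches CERT-UA#8399 indicator")
    if low.endswith(".url") and content is not None:
        target = url_file_target(content)
        if target is None:
            reasons.append(".url file is not a parseable Internet Shortcut")
        elif not target.strip().lower().startswith(("http://", "https://")):
            # Heuristic: a Startup .url that opens a local file rather than a web page.
            reasons.append(f".url target is not a web URL: {target.strip()}")
    return reasons

def scan_startup(dirs=STARTUP_DIRS) -> dict:
    """Map each suspicious Startup entry path to the reasons it was flagged."""
    findings = {}
    for p in (p for d in dirs if d.is_dir() for p in d.iterdir()):
        content = p.read_text(errors="replace") if p.suffix.lower() == ".url" else None
        reasons = classify(p.name, content)
        if reasons:
            findings[str(p)] = reasons
    return findings
```

Run `scan_startup()` on a Windows host to list flagged entries; a legitimate .url in Startup normally points at an http(s) address, so a local-file target is worth a manual look even when the name is unfamiliar.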
IMPACKET and SMBEXEC Used for Reconnaissance and Lateral Movement
For network reconnaissance and lateral movement, the attackers employ additional tools such as IMPACKET, a collection of Python classes for working with network protocols, and SMBEXEC, which enables remote command execution.
The swift deployment of these tools on compromised systems within an hour of the initial compromise indicates a highly coordinated and rapid attack, as highlighted by Ukraine’s CERT.