The Computer Emergency Response Team of Ukraine (CERT-UA) has warned of a new phishing campaign orchestrated by the Russia-linked APT28 group to deploy previously undocumented malware such as OCEANMAP, MASEPIE, and STEELHOOK to harvest sensitive information.
The activity, which was detected by the agency between December 15 and 25, 2023, targeted Ukrainian government entities and Polish organizations with email messages urging recipients to click on a link to view a document.
In reality, the links redirect to malicious web resources that abuse JavaScript and the "search-ms:" URI protocol handler to drop a Windows shortcut file (LNK) that launches PowerShell commands to activate an infection chain for a new malware known as MASEPIE.
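The search-ms: abuse described above can be caught at the mail gateway or in a sandboxed landing page before the LNK is ever rendered. The following scanner is an added example, not code from CERT-UA or from the article: it extracts search-ms: URIs from HTML and flags those whose crumb=location: parameter points at a remote share (UNC path, including the host@port WebDAV form) or an http(s) URL, which is what makes Explorer present an attacker-hosted LNK as a local search result. The sample HTML, host addresses and parameter values are constructed; the crumb and displayname parameter names are part of the documented search-ms: syntax.

```python
import re
from urllib.parse import unquote

# Constructed sample lure page (not a real campaign artifact). It contains a
# search-ms: URI in a JavaScript redirect, a percent-encoded one in an anchor,
# a search-ms: URI pointing at a local folder, and an ordinary https link.
SAMPLE_HTML = r"""
<html><body>
<script>
  window.location.href = 'search-ms:query=report&crumb=location:\\203.0.113.10@80\docs&displayname=Documents';
</script>
<a href="search-ms:query=invoice&crumb=location%3A%5C%5C203.0.113.10%4080%5Cinv&displayname=Invoices">Invoice</a>
<a href="search-ms:query=*.docx&crumb=location:C:\Users\Public">Local search</a>
<a href="https://example.com/report.pdf">Open report</a>
</body></html>
"""

# A search-ms: URI runs until whitespace, a quote or a tag delimiter.
SEARCH_MS_RE = re.compile(r'''search-ms:[^"'\s<>]+''', re.IGNORECASE)


def parse_search_ms(uri):
    """Split a search-ms: URI into parameters. The 'crumb' parameter may
    repeat, so it is collected as a list; values are percent-decoded."""
    body = uri.split(':', 1)[1]
    params = {'crumb': []}
    for part in body.split('&'):
        if '=' not in part:
            continue
        key, value = part.split('=', 1)
        key, value = key.lower(), unquote(value)
        if key == 'crumb':
            params['crumb'].append(value)
        else:
            params[key] = value
    return params


def remote_locations(params):
    """Return location crumbs that point off-host: UNC paths (two leading
    backslashes, including the host@port WebDAV form) or http(s) URLs."""
    targets = []
    for crumb in params['crumb']:
        if not crumb.lower().startswith('location:'):
            continue
        target = crumb[len('location:'):].strip()
        if target.startswith('\\\\') or target.lower().startswith(('http://', 'https://')):
            targets.append(target)
    return targets


def find_suspicious_search_ms(html):
    """Return one finding per search-ms: URI whose location crumb is remote."""
    findings = []
    for match in SEARCH_MS_RE.finditer(html):
        uri = match.group(0)
        params = parse_search_ms(uri)
        targets = remote_locations(params)
        if targets:
            findings.append({
                'uri': uri,
                'displayname': params.get('displayname', ''),
                'targets': targets,
            })
    return findings


if __name__ == '__main__':
    for finding in find_suspicious_search_ms(SAMPLE_HTML):
        print(f"remote search-ms target {finding['targets']} shown as {finding['displayname']!r}")
```

Run against the constructed page, the two remote-share URIs are reported (one of them only after percent-decoding) while the local-folder search and the https link are ignored; the displayname value is worth surfacing because it is the folder title the victim sees in the Explorer window.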
MASEPIE is a Python-based tool to download/upload files and execute commands, with communications with the command-and-control (C2) server taking place over an encrypted channel using the TCP protocol.
The attacks further pave the way for the deployment of additional malware, including a PowerShell script called STEELHOOK that's capable of harvesting web browser data and exporting it to an actor-controlled server in Base64-encoded format.
Also delivered is a C#-based backdoor dubbed OCEANMAP that's designed to execute commands using cmd.exe.
"The IMAP protocol is used as a control channel," CERT-UA said, adding persistence is achieved by creating a URL file named "VMSearch.url" in the Windows Startup folder.
"Commands, in Base64-encoded form, are contained in the 'Drafts' of the corresponding email directories; each of the drafts contains the name of the computer, the name of the user and the version of the OS. The results of the commands are saved in the inbox directory."
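The persistence mechanism CERT-UA describes is cheap to hunt for: an Internet Shortcut (.url) file is a small INI document, and one sitting in the Startup folder whose URL= line is not a web address makes the shell open a local file at every logon. The check below is an added example, not code from CERT-UA or the article. It parses each .url file in the per-user Startup folder and flags any whose target is a file:// URL, drive path or UNC path. The Startup path is the standard per-user one; the two sample file bodies, including the one named after the VMSearch.url artifact mentioned above, are constructed for the demonstration and are not recovered samples, and the scan function can be pointed at any directory.

```python
import configparser
import os
import tempfile
from pathlib import Path

# Constructed .url bodies for demonstration (not recovered malware artifacts).
BENIGN_URL_FILE = """[InternetShortcut]
URL=https://intranet.example.com/
"""
SUSPICIOUS_URL_FILE = """[InternetShortcut]
URL=file:///C:/Users/Public/Documents/update.exe
IconIndex=0
"""


def startup_folder():
    """Standard per-user Startup folder. Uses %APPDATA% on Windows and a
    corresponding path under the home directory elsewhere (assumption for the demo)."""
    appdata = os.environ.get('APPDATA', str(Path.home() / 'AppData' / 'Roaming'))
    return Path(appdata) / 'Microsoft' / 'Windows' / 'Start Menu' / 'Programs' / 'Startup'


def classify_url_file(text):
    """Classify a .url file body by what its URL= line points at.
    Returns (verdict, target) with verdict in {'web', 'local_launch', 'malformed'}."""
    # Only '=' is a key/value delimiter here; ':' appears inside every URL value.
    parser = configparser.ConfigParser(interpolation=None, delimiters=('=',))
    try:
        parser.read_string(text)
    except configparser.Error:
        return 'malformed', None
    if not parser.has_section('InternetShortcut'):
        return 'malformed', None
    target = parser.get('InternetShortcut', 'URL', fallback='').strip()
    if not target:
        return 'malformed', None
    if target.lower().startswith(('http://', 'https://')):
        return 'web', target
    # file://, drive letters, UNC paths: the shell opens local content at logon.
    return 'local_launch', target


def scan_startup(folder):
    """Return (filename, verdict, target) for every .url file in the folder."""
    results = []
    for path in sorted(Path(folder).glob('*.url')):
        body = path.read_text(encoding='utf-8', errors='replace')
        results.append((path.name, *classify_url_file(body)))
    return results


def demo_scan():
    """Write the two constructed samples into a temporary directory and scan it,
    so the check can be exercised on a non-Windows host."""
    with tempfile.TemporaryDirectory() as tmp:
        (Path(tmp) / 'Intranet.url').write_text(BENIGN_URL_FILE, encoding='utf-8')
        (Path(tmp) / 'VMSearch.url').write_text(SUSPICIOUS_URL_FILE, encoding='utf-8')
        return scan_startup(tmp)


if __name__ == '__main__':
    folder = startup_folder()
    results = scan_startup(folder) if folder.is_dir() else demo_scan()
    for name, verdict, target in results:
        print(f"{verdict:13} {name}: {target}")
```

On a real host the same check belongs in the all-users Startup folder under ProgramData as well, and any local_launch hit should be read together with the file it points at rather than judged by the shortcut's name, since the name is the attacker's choice.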
The agency further pointed out that reconnaissance and lateral movement activities are carried out within an hour of the initial compromise by taking advantage of tools like Impacket and SMBExec.
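Because the lateral movement happens within the hour, the useful detection is one that fires on the tooling itself. Impacket's smbexec.py executes each command by installing a short-lived service whose binary path is a cmd.exe one-liner that writes the command's output to a file called __output on an admin share by way of a %TEMP%\execute.bat batch file, and that path is recorded in the Service Control Manager's Event ID 7045 entry. The following triage logic is an added example, not from the advisory or the article. The sample events are constructed and modelled on that command shape rather than taken from the incident; the BTOBTO service name is the tool's default and is operator-configurable, so the check scores the command pattern instead of the name.

```python
import re

# Constructed Event ID 7045 (new service installed) records, modelled on the
# command line Impacket's smbexec.py installs. Not real logs from the incident.
SAMPLE_EVENTS = [
    {"EventID": 7045, "Computer": "WS01", "ServiceName": "BTOBTO",
     "ImagePath": r"%COMSPEC% /Q /c echo whoami ^> \\127.0.0.1\C$\__output 2^>^&1 > %TEMP%\execute.bat & %COMSPEC% /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat"},
    {"EventID": 7045, "Computer": "WS01", "ServiceName": "BackupAgent",
     "ImagePath": r"C:\Program Files\Backup\agent.exe"},
    {"EventID": 7045, "Computer": "WS02", "ServiceName": "tmpsvc9",
     "ImagePath": r"cmd.exe /Q /c echo dir ^> \\127.0.0.1\ADMIN$\__output 2^>^&1 > %TEMP%\execute.bat & cmd.exe /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat"},
    {"EventID": 4688, "Computer": "WS01", "ServiceName": "", "ImagePath": ""},
]

# Each indicator is (name, regex). A 7045 ImagePath that matches the shell
# one-liner plus at least two of the other markers is treated as smbexec-style.
INDICATORS = [
    ("shell_oneliner", re.compile(r"(%comspec%|cmd(\.exe)?)\s+/q\s+/c", re.I)),
    ("admin_share_output", re.compile(r"\\\\127\.0\.0\.1\\(c\$|admin\$)\\", re.I)),
    ("output_file", re.compile(r"__output", re.I)),
    ("batch_file", re.compile(r"%temp%\\execute\.bat", re.I)),
]


def smbexec_indicators(event):
    """Names of the indicators present in a service-installation event's ImagePath."""
    if event.get("EventID") != 7045:
        return []
    path = event.get("ImagePath", "")
    return [name for name, rx in INDICATORS if rx.search(path)]


def is_smbexec_service(event):
    hits = smbexec_indicators(event)
    return "shell_oneliner" in hits and len(hits) >= 3


def triage(events):
    """(Computer, ServiceName, indicators) for every event that looks like smbexec."""
    return [(e["Computer"], e["ServiceName"], smbexec_indicators(e))
            for e in events if is_smbexec_service(e)]


if __name__ == "__main__":
    for computer, service, hits in triage(SAMPLE_EVENTS):
        print(f"{computer}: service {service!r} matches {hits}")
```

The check keys on 127.0.0.1 because that is where smbexec's default share mode writes its output; the tool's server mode instead points the redirection at a share on the operator's host, so a production rule should relax that host match and rely on the remaining markers.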
The disclosure comes weeks after IBM X-Force revealed APT28's use of lures related to the ongoing Israel-Hamas war to facilitate the delivery of a custom backdoor called HeadLace.
In recent weeks, the prolific Kremlin-backed hacking group has also been attributed to the exploitation of a now-patched critical security flaw in Microsoft's Outlook email service (CVE-2023-23397, CVSS score: 9.8) to gain unauthorized access to victims' accounts within Exchange servers.