The Computer Emergency Response Team of Ukraine (CERT-UA) has warned of a new phishing campaign orchestrated by the Russia-linked APT28 group to deploy previously undocumented malware such as OCEANMAP, MASEPIE, and STEELHOOK to harvest sensitive information.
The activity, which was detected by the agency between December 15 and 25, 2023, targets government entities with e-mail messages urging recipients to click on a link to view a document.
However, the links instead redirect to malicious web resources that abuse JavaScript and the “search-ms:” URI protocol handler to drop a Windows shortcut file (LNK) that launches PowerShell commands to activate an infection chain for a new malware known as MASEPIE.
MASEPIE is a Python-based tool to download/upload files and execute commands, with communications with the command-and-control (C2) server taking place over an encrypted channel using the TCP protocol.
The attacks further pave the way for the deployment of additional malware, including a PowerShell script called STEELHOOK that is capable of harvesting web browser data and exporting it to an actor-controlled server in Base64-encoded format.
Also delivered is a C#-based backdoor dubbed OCEANMAP that is designed to execute commands using cmd.exe.
“The IMAP protocol is used as a control channel,” CERT-UA said, adding that persistence is achieved by creating a URL file named “VMSearch.url” in the Windows Startup folder.
“Commands, in Base64-encoded form, are contained in the ‘Drafts’ of the corresponding e-mail directories; each of the drafts contains the name of the computer, the name of the user and the version of the OS. The results of the commands are saved in the inbox directory.”
The agency further pointed out that reconnaissance and lateral movement activities are carried out within an hour of the initial compromise by taking advantage of tools like Impacket and SMBExec.
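The chain described above leaves several host-side traces a defender can hunt for: the “search-ms:” handler being invoked, PowerShell spawned from a shortcut opened in Explorer, the VMSearch.url file landing in the Startup folder, and IMAP traffic from a process that is not a mail client. The following hunting rules are an added example written for this article, not CERT-UA’s own detection content; the `Event` schema, the allow-list of mail clients and all sample paths are constructed assumptions.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

@dataclass
class Event:  # constructed, Sysmon-like record; the schema is an assumption for this example
    kind: str            # "process", "file" or "network"
    image: str = ""      # executable performing the action
    parent: str = ""     # parent process image (process events)
    cmdline: str = ""    # command line (process events)
    path: str = ""       # file written (file events)
    dest_port: int = 0   # remote TCP port (network events)

STARTUP_URL = re.compile(r"\\Start Menu\\Programs\\Startup\\VMSearch\.url$", re.I)
SEARCH_MS = re.compile(r"search-ms:", re.I)
POWERSHELL = re.compile(r"\\(powershell|pwsh)(\.exe)?$", re.I)
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}  # assumption: the sanctioned IMAP clients here

def classify(ev: Event) -> list[str]:
    """Names of the hunting rules this event triggers (empty list if none)."""
    hits = []
    if ev.kind == "process":
        if SEARCH_MS.search(ev.cmdline):
            hits.append("search-ms-uri-handler")      # lure page invoking the Windows Search protocol
        if POWERSHELL.search(ev.image) and ev.parent.lower().endswith("explorer.exe"):
            hits.append("powershell-from-shortcut")   # shortcut opened in Explorer spawning PowerShell
    elif ev.kind == "file" and STARTUP_URL.search(ev.path):
        hits.append("vmsearch-url-persistence")       # Startup-folder artifact named in the report
    elif ev.kind == "network" and ev.dest_port in (143, 993):
        if ev.image.rsplit("\\", 1)[-1].lower() not in MAIL_CLIENTS:
            hits.append("imap-from-non-mail-client")  # OCEANMAP-style IMAP control channel
    return hits

def hunt(events: list[Event]) -> dict[int, list[str]]:
    """Map event index -> triggered rules, keeping only events that matched something."""
    return {i: hits for i, ev in enumerate(events) if (hits := classify(ev))}

# Constructed sample telemetry; paths and file names are illustrative, not indicators from the report.
SAMPLE_EVENTS = [
    Event("process", image=r"C:\Windows\explorer.exe", parent=r"C:\Program Files\Browser\browser.exe",
          cmdline='explorer.exe "search-ms:query=Document"'),
    Event("process", image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          parent=r"C:\Windows\explorer.exe", cmdline="powershell.exe -w hidden -File stage.ps1"),
    Event("file", image=r"C:\Users\u\AppData\Local\Temp\svc.exe",
          path=r"C:\Users\u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VMSearch.url"),
    Event("network", image=r"C:\Users\u\AppData\Local\Temp\svc.exe", dest_port=993),
    Event("network", image=r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE", dest_port=993),
    Event("process", image=r"C:\Windows\System32\cmd.exe", parent=r"C:\Windows\explorer.exe", cmdline="cmd.exe"),
]
```

Running `hunt(SAMPLE_EVENTS)` flags the first four constructed events and leaves the legitimate Outlook connection and the plain cmd.exe launch alone; the PowerShell-from-Explorer rule is noisy on its own and is meant to be correlated with the other three.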
The disclosure comes weeks after IBM X-Force revealed APT28’s use of lures related to the ongoing Israel-Hamas war to facilitate the delivery of a custom backdoor called HeadLace.
In recent weeks, the prolific Kremlin-backed hacking group has also been attributed to the exploitation of a now-patched critical security flaw in Microsoft’s Outlook e-mail service (CVE-2023-23397, CVSS score: 9.8) to gain unauthorized access to victims’ accounts within Exchange servers.