The Computer Emergency Response Team of Ukraine (CERT-UA) has warned of a new phishing campaign orchestrated by the Russia-linked APT28 group to deploy previously undocumented malware such as OCEANMAP, MASEPIE, and STEELHOOK to harvest sensitive information.
The activity, which the agency detected between December 15 and 25, 2023, targets government entities with email messages urging recipients to click on a link to view a document.
Instead, the links redirect to malicious web resources that abuse JavaScript and the "search-ms:" URI protocol handler to drop a Windows shortcut file (LNK), which launches PowerShell commands to start an infection chain for a new malware known as MASEPIE.
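The abuse described above relies on the fact that a `search-ms:` URI can point Windows Search at a location the attacker controls (a UNC or WebDAV path) while the `displayname` parameter makes it look like an ordinary local folder. A defender can hunt for that pattern in proxy or mail-gateway logs by parsing the URI parameters and flagging any `crumb=location:` whose target is not a local path. The script below is an added example written for this article, not CERT-UA's or The Hacker News' code; the log lines are constructed, and the `<timestamp> <client> <url>` layout is an assumption about the log format.

```python
"""Flag search-ms: URIs that steer Windows Search at a remote location.

Added example for this article (not CERT-UA's or The Hacker News' code).
The log lines are constructed, and the "<timestamp> <client> <url>" layout
is an assumption about the proxy / mail-gateway log format.
"""
from urllib.parse import unquote

SCHEME = "search-ms:"

# Constructed sample log. Line 2 uses the WebDAV-style UNC form (\\host@80\share),
# line 3 points at a local folder, line 4 is the remote form percent-encoded.
SAMPLE_LOG = r"""
2023-12-18T09:14:02Z 10.0.0.21 https://intranet.example.test/docs/report.pdf
2023-12-18T09:14:05Z 10.0.0.21 search-ms:query=report&crumb=location:\\203.0.113.5@80\share&displayname=Documents
2023-12-18T09:15:11Z 10.0.0.34 search-ms:query=budget&crumb=location:C:\Users\Public&displayname=Local
2023-12-18T09:16:40Z 10.0.0.40 search-ms:displayname=Downloads&crumb=location%3A%5C%5Cfiles.example.test%5Cdav
""".strip()


def parse_search_ms(uri: str) -> dict:
    """Split a search-ms: URI into its parameters (crumb may repeat, so it is a list)."""
    params: dict = {"crumb": []}
    for pair in uri[len(SCHEME):].split("&"):
        key, _, value = pair.partition("=")
        key, value = key.lower(), unquote(value)
        if key == "crumb":
            params["crumb"].append(value)
        else:
            params[key] = value
    return params


def is_remote_location(location: str) -> bool:
    """True when a location crumb names something other than a local path."""
    loc = location.strip()
    return loc.startswith(("\\\\", "//")) or loc.lower().startswith(("http://", "https://"))


def find_remote_search_ms(log_text: str) -> list[dict]:
    """Return one finding per log line whose search-ms: URI points at a remote location."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split(maxsplit=2)
        if len(parts) < 3 or not parts[2].lower().startswith(SCHEME):
            continue
        timestamp, client, uri = parts
        params = parse_search_ms(uri)
        for crumb in params["crumb"]:
            if not crumb.lower().startswith("location:"):
                continue
            location = crumb[len("location:"):]
            if is_remote_location(location):
                findings.append({
                    "timestamp": timestamp,
                    "client": client,
                    "location": location,
                    # displayname is what the victim sees in Explorer; a remote share
                    # presented under a familiar folder name is the lure.
                    "displayname": params.get("displayname", ""),
                })
    return findings


if __name__ == "__main__":
    for f in find_remote_search_ms(SAMPLE_LOG):
        print(f"{f['timestamp']} {f['client']} search-ms -> {f['location']} "
              f"shown as {f['displayname']!r}")
```

The check is deliberately narrow: a `search-ms:` URI aimed at a local folder is a legitimate Windows feature, so only remote `location:` crumbs are reported, and the `displayname` is carried into the finding so an analyst can see what the user was shown.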
MASEPIE is a Python-based tool for downloading and uploading files and executing commands, with communications to the command-and-control (C2) server taking place over an encrypted channel using the TCP protocol.
The attacks further pave the way for the deployment of additional malware, including a PowerShell script called STEELHOOK that is capable of harvesting web browser data and exporting it to an actor-controlled server in Base64-encoded form.
Also delivered is a C#-based backdoor dubbed OCEANMAP that is designed to execute commands using cmd.exe.
"The IMAP protocol is used as a control channel," CERT-UA said, adding that persistence is achieved by creating a URL file named "VMSearch.url" in the Windows Startup folder.
"Commands, in Base64-encoded form, are contained in the 'Drafts' of the corresponding email directories; each of the drafts contains the name of the computer, the name of the user and the version of the OS. The results of the commands are saved in the inbox directory."
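The persistence mechanism CERT-UA describes, a `.url` (Internet Shortcut) file in the Startup folder, is easy to audit because the format is a plain INI file: an `[InternetShortcut]` section with a `URL=` entry that Windows opens at every logon. The script below is an added example written for this article, not CERT-UA's or The Hacker News' code. Only the filename `VMSearch.url` comes from the report; the sample Startup folder is constructed in a temporary directory so the audit runs offline on any OS, and the rule that a Startup `.url` whose target is not `http(s)` deserves a look is an assumption of this example, not a CERT-UA finding.

```python
"""Audit Windows Startup folders for .url (Internet Shortcut) files used as persistence.

Added example for this article (not CERT-UA's or The Hacker News' code). Only the
filename VMSearch.url comes from CERT-UA's report; the sample Startup folder below is
constructed in a temp directory so the audit runs offline on any OS, and the rule that
a .url whose target is not http(s) is suspicious is an assumption, not a CERT-UA finding.
"""
import configparser
import os
import tempfile
from pathlib import Path
from typing import Optional
from urllib.parse import urlsplit

KNOWN_BAD_NAMES = {"vmsearch.url"}  # persistence artefact name reported by CERT-UA
STARTUP_SUBPATH = Path("Microsoft/Windows/Start Menu/Programs/Startup")


def startup_folders() -> list[Path]:
    """Per-user and all-users Startup folders, as far as the environment exposes them."""
    roots = [os.environ.get("APPDATA"), os.environ.get("ProgramData")]
    return [Path(r) / STARTUP_SUBPATH for r in roots if r]


def read_url_target(path: Path) -> Optional[str]:
    """Return the URL= value from a .url file's [InternetShortcut] section, or None."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        cp.read(path, encoding="utf-8-sig")  # .url files are often written with a BOM
    except configparser.Error:
        return None
    return cp.get("InternetShortcut", "URL", fallback=None)


def audit_folder(folder: Path) -> list[dict]:
    """Return findings for .url files in one Startup folder (empty if none look suspicious)."""
    findings = []
    for path in sorted(folder.iterdir()):
        if path.suffix.lower() != ".url":
            continue
        target = read_url_target(path)
        reasons = []
        if path.name.lower() in KNOWN_BAD_NAMES:
            reasons.append("filename matches the VMSearch.url artefact reported by CERT-UA")
        if target is None:
            reasons.append("no URL= entry in [InternetShortcut]")
        else:
            scheme = urlsplit(target).scheme.lower()
            if scheme not in ("http", "https"):
                # A Startup .url normally opens a web page; a file: URL, a drive letter
                # or a bare path means something local is launched at every logon.
                reasons.append(f"target scheme '{scheme}' is not http(s)")
        if reasons:
            findings.append({"file": path.name, "target": target, "reasons": reasons})
    return findings


def build_sample_startup() -> Path:
    """Write a constructed Startup folder: one benign shortcut and two that should be flagged."""
    folder = Path(tempfile.mkdtemp(prefix="startup-sample-"))
    samples = {
        "Corporate Portal.url": "https://intranet.example.test/",
        # Constructed target: the report does not give the real artefact's URL= value.
        "VMSearch.url": "file:///C:/ProgramData/example_payload.exe",
        "Helpdesk.url": r"C:\Tools\helper.exe",
    }
    for name, target in samples.items():
        (folder / name).write_text(f"[InternetShortcut]\nURL={target}\n", encoding="utf-8")
    return folder


if __name__ == "__main__":
    # Audit the real Startup folders when they exist, otherwise the constructed sample.
    folders = [f for f in startup_folders() if f.is_dir()] or [build_sample_startup()]
    for folder in folders:
        for finding in audit_folder(folder):
            print(f"{folder / finding['file']}: {finding['target']}")
            for reason in finding["reasons"]:
                print(f"    - {reason}")
```

Run on a Windows host it walks both the per-user and the all-users Startup folder; anywhere else it falls back to the constructed sample. Matching on the reported filename catches the artefact as described, while the scheme check also surfaces a renamed copy, since the point of the technique is a shortcut that launches a local program rather than opening a web page.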
The agency further pointed out that reconnaissance and lateral movement are carried out within an hour of the initial compromise using tools such as Impacket and SMBExec.
The disclosure comes weeks after IBM X-Force revealed APT28's use of lures related to the ongoing Israel-Hamas war to deliver a custom backdoor called HeadLace.
In recent weeks, the prolific Kremlin-backed hacking group has also been attributed with exploiting a now-patched critical security flaw in Microsoft's Outlook email client (CVE-2023-23397, CVSS score: 9.8) to gain unauthorized access to victims' accounts on Exchange servers.