
The Russia-linked threat actor known as APT28 has been associated with multiple ongoing phishing campaigns that use lure files mimicking government and non-governmental organizations (NGOs) in Europe, the South Caucasus, Central Asia, and North and South America.
“… documents related to industrial production,” IBM X-Force said in a report released last week.
The tech company is tracking the activity under the name ITG05, which is also known as Blue Athena, BlueDelta, Fancy Bear, Fighting Ursa, Forest Blizzard (formerly Strontium), FROZENLAKE, Iron Twilight, Pawn Storm, Sednit, Sofacy, TA422, and UAC-0028.

The disclosure comes more than three months after adversaries were caught using decoys related to the ongoing Israel-Hamas war to deliver a custom backdoor called HeadLace.
Since then, APT28 has also sent phishing messages to Ukrainian government entities and Polish organizations designed to deploy custom implants and information-stealing programs such as MASEPIE, OCEANMAP, and STEELHOOK.
Other campaigns involved exploiting a security vulnerability in Microsoft Outlook (CVE-2023-23397, CVSS score: 9.8) to exfiltrate NT LAN Manager (NTLM) v2 hash values, raising the possibility that the threat actor could exploit other vulnerabilities to steal NTLMv2 hashes for use in relay attacks.

The latest campaign, observed by IBM X-Force between late November 2023 and February 2024, leveraged the “search-ms:” URI protocol handler in Microsoft Windows to trick victims into downloading malware hosted on an attacker-controlled WebDAV server.
There is evidence that WebDAV servers, as well as MASEPIE C2 servers, may be hosted on infected Ubiquiti routers, the same botnet the U.S. government took down last month.
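As an added defender-side example (not code from the IBM report or this article), the following Python snippet pulls search-ms: links out of an email body or HTML lure and flags those whose crumb=location parameter points to a remote UNC/WebDAV host rather than a local path, which is the pattern the campaign above relies on. The sample content is constructed for the example; 203.0.113.10 and evil.example are placeholder values, not indicators from the report.

```python
import html
import re
from urllib.parse import unquote

# Constructed sample content (placeholder hosts, not real indicators): two
# links that point at remote WebDAV shares and one harmless local search.
# Note the lure trick in the first link: displayname=Downloads makes the
# remote share look like a local folder in the Explorer search window.
SAMPLE_CONTENT = r"""
<a href="search-ms:query=report&crumb=location:\\203.0.113.10@80\DavWWWRoot\docs&displayname=Downloads">Open</a>
<a href="search-ms:query=budget&crumb=location:C:\Users\Public\Documents">Local</a>
<a href="search-ms:displayname=Documents&crumb=location:%5C%5Cevil.example%5Cshare">x</a>
"""

SEARCH_MS_RE = re.compile(r'search-ms:[^"\'\s<>]+', re.IGNORECASE)
# Windows UNC form used for WebDAV: \\host[@port|@SSL]\share\path
UNC_RE = re.compile(r'^\\\\([^\\@]+)(?:@(\d+|SSL))?\\?(.*)$', re.IGNORECASE)

def parse_search_ms(uri):
    """Split a search-ms: URI into its &-separated key=value parameters."""
    params = {}
    for part in uri[len("search-ms:"):].split("&"):
        key, _, value = part.partition("=")
        params[key.lower()] = unquote(value)
    return params

def classify(uri):
    """Describe one search-ms: URI and whether its location is off-host."""
    params = parse_search_ms(uri)
    location = params.get("crumb", "")
    if location.lower().startswith("location:"):
        location = location[len("location:"):]
    m = UNC_RE.match(location)
    return {
        "uri": uri,
        "displayname": params.get("displayname", ""),
        "location": location,
        "remote_host": m.group(1) if m else None,
        "webdav_port": m.group(2) if m else None,
        "suspicious": m is not None,
    }

def find_suspicious(text):
    """Return the search-ms: links in text that point to a remote host."""
    text = html.unescape(text)  # handle &amp; inside href attributes
    return [c for c in map(classify, SEARCH_MS_RE.findall(text)) if c["suspicious"]]
```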

The phishing attacks impersonate entities from multiple countries, including Argentina, Ukraine, Georgia, Belarus, Kazakhstan, Poland, Armenia, Azerbaijan, and the United States, using authentic public government and non-government documents as bait to trigger the infection chain.
“In an update to its approach, ITG05 is leveraging free hosting provider firstcloudit[.]com to deploy payloads for sustained operations,” said security researchers Joe Fasulo, Claire Zaboeva and Golo Mühr.
APT28’s carefully orchestrated scheme culminates in the execution of MASEPIE, OCEANMAP, and STEELHOOK, software designed to steal files, run arbitrary commands, and steal browser data. OCEANMAP is believed to be a more powerful version of CredoMap, another backdoor previously attributed to the group.
“ITG05 is able to adapt to changing opportunities by adopting new infection methods and leveraging commercially available infrastructure while continually evolving its malware capabilities,” the researchers concluded.