
    CERT-UA discovers new malware wave distribution OCEANMAP, MASEPIE, STEELHOOK


Report, December 29, 2023, Editorial Department, Email Security / Malware

The Computer Emergency Response Team of Ukraine (CERT-UA) is warning that the Russia-linked APT28 group orchestrated a new phishing campaign that deployed previously undocumented malware, including OCEANMAP, MASEPIE and STEELHOOK, to harvest sensitive information.

    The agency detected the campaign between December 15 and 25, 2023, which targeted government entities with emails urging recipients to click on links to view documents.


Instead, however, these links redirect to malicious web resources that abuse JavaScript and the “search-ms:” URI protocol handler to drop Windows shortcut (LNK) files, which in turn launch PowerShell commands that activate an infection chain for a new malware known as MASEPIE.
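A defender triaging a captured landing page wants to know whether any “search-ms:” link points Explorer at a remote share, since that is the step that fetches the LNK. The following is an added example (not code from CERT-UA or the article) that parses search-ms: URIs out of an HTML body and flags those whose location crumb is a UNC or WebDAV path; the sample HTML, hosts and paths are constructed placeholders, not indicators from the report.

```python
import html
import re
from urllib.parse import unquote

# Constructed sample of a phishing landing page body; the hosts and paths
# are placeholders, not indicators from the CERT-UA report.
SAMPLE_HTML = r"""<html><body>
<a href="https://docs.example.test/report.pdf">Open document</a>
<a href="search-ms:query=report&amp;crumb=location:\\203.0.113.5@80\share&amp;displayname=Downloads">View</a>
<a href="search-ms:displayname=Search&amp;crumb=location:%5C%5Cfiles.example.test%5Cdocs">Files</a>
<a href="search-ms:query=invoice&amp;crumb=location:C:\Users\Public">Local</a>
</body></html>"""

# A search-ms: URI runs until the closing quote or whitespace of the attribute.
SEARCH_MS_RE = re.compile(r"search-ms:[^\"'\s<>]+", re.IGNORECASE)


def parse_search_ms(uri):
    """Split a search-ms: URI into its key=value parameters (crumb may repeat)."""
    params = {}
    for part in uri[len("search-ms:"):].split("&"):
        key, _, value = part.partition("=")
        params.setdefault(key.lower(), []).append(unquote(value))
    return params


def classify(uri):
    """Flag a search-ms: URI whose location crumb points at a remote share."""
    params = parse_search_ms(uri)
    locations = [c[len("location:"):] for c in params.get("crumb", [])
                 if c.lower().startswith("location:")]
    location = locations[0] if locations else ""
    # A UNC path (\\host\share) or the WebDAV form (\\host@80\share) means
    # Explorer will contact a remote server and list its files in a search window.
    remote = location.startswith("\\\\") or location.startswith("//")
    return {"uri": uri, "location": location, "remote": remote}


def find_search_ms(text):
    """Return every search-ms: URI in an HTML body, with a remote/local verdict."""
    return [classify(m.group(0)) for m in SEARCH_MS_RE.finditer(html.unescape(text))]


if __name__ == "__main__":
    for hit in find_search_ms(SAMPLE_HTML):
        verdict = "REMOTE - review" if hit["remote"] else "local"
        print(f"{verdict:15} {hit['location']!r}")
```

Run the script against a saved copy of a suspicious page; any hit marked REMOTE is worth pulling the referenced share into the investigation.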

    MASEPIE is a Python-based tool for downloading/uploading files and executing commands, and uses the TCP protocol to communicate with command and control (C2) servers over encrypted channels.

    These attacks further paved the way for the deployment of additional malware, including a PowerShell script called STEELHOOK, which collects web browser data and exports it in Base64-encoded format to an attacker-controlled server.

A C#-based backdoor called OCEANMAP is also delivered, designed to execute commands using cmd.exe.

CERT-UA states that “the IMAP protocol is used as the control channel” and that persistence is achieved by creating a URL file named “VMSearch.url” in the Windows startup folder.

    “Commands are included in ‘drafts’ in the corresponding email directory in Base64-encoded form; each draft contains the computer name, username, and operating system version. The results of the command are stored in the inbox directory.”


    The agency further noted that reconnaissance and lateral movement activity was conducted within an hour of the initial intrusion using tools such as Impacket and SMBExec.

    A few weeks ago, IBM X-Force disclosed that APT28 used decoys related to the ongoing Israel-Hamas war to facilitate the delivery of a custom backdoor called HeadLace.

In recent weeks, the Kremlin-backed hacking group is also believed to have exploited a now-patched critical security vulnerability (CVE-2023-23397, CVSS score: 9.8) in Microsoft's Outlook email service to gain unauthorized access to victims' accounts within Exchange servers.
