March 18, 2024 at 02:21AM
APT28, a Russia-linked threat actor, has been implicated in multiple ongoing phishing campaigns targeting entities in Europe, the South Caucasus, Central Asia, and North and South America. IBM X-Force is tracking the activity under the alias ITG05 and has observed the group using various tactics, including deploying unique backdoors and exploiting vulnerabilities in Microsoft Outlook. The group has also been observed abusing the “search-ms:” URI protocol handler in Microsoft Windows and hosting malware on actor-controlled WebDAV servers. The phishing attacks impersonate entities from countries such as Argentina, Ukraine, Georgia, Belarus, Kazakhstan, Poland, Armenia, Azerbaijan, and the U.S. The attackers are using a freely available hosting provider, firstcloudit[.]com, to stage payloads for ongoing operations. The infection chains culminate in the execution of exfiltration and data-stealing tools, including MASEPIE, OCEANMAP, and STEELHOOK, highlighting the threat actor’s adaptability and evolving malware capabilities.
In summary, the activity centers on the Russia-linked threat actor known as APT28 and its ongoing phishing campaigns. The group has been using various lure documents imitating government and non-governmental organizations in different regions around the world. It is tracked under the moniker ITG05 and has targeted entities in Europe, the South Caucasus, Central Asia, and North and South America.
The group has been using a variety of tactics, including deploying bespoke implants and information stealers such as MASEPIE, OCEANMAP, and STEELHOOK. They have also been exploiting security flaws in Microsoft Outlook to plunder NT LAN Manager v2 hashes and using the “search-ms:” URI protocol handler in Windows to trick victims into downloading malware hosted on actor-controlled WebDAV servers.
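The “search-ms:” lure described above works because the URI's `crumb=location:` parameter can point Windows Explorer at a remote share, so the obvious defensive check is to look for search-ms: URIs whose location is a UNC or WebDAV path rather than a local folder. The following detector is an added example written for this summary, not code from IBM X-Force or from the report; the sample lines it scans are constructed (the hosts `203.0.113.10` and `webdav.example.invalid` are placeholders, not indicators from the page), and the `@SSL` host suffix it strips is the standard Windows notation for WebDAV over HTTPS.

```python
import re
from urllib.parse import unquote

# Constructed sample inputs, as they might appear in an extracted email body or a
# URL-filtering log. Hosts are placeholders, not real indicators.
SAMPLE_LINES = [
    'href="search-ms:query=Report&crumb=location:%5C%5C203.0.113.10%40SSL%5CDavWWWRoot%5Cdocs&displayname=Documents"',
    'href="search-ms:query=invoice&crumb=location:\\\\webdav.example.invalid\\share"',
    'href="search-ms:query=budget&crumb=location:C:\\Users\\Public\\Documents"',  # local folder: benign
    'href="https://www.example.com/report.pdf"',                                  # no search-ms: at all
]

# Capture everything after "search-ms:" up to a quote, whitespace or angle bracket.
SEARCH_MS_RE = re.compile(r"search-ms:([^\"'\s<>]+)", re.IGNORECASE)


def parse_search_ms(uri_body):
    """Split the parameter string of a search-ms: URI into {key: [values]}.
    Keys are lower-cased and percent-encoding is decoded; 'crumb' may repeat."""
    params = {}
    for part in uri_body.split("&"):
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        params.setdefault(key.lower(), []).append(unquote(value))
    return params


def remote_location(params):
    """Return the remote host if any crumb points at a UNC or WebDAV location,
    otherwise None. Local drive paths (C:\\...) are not flagged."""
    for crumb in params.get("crumb", []):
        if not crumb.lower().startswith("location:"):
            continue
        loc = crumb[len("location:"):]
        if loc.startswith("\\\\") or loc.startswith("//"):
            # First path component after the leading separators is the host.
            host = re.split(r"[\\/]", loc.lstrip("\\/"), 1)[0]
            # Strip the Windows "host@SSL" / "host@port" WebDAV suffix.
            return host.split("@", 1)[0]
    return None


def scan(lines):
    """Return one finding per search-ms: URI that references a remote share."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        for match in SEARCH_MS_RE.finditer(line):
            params = parse_search_ms(match.group(1))
            host = remote_location(params)
            if host:
                findings.append({
                    "line": lineno,
                    "host": host,
                    "displayname": params.get("displayname", [None])[0],
                })
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LINES):
        print(f"line {finding['line']}: search-ms: points at remote host "
              f"{finding['host']} (shown to user as {finding['displayname']!r})")
```

Extracted hosts are the natural input for blocking outbound WebDAV (TCP 80/443 from workstations to unknown hosts, or the WebClient service itself where it is not needed) and for pivoting in proxy logs; the `displayname` value is worth keeping because it shows what the victim was shown instead of the real path.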
It’s worth noting that the threat actor may be leveraging compromised Ubiquiti routers and a botnet that was taken down by the U.S. government last month for hosting the WebDAV and MASEPIE C2 servers.
The phishing attacks have been impersonating entities from multiple countries and are using a mix of authentic publicly available government and non-government lure documents to activate the infection chains.
Overall, it’s clear that ITG05 is adaptable and continues to evolve its malware capabilities, as highlighted by the researchers. This is a concerning situation that requires vigilance and proactive measures to mitigate the threat posed by APT28.