

January 2, 2024
Severity
High
Analysis Summary
Ukrainian security researchers warn of a new phishing campaign launched by the Russian APT28 threat group to distribute new malware, including MASEPIE, STEELHOOK, and OCEANMAP, for data theft. The malicious activity was detected between December 15 and 25, 2023, and targeted Ukrainian and Polish government organizations with emails urging recipients to click a link to view a document.
The links redirect the unsuspecting user to a malicious web page that uses JavaScript and the “search-ms:” URL protocol handler to deliver a Windows shortcut file (LNK). The LNK runs PowerShell commands that start an infection chain for a previously undocumented malware called MASEPIE. MASEPIE is a Python-based malware that can upload and download files and execute commands, and it communicates with its command-and-control (C2) server over an encrypted channel carried on TCP.
The attacks also deploy additional malware: a PowerShell script named STEELHOOK, which steals browser data and exfiltrates it in Base64-encoded form to an actor-controlled server, and a C#-based backdoor known as OCEANMAP, which launches commands through cmd.exe. The threat actors achieve persistence by creating a URL file called “VMSearch.url” in the Windows Startup folder.
The Base64-encoded commands are placed in the ‘Drafts’ folder of the email accounts, and each of them contains the computer name, username, and operating system version. The results of these commands are saved in the inbox directory. The researchers further note that lateral movement and reconnaissance activities are carried out within an hour of the initial infection, using tools such as Impacket and SMBExec.
This campaign comes a few weeks after security experts disclosed APT28 using lures related to the ongoing Palestine-Israel war to distribute a custom backdoor dubbed HeadLace. Recently, another sophisticated Kremlin-backed threat group has been linked to the exploitation of a now-patched critical Outlook vulnerability, tracked as CVE-2023-23397 with a CVSS score of 9.8, to gain unauthorized access to targeted users’ accounts on Microsoft Exchange servers.
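As an added illustration that is not part of this advisory or any vendor tooling, the script below turns the observed chain (search-ms: handler, LNK-launched PowerShell with an encoded command, VMSearch.url dropped into the Startup folder, traffic to the WebDAV host from the IoC list) into simple detection rules and runs them over constructed Sysmon-style events. The event field names (type, image, parent_image, cmdline, path, dst_ip), the sample command lines and the decoded payload are assumptions made for the example; only the indicator host 194.126.178.8 and the file name VMSearch.url come from the advisory.

```python
"""Added example, not from the Rewterz advisory or any vendor tool: a small
triage script that turns the tradecraft described above into detection rules
and runs them over constructed, simplified Sysmon-style events. The event
field names (type, image, parent_image, cmdline, path, dst_ip) are my own
assumptions about the telemetry shape."""
import base64
import re
from dataclasses import dataclass

# Indicator host taken from the advisory's IoC list (WebDAV server).
IOC_HOSTS = {"194.126.178.8"}

# Path fragment of the per-user Startup folder where VMSearch.url was dropped.
STARTUP_FRAGMENT = "\\microsoft\\windows\\start menu\\programs\\startup\\"

# Matches PowerShell's -e / -enc / -EncodedCommand switch and captures the blob.
ENCODED_FLAG = re.compile(
    r"(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


@dataclass
class Alert:
    rule: str
    detail: str


def decode_powershell_encoded(cmdline):
    """Return the decoded -EncodedCommand payload (Base64 of UTF-16LE), else None."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyse(event):
    """Apply the rules to one event dict; return the list of Alerts it raises."""
    alerts = []
    kind = event.get("type")
    if kind == "process_create":
        image = event.get("image", "").lower()
        parent = event.get("parent_image", "").lower()
        cmd = event.get("cmdline", "")
        # Rule 1: search-ms: protocol handler used to expose a remote share.
        if "search-ms:" in cmd.lower():
            alerts.append(Alert("search-ms-handler", cmd))
        # Rule 2: PowerShell spawned by Explorer (LNK double-click) with -enc.
        if image.endswith("powershell.exe") and parent.endswith("explorer.exe"):
            decoded = decode_powershell_encoded(cmd)
            if decoded is not None:
                alerts.append(Alert("lnk-encoded-powershell", decoded))
        # Rule 3: command line references a known indicator host.
        for host in IOC_HOSTS:
            if host in cmd:
                alerts.append(Alert("ioc-host", host))
    elif kind == "file_create":
        path = event.get("path", "")
        # Rule 4: .url file written to a Startup folder (persistence).
        if STARTUP_FRAGMENT in path.lower() and path.lower().endswith(".url"):
            alerts.append(Alert("startup-url-persistence", path))
    elif kind == "network_connect":
        # Rule 5: outbound connection to a known indicator host.
        if event.get("dst_ip") in IOC_HOSTS:
            alerts.append(Alert("ioc-host", event["dst_ip"]))
    return alerts


# Constructed payload standing in for the real (unknown) first-stage command.
SAMPLE_ENCODED = base64.b64encode(
    "Write-Host 'constructed sample'".encode("utf-16-le")).decode()

# Constructed sample events modelling the chain: browser -> search-ms: -> LNK ->
# PowerShell -> persistence file -> C2 traffic, plus two benign events.
SAMPLE_EVENTS = [
    {"type": "process_create", "image": "C:\\Windows\\explorer.exe",
     "parent_image": "C:\\Program Files\\Edge\\msedge.exe",
     "cmdline": "explorer.exe \"search-ms:query=StrategyUa&crumb=location:\\\\194.126.178.8\\webdav\""},
    {"type": "process_create",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "parent_image": "C:\\Windows\\explorer.exe",
     "cmdline": "powershell.exe -w hidden -ep bypass -enc " + SAMPLE_ENCODED},
    {"type": "file_create",
     "path": "C:\\Users\\victim\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\VMSearch.url"},
    {"type": "network_connect", "dst_ip": "194.126.178.8", "dst_port": 80},
    {"type": "process_create", "image": "C:\\Windows\\notepad.exe",
     "parent_image": "C:\\Windows\\explorer.exe", "cmdline": "notepad.exe notes.txt"},
    {"type": "file_create",
     "path": "C:\\Users\\victim\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\OneDrive.lnk"},
]


def run_sample(events=SAMPLE_EVENTS):
    """Run every rule over the sample events and return all alerts in order."""
    return [alert for event in events for alert in analyse(event)]


if __name__ == "__main__":
    for a in run_sample():
        print(f"[{a.rule}] {a.detail}")
```

Rule 2 deliberately decodes the Base64 blob rather than just flagging the switch, so an analyst sees the first-stage command in clear text; rules 3 and 5 cover the IoC host in both process and network telemetry, since the WebDAV share is touched by Explorer before any implant runs. The two benign events (Notepad, a .lnk in Startup) show that the rules key on the combination of artefacts rather than on Startup-folder writes or Explorer children in general.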
Impact
- Cyber Espionage
- Sensitive Information Theft
- Data Exfiltration
Indicators of Compromise
URL
- http://194.126.178.8/webdav/wody.pdf
- http://194.126.178.8/webdav/wody.zip
- http://194.126.178.8/webdav/StrategyUa.pdf
- http://194.126.178.8/webdav/231130N581.pdf
Remediation
- Block all threat indicators at your respective controls.
- Search for Indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Perform comprehensive security audits on the email server infrastructure to identify and address any potential weaknesses. This includes reviewing server configurations, access controls, and encryption protocols to ensure they meet industry best practices.
- Emails from unknown senders should always be treated with caution. Never trust or open links and attachments received from unknown sources/senders.
- Enable 2FA for user accounts on the email server to add an extra layer of security. This prevents unauthorized access even if usernames and passwords are compromised.
- Maintain cyber hygiene by updating your anti-virus software and implementing a patch management lifecycle.
- Implement network segmentation to isolate critical systems and sensitive data from the rest of the network. This limits the lateral movement of attackers in case of a breach and reduces the impact of potential future attacks.
- Implement a regular backup strategy for email servers and critical data. Ensure that backups are stored securely and regularly tested for data restoration.
- Apply the latest security patches and updates to the email server software and associated components to address any vulnerabilities that may have been exploited by APT28. Also, prioritize patching known exploited vulnerabilities and zero-days.