Russian Military Deploys MASEPIE Malware Against Ukraine


By Charles Joseph | Cybersecurity Researcher
Published on December 30th, 2023

Ukraine's Computer Emergency Response Team (CERT-UA) has issued a warning about a new cyber-attack attributed to Russian state-sponsored hackers. The group behind it is APT28, also known as Fancy Bear or Strontium.

This highly sophisticated threat actor is notorious for launching cyber operations against government entities, businesses, universities, research institutes, and think tanks, mainly in Western countries and NATO organizations.


From December 15-25, 2023, APT28 launched a phishing campaign against targets in Ukraine.

The emails appeared to carry an important document but actually contained a link. Following it took the victim to a web resource whose JavaScript dropped a Windows shortcut (.lnk) file; the chain described in the report relies on the recipient clicking the link and opening the shortcut, not on a software vulnerability.

Opening the shortcut starts the infection chain, which downloads and launches 'MASEPIE', a new Python-based downloader. Once on the device, MASEPIE establishes persistence by modifying the Windows Registry and adding a shortcut named 'SystemUpdate.lnk' to the Windows Startup folder.

MASEPIE's core functions are uploading and downloading files and executing commands on the infected host, which is how the rest of the toolkit is delivered. One of those follow-on tools is STEELHOOK, a set of PowerShell scripts that extract saved passwords, authentication cookies and browsing history from Chromium-based browsers (Chrome and Edge) on the compromised system.

'OCEANMAP', a C# backdoor also used in the attack, executes commands that arrive base64-encoded: it decodes them and runs them through cmd.exe. It persists by placing an Internet shortcut named 'VMSearch.url' in the Windows Startup folder.
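Both persistence mechanisms above (MASEPIE's 'SystemUpdate.lnk' and OCEANMAP's 'VMSearch.url') land in the Startup folder, which makes that folder a cheap place to hunt. The script below is an added example, not code from CERT-UA or the article's author: it flags the two reported file names and, as an assumed heuristic, any .url entry whose target is a local file outside the usual program directories. The sample Startup folder, its file names and the trusted-directory list are constructed assumptions; on a live Windows host you would pass the folders returned by startup_folders() instead.

```python
"""Hunt Windows Startup folders for the persistence artifacts described above.

Added example, not code from CERT-UA or the article's author. The sample
folder is constructed in a temporary directory so the scan runs offline on
any OS.
"""
import configparser
import os
import re
import tempfile
from pathlib import Path
from typing import Dict, List, Optional
from urllib.parse import unquote, urlparse

# File names reported for MASEPIE and OCEANMAP persistence (case-insensitive).
KNOWN_BAD_NAMES = {"systemupdate.lnk", "vmsearch.url"}

# Directories a legitimate startup entry normally runs from (assumption).
TRUSTED_PREFIXES = (r"c:\program files", r"c:\windows")

DRIVE_PATH = re.compile(r"^[a-z]:\\", re.IGNORECASE)


def startup_folders() -> List[Path]:
    """Per-user and all-users Startup folders that exist on this host."""
    candidates = []
    if "APPDATA" in os.environ:
        candidates.append(Path(os.environ["APPDATA"]) / "Microsoft/Windows/Start Menu/Programs/Startup")
    if "ProgramData" in os.environ:
        candidates.append(Path(os.environ["ProgramData"]) / "Microsoft/Windows/Start Menu/Programs/StartUp")
    return [p for p in candidates if p.is_dir()]


def url_target(path: Path) -> Optional[str]:
    """Target of an Internet Shortcut (.url) file, as a Windows path or a URL."""
    cp = configparser.ConfigParser(interpolation=None)
    try:
        cp.read(path, encoding="utf-8-sig")
        url = cp.get("InternetShortcut", "URL").strip()
    except (configparser.Error, UnicodeDecodeError):
        return None
    if url.lower().startswith("file:"):
        # file:///C:/Users/... -> C:\Users\...
        return unquote(urlparse(url).path.lstrip("/")).replace("/", "\\")
    return url


def is_local_path(target: str) -> bool:
    return bool(DRIVE_PATH.match(target))


def classify(entry: Path) -> Optional[str]:
    """Reason an entry deserves a look, or None if it seems benign."""
    name = entry.name.lower()
    if name in KNOWN_BAD_NAMES:
        return "file name matches a reported MASEPIE/OCEANMAP artifact"
    if name.endswith(".url"):
        target = url_target(entry)
        if target is None:
            return "unparseable .url file"
        if is_local_path(target) and not target.lower().startswith(TRUSTED_PREFIXES):
            return f"launches local file outside trusted directories: {target}"
    # .lnk is a binary Shell Link format; parsing it is out of scope here,
    # so unknown .lnk names are left for the analyst to open.
    return None


def scan_startup(folder: Path) -> List[Dict[str, str]]:
    """Return one finding per suspicious entry in a Startup folder."""
    findings = []
    for entry in sorted(folder.iterdir()):
        reason = classify(entry)
        if reason:
            findings.append({"path": str(entry), "name": entry.name, "reason": reason})
    return findings


def build_sample_startup(root: Path) -> Path:
    """Constructed sample Startup folder (not real captured files)."""
    folder = root / "Startup"
    folder.mkdir()
    ini = "[InternetShortcut]\nURL={}\n"
    (folder / "VMSearch.url").write_text(ini.format("file:///C:/Users/alice/AppData/Local/VMSearch/VMSearch.exe"))
    (folder / "Updater.url").write_text(ini.format("file:///C:/Users/alice/AppData/Roaming/upd.exe"))
    (folder / "Teams.url").write_text(ini.format("file:///C:/Program%20Files/Teams/Teams.exe"))
    (folder / "Docs.url").write_text(ini.format("https://intranet.example/docs"))
    (folder / "SystemUpdate.lnk").write_bytes(b"L\x00\x00\x00")  # placeholder bytes, not a real shortcut
    (folder / "desktop.ini").write_text("[.ShellClassInfo]\n")
    return folder


def demo() -> List[Dict[str, str]]:
    """Run the scan over the constructed sample and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_startup(build_sample_startup(Path(tmp)))


if __name__ == "__main__":
    for hit in demo():
        print(f"{hit['name']}: {hit['reason']}")
```

The name match is the high-confidence signal but also the easiest for the attacker to change; the heuristic on .url targets is what catches a renamed OCEANMAP dropper, at the cost of some review work for legitimate user-installed software under AppData.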

OCEANMAP uses the Internet Message Access Protocol (IMAP) as a covert command channel. The operators leave tasking as email drafts in a mailbox they control; each draft holds the command together with the victim's username and OS version, so the backdoor can pick out the tasking meant for it.

After executing a command, the backdoor saves the result in the mailbox's inbox directory, where the operators collect it. Because the traffic is ordinary IMAP to a mail server, it is easy to miss in network telemetry.
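A defender who can pull messages from a suspect mailbox can look for the shape of this tasking directly. The script below is an added example, not code from CERT-UA or the article's author: it parses raw RFC 822 drafts and flags any whose entire body is a single base64 token that decodes to printable text resembling a cmd.exe command line. The sample drafts, the subject format and the command-marker list are constructed assumptions, not captured OCEANMAP traffic.

```python
"""Scan draft messages for the base64 command-tasking pattern described above.

Added example, not code from CERT-UA or the article's author. The drafts and
the heuristics are constructed assumptions.
"""
import base64
import email
from email.message import Message
from typing import Dict, List, Optional

# Substrings that commonly appear in Windows command tasking (assumption).
CMD_MARKERS = ("cmd", "whoami", "powershell", "ipconfig", "tasklist",
               "systeminfo", "net ", "dir ", "&&", "|")


def body_text(msg: Message) -> str:
    """Concatenate the text/plain parts of a message, decoded to str."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True)
            if payload:
                chunks.append(payload.decode("utf-8", errors="replace"))
    return "".join(chunks)


def decode_if_base64(token: str) -> Optional[str]:
    """Decode a strict base64 token to text; None if it is not base64 text."""
    try:
        raw = base64.b64decode(token, validate=True)
        text = raw.decode("utf-8")
    except ValueError:  # binascii.Error and UnicodeDecodeError both subclass it
        return None
    if not text or not all(c.isprintable() or c in "\r\n\t" for c in text):
        return None
    return text


def looks_like_command(text: str) -> bool:
    low = text.lower()
    return any(marker in low for marker in CMD_MARKERS)


def flag_draft(raw_message: str) -> Optional[Dict[str, str]]:
    """Return a finding if the draft looks like backdoor tasking."""
    msg = email.message_from_string(raw_message)
    tokens = body_text(msg).split()
    # Tasking drafts carry a single blob; human prose has many words.
    if len(tokens) != 1:
        return None
    decoded = decode_if_base64(tokens[0])
    if decoded is None or not looks_like_command(decoded):
        return None
    return {"subject": msg.get("Subject", ""), "command": decoded}


def scan_drafts(raw_messages: List[str]) -> List[Dict[str, str]]:
    return [hit for hit in (flag_draft(m) for m in raw_messages) if hit]


def sample_drafts() -> List[str]:
    """Constructed drafts: one tasking message and three benign ones."""
    tasking = base64.b64encode(b"whoami /all && ipconfig /all").decode()
    header = "From: ops@mail.example\r\nTo: ops@mail.example\r\nSubject: {}\r\n\r\n"
    return [
        header.format("alice@WS-01 Windows 10") + tasking + "\r\n",
        header.format("Agenda") + "Hi team, please review the agenda before Friday.\r\n",
        header.format("logo") + base64.b64encode(b"\x89PNG\r\n\x1a\n").decode() + "\r\n",
        header.format("note") + "Reminder!!!\r\n",
    ]


def demo() -> List[Dict[str, str]]:
    return scan_drafts(sample_drafts())


if __name__ == "__main__":
    for hit in demo():
        print(f"[{hit['subject']}] {hit['command']}")
```

The single-token rule is deliberately strict: a base64 attachment or an image blob decodes to non-text and is dropped, while a draft written by a person has many tokens. The same parser can be pointed at the inbox folder to recover command output that the backdoor wrote back.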

For network reconnaissance and lateral movement the attackers used IMPACKET, a collection of Python classes for working with network protocols, and SMBEXEC, one of Impacket's example scripts, which executes commands on remote Windows hosts over the SMB (Server Message Block) protocol.
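Lateral movement with smbexec leaves a distinctive trace on the target: the script runs each command by installing a short-lived Windows service whose "binary" is a cmd.exe one-liner that echoes the command into a batch file under %TEMP%, runs it, and redirects output to a file on a share. The script below is an added example, not code from CERT-UA, Impacket or the article's author: it scores records shaped like Windows System log event 7045 (a service was installed) against that pattern. The default service name BTOBTO and file names execute.bat and __output come from smbexec.py's defaults, which an operator can change, so the one-liner shape is treated as the durable signal; the event records themselves are constructed, not captured.

```python
"""Flag service installs that look like smbexec-style remote command execution.

Added example, not code from CERT-UA, Impacket or the article's author. The
records are constructed, shaped like event 7045 fields, not captured data.
"""
import re
from typing import Dict, List

# Defaults from smbexec.py; weak on their own because they are configurable.
KNOWN_SERVICE_NAMES = {"btobto"}
KNOWN_FILE_MARKERS = ("execute.bat", "__output")

# A "service binary" that is really cmd.exe echoing a command and redirecting.
SHELL_ONELINER = re.compile(
    r"(?:%comspec%|\bcmd(?:\.exe)?)\s+/q\s+/c\s+echo\b.*\^?>", re.IGNORECASE)


def score_event(event: Dict[str, str]) -> List[str]:
    """Reasons this 7045-style record looks like smbexec activity."""
    reasons = []
    name = event.get("service_name", "").lower()
    path = event.get("image_path", "")
    if name in KNOWN_SERVICE_NAMES:
        reasons.append("service name is the smbexec default")
    if SHELL_ONELINER.search(path):
        reasons.append("service binary is a cmd.exe echo/redirect one-liner")
    if any(marker in path.lower() for marker in KNOWN_FILE_MARKERS):
        reasons.append("batch/output file names match smbexec defaults")
    return reasons


def scan_events(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    hits = []
    for event in events:
        reasons = score_event(event)
        if reasons:
            hits.append({"service_name": event["service_name"], "reasons": reasons})
    return hits


# Constructed records: one default smbexec run, one renamed run, two benign installs.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"service_name": "BTOBTO", "account": "LocalSystem",
     "image_path": r"%COMSPEC% /Q /c echo whoami ^> \\127.0.0.1\C$\__output 2^>^&1 > %TEMP%\execute.bat & %COMSPEC% /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat"},
    {"service_name": "WinUpdSvc", "account": "LocalSystem",
     "image_path": r"cmd.exe /Q /c echo net user ^> \\127.0.0.1\ADMIN$\__out 2^>^&1 > %TEMP%\run.bat & cmd.exe /Q /c %TEMP%\run.bat"},
    {"service_name": "Sense", "account": "LocalSystem",
     "image_path": r'"C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe"'},
    {"service_name": "GoogleUpdaterService", "account": "LocalSystem",
     "image_path": r'"C:\Program Files (x86)\Google\GoogleUpdater\updater.exe" --system --windows-service'},
]


def demo() -> List[Dict[str, object]]:
    return scan_events(SAMPLE_EVENTS)


if __name__ == "__main__":
    for hit in demo():
        print(hit["service_name"], "->", "; ".join(hit["reasons"]))
```

The renamed run still trips the one-liner rule, which is the point: legitimate services are registered with an executable path, not a shell command with redirection, so that rule holds up even after the operator changes every default string.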

The campaign against Ukrainian targets combined social engineering (a document lure the victim had to click through) with a custom multi-stage toolset, a blend characteristic of APT28.

QUOTE:
"Amateurs hack systems, professionals hack people."
-- Bruce Schneier, a renowned computer security professional