Russian Military Hacker Group Target NATO Allies

Ukraine’s Computer Emergency Response Team (CERT) has issued a warning about a new phishing campaign orchestrated by Russia-linked hackers, specifically APT28, also known as Fancy Bear or Strontium.

APT28 is a state-sponsored threat actor associated with Russia, targeting various entities such as government bodies, businesses, universities, research institutes, and think tanks in Western countries and NATO organizations. Their tactics involve phishing campaigns and exploiting vulnerabilities in widely used software.

The recent attack on Ukraine occurred between December 15 and 25, 2023. The hackers employed phishing emails, urging recipients to click on a link under the pretext of accessing an important document.

Upon clicking, victims were redirected to malicious websites using JavaScript to deploy a Windows shortcut file (LNK). This file initiated PowerShell commands, triggering an infection chain for a new Python malware downloader called ‘MASEPIE.’

MASEPIE ensures persistence on the infected device by modifying the Windows Registry and adding a deceptively named LNK file (‘SystemUpdate.lnk’) to the Windows Startup folder. The primary function of this malware is to download additional malware and pilfer data.

According to CERT-UA, APT28 utilizes a set of PowerShell scripts called ‘STEELHOOK’ to extract data from Chrome-based web browsers, likely targeting sensitive information such as passwords, authentication cookies, and browsing history.

Another tool employed in the attack is ‘OCEANMAP,’ a C# backdoor mainly used for executing base64-encoded commands via cmd.exe. To maintain persistence on the system, OCEANMAP creates a .URL file named ‘VMSearch.url’ in the Windows Startup folder.

It uses the Internet Message Access Protocol (IMAP) as a covert control channel to discreetly receive commands stored as email drafts, including the command, username, and OS version. After executing commands, OCEANMAP stores results in the inbox directory, allowing APT28 to retrieve outcomes stealthily and adapt their attack if necessary.

The attack also involved additional tools like IMPACKET, a set of Python classes for network protocol interactions, and SMBEXEC, facilitating remote command execution. Ukraine’s CERT notes that these tools are swiftly deployed within an hour of the initial compromise, indicating a rapid and well-coordinated attack.

For information on training your employees against phishing attacks: