In December 2023 [1], the Computer Emergency Response Team of Ukraine (CERT-UA) identified a phishing campaign conducted by the Russia-linked APT28 group [5]. This campaign targeted Ukrainian government entities and Polish organizations [1] [4] [6] [7], using email messages to distribute previously undocumented malware strains [6].

Description

The phishing emails contained harmful links that led to the download of malware strains such as OCEANMAP, MASEPIE [1] [2] [3] [4] [5] [6] [7] [8], and STEELHOOK [1] [2] [3] [4] [5] [6] [7] [8]. Once downloaded [5], the malware initiated PowerShell commands and infected systems with the MASEPIE malware [3], a Python-based tool that communicates with a command-and-control server over an encrypted TCP channel [2] [3] [4] [6]. Additionally, the attacks deployed the STEELHOOK PowerShell script, which extracted web browser data in a Base64-encoded format [3]. Another malware delivered was the OCEANMAP C#-based backdoor [3] [6], which used the IMAP protocol as a control channel and achieved persistence by creating a URL file in the Windows Startup folder [2] [3] [4] [6] [7]. To maintain persistence [5], the malware set a key in the OS registry and stored a file in the startup directory [5].

The APT28 group utilized the MASEPIE malware to load and execute other tools for network reconnaissance and further movement within the network [5]. The attacks involved reconnaissance and lateral movement activities using tools like Impacket and SMBExec [2] [3] [4] [6] [7]. APT28 has recently used lures related to the Israel-Hamas war to deliver a custom backdoor called HeadLace [2] [4] [6] [7].

CERT-UA has published indicators of compromise (IoCs) for these attacks [5], including unauthorized access to victims’ accounts within Exchange servers [4] [5]. It is worth noting that the APT28 group has also been known to exploit a critical security flaw in the Outlook email service (CVE-2023-23397) to gain unauthorized access to victims’ accounts. The attacks posed a threat to the entire network, aiming to infect the entire information and communication system organization-wide [1].

Conclusion

These attacks have significant implications for the affected organizations and their information and communication systems. It is crucial for these entities to implement robust security measures to mitigate the risks posed by phishing campaigns and malware strains like OCEANMAP, MASEPIE [1] [2] [3] [4] [5] [6] [7] [8], and STEELHOOK [1] [2] [3] [4] [5] [6] [7] [8]. Additionally, organizations should remain vigilant against APT28’s evolving tactics and exploit techniques, such as the use of lures related to current events. By staying informed and proactive, organizations can better protect their networks and prevent unauthorized access to sensitive information.

References

[1] https://socprime.com/blog/apt28-adversary-activity-detection-new-phishing-attacks-targeting-ukrainian-and-polish-organizations/
[2] https://owasp.or.id/2023/12/29/cert-ua-uncovers-new-malware-wave-distributing-oceanmap-masepie-steelhook/
[3] https://vulnera.com/newswire/apt28-phishing-campaign-deploying-new-malware-uncovered-by-cert-ua/
[4] https://thehackernews.com/2023/12/cert-ua-uncovers-new-malware-wave.html
[5] https://securityaffairs.com/156623/apt/apt28-phishing-new-malware.html
[6] https://www.ihash.eu/2023/12/cert-ua-uncovers-new-malware-wave-distributing-oceanmap-masepie-steelhook/
[7] https://vulners.com/thn/THN:AC2FCD479CB06B6EDDCD0A3A71395714
[8] https://cyber.vumetric.com/security-news/2023/12/29/cert-ua-uncovers-new-malware-wave-distributing-oceanmap-masepie-steelhook/