Zscaler ThreatLabz has recently uncovered a cyber attack campaign known as Steal-It, which targets compromised Windows systems in Australia, Poland and Belgium [1] [2] [3] [4] [5]. The campaign, attributed with moderate confidence to APT28 (Fancy Bear), uses a customized version of Nishang's Start-CaptureServer PowerShell script to steal NTLMv2 hashes from the compromised systems [3] [4].

Description

The Steal-It campaign begins with phishing emails carrying ZIP archives, which serve as the initial point of infiltration [4]. The campaign uses geofencing to restrict delivery to victims in the intended regions [2] and runs a separate infection chain per region. In Australia, the chain focuses on stealing system information from users [1] [2] [3] [4]. In Poland, users are lured with explicit images of OnlyFans models and prompted to download a CMD file that exfiltrates data [4]. In Belgium, users are targeted with fake Windows update scripts [4].

The campaign runs ordinary system commands to collect and exfiltrate the hashes. The attackers also abuse Mockbin, a tool for generating API endpoints, as the destination for data stolen by their customized PowerShell scripts, including NTLM hashes [1].

The initial phase of the campaign deploys LNK files concealed within ZIP archives and establishes persistence by placing files in the user's StartUp folder [1]. Notably, the attacks leverage Nishang, a framework of PowerShell scripts and payloads for offensive security and penetration testing [2] [3] [4] [5].
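The infection chain described above (an LNK launched from an extracted ZIP, a file dropped into the StartUp folder, a PowerShell script run from a temp path, and a PowerShell network connection to a Mockbin endpoint) can be expressed as a small behavioural detection. The following Python script is an added example, not code from the article or from Zscaler ThreatLabz: it parses constructed key=value telemetry lines, applies one rule per stage, and flags a user only when at least two distinct stages are observed. The log format, field names, the `mockbin` hostname match and the temp-path heuristic for the PowerShell script are all assumptions made for this example.

```python
import re
from collections import defaultdict

# Constructed sample telemetry (not real logs): user "alice" shows the full chain
# described in the article, user "bob" is benign. Values containing spaces are quoted.
SAMPLE_LINES = [
    'ts=2023-09-01T10:00:01Z event=process_create user=alice image=C:\\Windows\\explorer.exe cmdline=explorer.exe',
    'ts=2023-09-01T10:00:05Z event=process_create user=alice image=C:\\Windows\\System32\\cmd.exe '
    'cmdline="cmd.exe /c C:\\Users\\alice\\AppData\\Local\\Temp\\Temp1_invoice.zip\\invoice.lnk"',
    'ts=2023-09-01T10:00:06Z event=file_create user=alice '
    'path="C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\update.lnk"',
    'ts=2023-09-01T10:00:09Z event=process_create user=alice '
    'image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe '
    'cmdline="powershell.exe -File C:\\Users\\alice\\AppData\\Local\\Temp\\collect.ps1"',
    'ts=2023-09-01T10:00:12Z event=network_connect user=alice '
    'image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe dest=mockbin.example:443',
    'ts=2023-09-01T11:30:00Z event=process_create user=bob image=C:\\Windows\\System32\\notepad.exe cmdline=notepad.exe',
]

# key=value pairs; a value is either "quoted text" (may contain spaces) or a bare token.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    """Parse one telemetry line into a dict of field -> value."""
    return {key: (quoted or bare) for key, quoted, bare in KV_RE.findall(line)}


def _is_powershell(ev):
    return ev.get("image", "").lower().endswith("powershell.exe")


# One rule per stage of the chain the article describes. Each takes a parsed event.
RULES = {
    # Stage 1: an LNK file executed out of an extracted ZIP or a temp directory.
    "lnk_from_archive": lambda ev: ev.get("event") == "process_create"
        and re.search(r'\.lnk\b', ev.get("cmdline", ""), re.I) is not None
        and re.search(r'\.zip\\|\\temp\\', ev.get("cmdline", ""), re.I) is not None,
    # Stage 2: persistence through a file written into the user's StartUp folder.
    "startup_persistence": lambda ev: ev.get("event") == "file_create"
        and re.search(r'\\start menu\\programs\\startup\\', ev.get("path", ""), re.I) is not None,
    # Stage 3: PowerShell running a script from a temp path (heuristic; an assumption here).
    "powershell_script_from_temp": lambda ev: ev.get("event") == "process_create"
        and _is_powershell(ev)
        and re.search(r'\\temp\\[^ ]*\.ps1', ev.get("cmdline", ""), re.I) is not None,
    # Stage 4: PowerShell connecting to a Mockbin endpoint (hostname pattern is an assumption).
    "mockbin_exfil": lambda ev: ev.get("event") == "network_connect"
        and _is_powershell(ev)
        and "mockbin" in ev.get("dest", "").lower(),
}


def detect(lines, min_rules=2):
    """Return {user: sorted rule names} for users whose events hit at least min_rules distinct rules."""
    hits = defaultdict(set)
    for line in lines:
        ev = parse_line(line)
        for name, rule in RULES.items():
            if rule(ev):
                hits[ev.get("user", "?")].add(name)
    return {user: sorted(names) for user, names in hits.items() if len(names) >= min_rules}


if __name__ == "__main__":
    for user, names in detect(SAMPLE_LINES).items():
        print(f"{user}: {', '.join(names)}")
```

Requiring two distinct stages per user keeps a lone Startup-folder write or a lone temp-path script (both common in legitimate software installs) from paging anyone, while still catching the chain once any two of its stages appear together.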

Conclusion

The Steal-It campaign poses a significant threat to Windows systems in Australia, Poland and Belgium [1] [2] [3] [4] [5]. To mitigate the risk, organizations and individuals should treat phishing emails carrying ZIP archives with suspicion and exercise caution before downloading files or clicking on unexpected links. Keeping systems patched and deploying threat detection capable of spotting LNK execution, StartUp-folder persistence and unusual PowerShell network activity further reduces exposure to this kind of attack.

As cyber attackers continue to evolve their tactics, it is crucial for security professionals to stay informed about emerging threats and adapt their defenses accordingly. By remaining proactive and implementing effective security measures, we can better protect our systems and data from sophisticated cyber attacks like Steal-It.

References

[1] https://www.darkreading.com/application-security/steal-it-campaign-onlyfans-models-lures
[2] https://vulners.com/thn/THN:1AD82F034E02998FA62E2128CAB03546
[3] https://cybersec84.wordpress.com/2023/09/11/powershell-script-used-to-steal-ntlmv2-hashes-from-windows-systems/
[4] https://thehackernews.com/2023/09/cybercriminals-using-powershell-to.html
[5] https://gbhackers.com/hackers-steal-ntlmv2-hashes/