Ukraine’s Computer Emergency Response Team (CERT) has issued a warning about a new phishing campaign that enabled Russian hackers to deploy previously unseen malware on a network in less than an hour. The campaign, carried out by APT28, also known as Fancy Bear or Strontium, targeted Ukraine between December 15 and 25, 2023, using phishing emails to trick recipients into clicking on a link that purported to be an important document.
The primary role of the MASEPIE malware is to download additional malware onto the infected device and steal data. APT28 also employs a set of PowerShell scripts named ‘STEELHOOK’ to steal data from Chrome-based web browsers, and uses a C# backdoor named ‘OCEANMAP’ to execute base64-encoded commands via cmd.exe.
OCEANMAP establishes persistence on the system and uses the Internet Message Access Protocol (IMAP) as its control channel: commands are placed in the mailbox as email drafts, the backdoor retrieves and executes them, and the results are written back to the inbox folder. Additionally, other tools such as IMPACKET and SMBEXEC are deployed for network reconnaissance and lateral movement.
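An IMAP control channel of the kind described above has one observable side effect on the host: a process that is not a mail client opens TCP sessions to port 143 or 993. The following detection sketch is an added example (not from the CERT-UA advisory or the article) that scans constructed Sysmon-style network-connection records for that pattern; the process names, hosts and addresses are made up, and the mail-client allowlist is an assumption to be replaced with the environment's own.

```python
"""Flag IMAP connections originating from processes that are not known mail clients."""
from collections import defaultdict

IMAP_PORTS = {143, 993}
# Assumption: the organisation's approved mail clients (placeholder allowlist).
KNOWN_MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}

# Constructed sample events in a Sysmon Event ID 3-like shape; not real telemetry.
SAMPLE_EVENTS = [
    {"host": "WS01", "image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "dst_ip": "203.0.113.10", "dst_port": 993},
    {"host": "WS01", "image": r"C:\Users\user\AppData\Local\Temp\updater.exe",
     "dst_ip": "198.51.100.7", "dst_port": 143},
    {"host": "WS02", "image": r"C:\Windows\System32\svchost.exe",
     "dst_ip": "192.0.2.20", "dst_port": 443},
    {"host": "WS02", "image": r"C:\Users\user\AppData\Local\Temp\updater.exe",
     "dst_ip": "198.51.100.7", "dst_port": 143},
]


def process_name(image: str) -> str:
    """Return the lower-cased executable name from a full image path."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_suspicious_imap(events, known=KNOWN_MAIL_CLIENTS):
    """Group IMAP connections by (host, process) for processes outside the allowlist."""
    hits = defaultdict(list)
    for ev in events:
        if ev["dst_port"] not in IMAP_PORTS:
            continue  # not an IMAP session; irrelevant to this channel
        name = process_name(ev["image"])
        if name in known:
            continue  # expected mail-client traffic
        hits[(ev["host"], name)].append((ev["dst_ip"], ev["dst_port"]))
    return dict(hits)


if __name__ == "__main__":
    for (host, proc), conns in find_suspicious_imap(SAMPLE_EVENTS).items():
        print(f"{host}: {proc} opened {len(conns)} IMAP connection(s): {sorted(set(conns))}")
```

In production the same logic would run over the EDR or Sysmon feed, and a hit should be correlated with the mailbox's draft-folder activity on the mail server side.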
Ukraine’s CERT notes that these tools are deployed in compromised systems within an hour of the initial compromise, indicating a rapid and well-coordinated attack.