Ukraine’s Computer Emergency Response Team (CERT) has issued a warning about a new phishing campaign that enabled Russian hackers to deploy previously unseen malware on a network in less than an hour. The campaign, carried out by APT28, also known as Fancy Bear or Strontium, targeted Ukraine between December 15 and 25, 2023, using phishing emails to trick recipients into clicking on a link that purported to be an important document.

The malicious web resources linked to the emails used JavaScript to drop a Windows shortcut file (LNK), which then launched PowerShell commands to trigger an infection chain for a new Python malware downloader called ‘MASEPIE.’ This malware establishes persistence on the infected device, modifies the Windows Registry, and adds a deceptively named LNK file to the Windows Startup folder.

The primary role of MASEPIE is to download additional malware on the infected device and steal data. APT28 also employs a set of PowerShell scripts named ‘STEELHOOK’ to steal data from Chrome-based web browsers and uses a C# backdoor named ‘OCEANMAP’ for executing base64-encoded commands via cmd.exe.

OCEANMAP establishes persistence on the system and uses the Internet Message Access Protocol (IMAP) as a control channel to receive discreet commands, store them as email drafts, execute them, and then store the results in the inbox directory. Additionally, other tools such as IMPACKET and SMBEXEC are deployed for network reconnaissance and lateral movement.

Ukraine’s CERT notes that these tools are deployed in compromised systems within an hour of the initial compromise, indicating a rapid and well-coordinated attack.

Fabio

Full Stack Developer

About the Author

I’m passionate about web development and design in all its forms, helping small businesses build and improve their online presence. I spend a lot of time learning new techniques and actively helping other people learn web development through a variety of help groups and writing tutorials for my blog about advancements in web design and development.

View Articles