A recent campaign by the Russian state-sponsored hacking group APT28, also known as Fancy Bear, has leveraged the new MASEPIE malware to compromise Ukrainian entities.
Between December 15 and 25, 2023, the group ran a phishing campaign in which it deployed a new, previously unseen malware named ‘MASEPIE’ within a one-hour timeframe.
Fancy Bear is notorious for targeting government entities, businesses, universities, research institutes, and think tanks in Western countries and NATO organisations. The APT28 group has also gained notoriety for exploiting zero-day vulnerabilities and running phishing campaigns. In this latest attack, the phishing emails lured targets into clicking seemingly harmless links that purportedly led to important documents.
The malicious links redirected victims to attacker-controlled web resources that used JavaScript to launch a Windows shortcut file (LNK). The attackers then added an LNK file named ‘SystemUpdate.lnk’ to the Windows Startup folder to establish persistence on the compromised device.
MASEPIE is a new Python-based downloader that is installed through PowerShell commands launched by the LNK file.
The MASEPIE loader’s primary role is downloading additional malware and stealing sensitive data. In addition, the operators deploy a set of PowerShell scripts called ‘STEELHOOK’ to exfiltrate information from Chrome-based web browsers, harvesting passwords, authentication cookies, and browsing history.
Another key component of the operation is ‘OCEANMAP’, a C# backdoor that executes base64-encoded commands through cmd.exe.
OCEANMAP also establishes persistence by placing a .URL file named ‘VMSearch.url’ in the Windows Startup folder. It uses the Internet Message Access Protocol (IMAP) as a covert command-and-control channel, with commands stored as email drafts, which minimises the risk of detection.
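Both persistence mechanisms described above (the ‘SystemUpdate.lnk’ shortcut and the ‘VMSearch.url’ internet shortcut) rely on the Windows Startup folder, which makes that folder a cheap place to hunt. The following triage script is an added example, not code from the original article, from CERT-UA, or from any tool named here: it lists .lnk and .url entries in a Startup folder, flags the two file names the article cites, and for .url files extracts the URL= target so an analyst can see what the shortcut launches. The two names in KNOWN_NAMES come from the article; treating every other .lnk/.url in Startup as worth a look is this example's own triage rule, so benign hits need manual review.

```python
"""Triage scan for Startup-folder persistence artefacts.

Added example (not from the article, CERT-UA, or any named tool). Scans a
Windows Startup folder, or any folder passed in, for .lnk/.url entries and
flags the two names the article reports. Expect benign hits; this is a
triage list, not a verdict.
"""
import os
from configparser import ConfigParser, Error as ConfigParserError
from dataclasses import dataclass
from pathlib import Path
from typing import List, Optional

# File names reported in the campaign (taken from the article text).
KNOWN_NAMES = {"systemupdate.lnk", "vmsearch.url"}
# Extensions this example treats as worth a look in a Startup folder (own rule).
SUSPECT_EXTENSIONS = {".lnk", ".url"}


@dataclass
class Finding:
    name: str
    reason: str
    target: Optional[str] = None  # URL= value for .url files, when parseable


def parse_url_target(text: str) -> Optional[str]:
    """Return the URL= value of an INI-style .url file, or None if absent/unparseable."""
    parser = ConfigParser(interpolation=None)
    try:
        parser.read_string(text)
    except ConfigParserError:
        return None
    # ConfigParser lower-cases option names, so "URL" matches; section names are exact.
    return parser.get("InternetShortcut", "URL", fallback=None)


def classify_entry(name: str, content: Optional[str] = None) -> Optional[Finding]:
    """Classify one Startup-folder file by name (and .url content, if supplied)."""
    ext = Path(name).suffix.lower()
    if ext not in SUSPECT_EXTENSIONS:
        return None
    lowered = name.lower()  # Windows file names are case-insensitive
    if lowered in KNOWN_NAMES:
        reason = "known campaign artefact name"
    else:
        reason = f"{ext} file in Startup folder"
    target = None
    if ext == ".url" and content is not None:
        target = parse_url_target(content)
    return Finding(name=name, reason=reason, target=target)


def scan_folder(folder: Path) -> List[Finding]:
    """Scan one folder; a missing folder yields no findings rather than an error."""
    findings: List[Finding] = []
    if not folder.is_dir():
        return findings
    for entry in sorted(folder.iterdir()):
        if not entry.is_file():
            continue
        content = None
        if entry.suffix.lower() == ".url":
            try:
                content = entry.read_text(errors="replace")
            except OSError:
                content = None
        finding = classify_entry(entry.name, content)
        if finding is not None:
            findings.append(finding)
    return findings


def startup_folders() -> List[Path]:
    """Per-user and all-users Startup folders on Windows; empty on other platforms."""
    relative = Path("Microsoft") / "Windows" / "Start Menu" / "Programs" / "Startup"
    folders: List[Path] = []
    for var in ("APPDATA", "PROGRAMDATA"):
        base = os.environ.get(var)
        if base:
            folders.append(Path(base) / relative)
    return folders


if __name__ == "__main__":
    for folder in startup_folders():
        for f in scan_folder(folder):
            suffix = f" -> {f.target}" if f.target else ""
            print(f"{folder / f.name}: {f.reason}{suffix}")
```

On a live Windows host the script reads the per-user and all-users Startup folders from `APPDATA` and `PROGRAMDATA`; on an analysis workstation you can instead call `scan_folder(Path("/mnt/evidence/Startup"))` against a mounted image. Matching on the two published names catches this campaign only; the broader rule (any .lnk or .url in Startup) is what catches the next renamed variant, at the cost of reviewing legitimate entries.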
The operators also use tools such as IMPACKET, a collection of Python classes for working with network protocols, and SMBEXEC to facilitate remote command execution for network reconnaissance and lateral movement.
This latest Ukrainian incident underscores the relentless growth and sophistication of state-sponsored hacking groups. Organisations globally, and especially in Ukraine, should improve their cyber defences to thwart these threats.
