Rewterz Threat Alert – Widespread Phishing Campaign by APT28 Targets Asia, Europe, and Americas – Active IOCs

Severity

High

Analysis Summary

The notorious Russia-attributed threat group called APT28 has been behind several ongoing phishing campaigns that are using lure documents that masquerade as government and non-governmental organizations (NGOs) to target various regions like Central Asia, Europe, the South Caucasus, and North and South America.

The lures that were discovered contain a mixture of publicly available and internal documents, as well as documents possibly generated by the actor are related to critical infrastructure, finance, cybersecurity, executive engagements, healthcare, maritime security, defense industrial production, and business. The cybersecurity firm is tracking the activity cluster as ITG05, also known as Fancy Bear, BlueDelta, Blue Athena, Fighting Ursa, UAC-028, TA422, Sofacy, Sednit, Pawn Storm, Iron Twilight, and FROZENLAKE.

“Beginning in November 2023, we observed ITG05 using the “search-ms” URI handler, a new technique for the group, leading victims to download malware hosted on actor-controlled WebDAV servers,” said the cybersecurity analysts.

The follow-up comes after about three months of disclosure that the threat actor was observed using lures related to the ongoing Israel-Palestine war to propagate a custom backdoor called HeadLace. APT28 has also attacked Ukrainian government entities as well as Polish organizations with phishing emails made to deliver implants and infostealers such as OCEANMAP, MASEPIE, and STEELHOOK.

Some other campaigns by the adversary exploited vulnerabilities in Microsoft Outlook (namely CVE-2023-23397 with a CVSS score of 9.8) to steal NTLMv2 hashes, which makes it possible that the threat actor could take advantage of other weaknesses to exfiltrate NTLMv2 hashes and use them in relay attacks.

The latest campaigns were observed during late November 2023 and February 2024 and leveraged Microsoft Windows’ “search-ms:” URI protocol handler to lure unsuspecting users into downloading malware that is hosted on WebDAV servers controlled by the actor. There is some evidence that suggests both the WebDAV servers and the MASEPIE C2 servers might be hosted on compromised Ubiquiti routers, which is a botnet compromise that was taken down by the U.S. government a while ago.

The phishing attacks pretend to be entities from various countries like the U.S., Azerbaijan, Armenia, Poland, Kazakhstan, Belarus, Georgia, Ukraine, and Argentina. This way, the campaign can use a mix of authentic government and non-government lures documents that are publicly available to initiate the infection chains. The scheme comes to an end with the execution of MASEPIE, STEELHOOK, and OCEANMAP. These malware are capable of exfiltrating files, stealing browser data, and executing arbitrary commands.

These developments show that APT28 is adaptable to changes in opportunity by leveraging novel infection methods and using commercially available infrastructure while also continuously evolving its malware arsenal.

Impact

• Sensitive Data Theft
• Cyber Espionage
• Data Exfiltration

Indicators of Compromise

MD5

• b1ddb329a8544f7a15fef42400bb681b
• 60e57af5fcec9d3fb409ee66b20eafc4

SHA-256

• 451f3d427ac21632f38619ef96dece25798918866d44fe82ff1ed30996f998dc
• 64b0037dde987c78edf807a1bd7f09cdfac072ec2a59954cc4918828b7e608a3

SHA-1

• c599321f0fd9e453652ed2f4c15f1f892315da54
• 32981337609b8567390014e24fc8156153022f65

Remediation

• Block all threat indicators at your respective controls.
• Search for Indicators of compromise (IOCs) in your environment utilizing your respective security controls.
• Perform comprehensive security audits on the email server infrastructure to identify and address any potential weaknesses. This includes reviewing server configurations, access controls, and encryption protocols to ensure they meet industry best practices.
• Emails from unknown senders should always be treated with caution. Never trust or open links and attachments received from unknown sources/senders.
• Enable 2FA for user accounts on the email server to add an extra layer of security. This prevents unauthorized access even if usernames and passwords are compromised.
• Maintain cyber hygiene by updating your anti-virus software and implementing a patch management lifecycle.
• Implement network segmentation to isolate critical systems and sensitive data from the rest of the network. This limits the lateral movement of attackers in case of a breach and reduces the impact of potential future attacks.
• Implement a regular backup strategy for email servers and critical data. Ensure that backups are stored securely and regularly tested for data restoration.
• Apply the latest security patches and updates to the email server software and associated components to address any vulnerabilities that may have been exploited by APT28. Also, prioritize patching known exploited vulnerabilities and zero-days.