Security researchers at Zscaler ThreatLabz uncovered a new information-stealing campaign they dubbed “Steal-IT” that exfiltrates NTLMv2 hashes from compromised Windows systems using a customized PowerShell script.
The campaign primarily targets Australia, Poland, and Belgium and is believed to be orchestrated by the Russian military hacker group known as APT28, also tracked as Strontium or Fancy Bear. Zscaler notes that the Steal-IT campaign bears similarities to a May 2023 attack against Ukrainian government entities that the CERT-UA threat response team attributed to APT28.
In the recent campaign the threat actor has been observed stealing and exfiltrating NTLM hashes using customized scripts from the Nishang framework, and collecting system information by executing system commands. Once captured, the data is exfiltrated via mock APIs to Mockbin.
Mockbin is an online custom endpoint generator, which allows users to generate custom endpoints to test, mock and track HTTP requests and responses between APIs.
Nishang is a framework and collection of scripts and payloads that enables the usage of PowerShell for offensive security and post-exploitation during penetration tests.
The infection chain starts with lures designed to trick a victim into opening an innocuous-looking .zip archive, which hides a malicious shortcut file. The .lnk file downloads and executes a customized version of a pen-testing PowerShell script – Nishang’s Start-CaptureServer.ps1 – which is designed to capture NTLMv2 hashes used for authentication in Windows environments.
What is particularly interesting about this operation is that it uses multiple infection chains involving different lures depending on the targeted country.
For example, users in Australia are targeted with OnlyFans lures designed to trick them into downloading a CMD file that steals system information. The Fansly whoami infection chain involves explicit images of Ukrainian and Russian Fansly models designed to entice Polish users into downloading a CMD file that exfiltrates the results of the whoami command. Belgian users are targeted with the Windows update infection chain, which uses fake Windows update scripts designed to run commands like tasklist and systeminfo.
“Zscaler ThreatLabz’s analysis of the […] Steal-It campaign indicates their targeted geofencing strategy and sophisticated tactics. For example, the threat actors' custom PowerShell scripts and strategic use of LNK files within zip archives highlight their technical expertise. The persistence maintained by moving files from the Downloads to Startup folder and renaming them underscores the threat actors' dedication to prolonged access,” the researchers noted.
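A detection pass over the three behaviours the report describes (a script host launching Start-CaptureServer.ps1, a file moved and renamed from Downloads into the Startup folder, and a script host contacting Mockbin), written here as an added example rather than code from Zscaler or the campaign. The event schema, file paths, user names and the mockbin.org hostname are constructed assumptions, not telemetry from the campaign.

```python
import re
from typing import Dict, List

# Constructed sample telemetry in a simplified, made-up schema (not real Sysmon or EDR output).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"type": "proc_start", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell -ep bypass -f C:\Users\u\Downloads\Start-CaptureServer.ps1"},
    {"type": "file_move", "proc": "powershell.exe",
     "src": r"C:\Users\u\Downloads\update.cmd",
     "dst": r"C:\Users\u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svc.cmd"},
    {"type": "net_conn", "proc": "powershell.exe", "dest_host": "abc123.mockbin.org"},  # assumed host
    {"type": "net_conn", "proc": "chrome.exe", "dest_host": "mockbin.org"},  # browser use: benign
    {"type": "file_move", "proc": "explorer.exe",
     "src": r"C:\Users\u\Downloads\report.pdf", "dst": r"C:\Users\u\Documents\report.pdf"},
]

SCRIPT_HOSTS = {"powershell.exe", "cmd.exe"}
STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)
DOWNLOADS_RE = re.compile(r"\\Downloads\\", re.IGNORECASE)


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def classify(ev: Dict[str, str]) -> List[str]:
    """Return the alert tags one event triggers (empty list if none)."""
    tags: List[str] = []
    if ev["type"] == "file_move" and DOWNLOADS_RE.search(ev["src"]) and STARTUP_RE.search(ev["dst"]):
        tags.append("persistence:downloads_to_startup")
        if _basename(ev["src"]) != _basename(ev["dst"]):  # renamed on the way, as the report notes
            tags.append("persistence:renamed_on_move")
    elif ev["type"] == "net_conn" and ev["proc"].lower() in SCRIPT_HOSTS:
        host = ev["dest_host"].lower()
        if host == "mockbin.org" or host.endswith(".mockbin.org"):
            tags.append("exfil:script_host_to_mockbin")
    elif ev["type"] == "proc_start" and "start-captureserver" in ev["cmdline"].lower():
        tags.append("credential_access:nishang_capture_server")
    return tags


def scan(events: List[Dict[str, str]]) -> Dict[int, List[str]]:
    """Map event index -> tags for every event that matched at least one rule."""
    hits: Dict[int, List[str]] = {}
    for i, ev in enumerate(events):
        tags = classify(ev)
        if tags:
            hits[i] = tags
    return hits
```

Only script hosts (powershell.exe, cmd.exe) talking to Mockbin are flagged, so ordinary browser use of the service does not trigger the exfiltration rule.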