Russian hacker group exploits Microsoft Windows feature in worldwide phishing attack

News
By Sead Fadilpašić
published

APT28 is back, impersonating NGOs from all over the world

A white padlock on a dark digital background.
(Image credit: Shutterstock.com)

The infamous Russian hacking collective, known as APT28, is now using a legitimate Microsoft Windows feature to deploy infostealers and other malware to their victims. 

A new paper from IBM’s cybersecurity arm, X-Force claims the campaign has been active between November last year, and February this year.

As per the report, the attackers (also known as Fancy Bear, Forest Blizzard, or ITG05) are impersonating government and NGO organizations in Europe, South Caucasus, Central Asia, and North and South America, reaching out to their victims via email. The emails contain weaponized PDF files.

Stealing sensitive information

The PDFs come with URLs that lead to compromised websites, which can abuse the “search-ms:” URI protocol handler, as well as the “search:” application protocol. The handler allows apps and HTML links to launch custom local searches on a device, whale the protocol serves as a mechanism for calling the desktop search application on Windows. 

As a result, the victims end up performing searches on an attacker-controlled server, and coming up with malware displayed in Windows Explorer. This malware is disguised as a PDF file, which the victims are invited to download and run.

The malware is hosted on WebDAV servers which themselves are most likely hosted on compromised Ubiquiti routers. These routers were part of a botnet what was apparently taken down by the U.S. government last month, The Hacker News reports. 

We don’t know who the victims are, but it’s safe to assume they’re from the same countries as the government and NGO agencies being impersonated in the attacks: Argentina, Ukraine, Georgia, Belarus, Kazakhstan, Poland, Armenia, Azerbaijan, and the U.S.

Those that fall for the trick end up installing MASEPIE, OCEANMAP, and STEELHOOK, malware designed to exfiltrate files, run arbitrary commands, and steal browser data. "ITG05 remains adaptable to changes in opportunity by delivering new infection methodologies and leveraging commercially available infrastructure, while consistently evolving malware capabilities," the researchers concluded.

Via The Hacker News

More from TechRadar Pro

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.