The infamous Russian hacking collective known as APT28 is now abusing a legitimate Microsoft Windows feature to deploy infostealers and other malware on its victims.
This is according to a new report from IBM's cybersecurity arm, X-Force, which says the campaign was active between November last year and February this year, as reported by The Hacker News.
According to the report, the attackers (also tracked as Fancy Bear, Forest Blizzard or ITG05) impersonate government and NGO organizations in Europe, the South Caucasus, Central Asia and the Americas, and contact their victims by e-mail. The emails carry weaponized PDF files.
Stealing sensitive information
The PDFs contain URLs that lead to compromised websites, which in turn abuse the "search-ms:" URI protocol handler and the "search:" application protocol. The handler lets applications and HTML links launch a custom local search on the device, while the protocol is the mechanism for invoking the Windows desktop search application. Neither is a vulnerability in itself: the abuse lies in pointing the search at a location the attacker controls.
As a result, the victim's machine runs a search against an attacker-controlled server, and the "results" are attacker-hosted files that appear in Windows Explorer as if they were local. The malware is disguised as a PDF file, which the victim still has to open before anything executes.
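To make the lure concrete, here is a small detector that pulls search-ms:/search: URIs out of text (an HTML page, a proxy log, links extracted from a PDF) and flags those whose crumb points at a remote share rather than a local folder. This is an added example, not code from IBM X-Force or The Hacker News. The parameter names (query, crumb=location:, displayname) are Microsoft's documented search-ms syntax; the sample URIs, hostnames and IP addresses are constructed for illustration.

```python
"""
Heuristic detector for search-ms:/search: URIs that point Windows desktop
search at a remote (UNC/WebDAV) location, the trick described above.
Added example; sample inputs below are constructed, not real campaign data.
"""
import re
from urllib.parse import unquote

# Pull every search-ms:/search: URI out of free text (HTML, proxy logs,
# PDF link dumps). A URI ends at whitespace, a quote or an angle bracket.
URI_RE = re.compile(r"(?:search-ms|search):[^\s\"'<>)]+", re.IGNORECASE)

# Hostname@port or hostname@SSL@port is the WebDAV mini-redirector syntax;
# DavWWWRoot is the conventional root of such a share.
WEBDAV_HINT_RE = re.compile(r"@(ssl@)?\d+|davwwwroot", re.IGNORECASE)


def parse_search_uri(uri: str) -> dict:
    """Split a search-ms:/search: URI into its &-separated key=value parameters.

    Values are percent-decoded so that crumb=location:%5C%5Chost becomes a
    normal UNC path; keys are lower-cased because the handler is case-insensitive.
    """
    scheme, _, rest = uri.partition(":")
    params = {}
    for part in rest.split("&"):
        key, _, value = part.partition("=")
        params[key.strip().lower()] = unquote(value)
    return {"scheme": scheme.lower(), "params": params}


def crumb_location(params: dict):
    """Return the path from crumb=location:<path>, or None if absent."""
    crumb = params.get("crumb", "")
    if crumb.lower().startswith("location:"):
        return crumb[len("location:"):]
    return None


def assess(uri: str) -> dict:
    """Classify one URI: a local folder is benign, a remote share is suspicious."""
    parsed = parse_search_uri(uri)
    params = parsed["params"]
    loc = crumb_location(params)
    reasons = []
    if loc is not None:
        remote = loc.startswith("\\\\") or loc.startswith("//") or "://" in loc
        if loc.startswith("\\\\") or loc.startswith("//"):
            reasons.append("remote UNC location")
        if re.match(r"(?i)https?://", loc):
            reasons.append("URL-form location")
        if WEBDAV_HINT_RE.search(loc):
            reasons.append("WebDAV redirector syntax")
        # The lure relies on labelling the remote share like a local folder.
        name = params.get("displayname", "")
        if remote and name:
            reasons.append(f"remote share labelled as '{name}'")
    return {
        "uri": uri,
        "scheme": parsed["scheme"],
        "location": loc,
        "reasons": reasons,
        "suspicious": bool(reasons),
    }


def scan_text(text: str) -> list:
    """Find and assess every search-ms:/search: URI in a blob of text."""
    return [assess(m.group(0)) for m in URI_RE.finditer(text)]


# Constructed samples (not from the campaign): one legitimate local search,
# two lures that point the search at a remote WebDAV share.
SAMPLES = [
    "search-ms:query=report&crumb=location:C:\\Users\\Public\\Documents&displayname=Documents",
    "search-ms:query=Statement.pdf&crumb=location:\\\\203.0.113.10@80\\DavWWWRoot\\share&displayname=Downloads",
    "search:query=invoice&crumb=location:%5C%5Cfiles.example.net%5Cwebdav&displayname=Desktop",
]

if __name__ == "__main__":
    for result in scan_text("\n".join(SAMPLES)):
        flag = "SUSPICIOUS" if result["suspicious"] else "ok"
        print(f"{flag:10} {result['scheme']:10} {result['location']} {result['reasons']}")
```

The heuristic is deliberately simple: a local search names a drive path, a lure names a UNC path (often with the `host@port\DavWWWRoot` form the WebDAV redirector understands) and gives it a displayname such as "Downloads" or "Desktop" so the Explorer window looks like a local folder. On hosts that have no business launching searches from links, a common hardening step is to unregister the handlers by removing the HKEY_CLASSES_ROOT\search-ms and HKEY_CLASSES_ROOT\search keys; the detector above is for the mail gateway, proxy or sandbox side where those links are first seen.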
The malware is hosted on WebDAV servers, which themselves most likely run on compromised Ubiquiti routers. These routers were part of a botnet that was reportedly disrupted by the US government last month, The Hacker News reports.
We don't know who the victims are, but it's safe to assume they come from the same countries as the government and NGO agencies impersonated in the attacks: Argentina, Ukraine, Georgia, Belarus, Kazakhstan, Poland, Armenia, Azerbaijan, and the US.
Those who fall for the trick end up installing MASEPIE, OCEANMAP, and STEELHOOK, malware designed to exfiltrate files, execute arbitrary commands, and steal browser data. “ITG05 remains adaptable to changes in opportunities by delivering new infection methods and leveraging commercially available infrastructure, while consistently evolving its malware capabilities,” the researchers concluded.