
APT28 Hacker Group Uses Fake Government Documents In Phishing Attacks

APT28, a cyber threat group linked to Russia, has been involved in a number of recent phishing attacks. These campaigns use fake documents that resemble those used by governments and non-governmental organisations (NGOs).

The targets cover a large geographic area, including North and South America, Europe, the South Caucasus, and Central Asia.

IBM X-Force recently disclosed a number of phishing attacks targeting the financial, healthcare, and critical infrastructure industries, among others. To make these attacks appear more authentic, the lures combine publicly available documents, stolen corporate documents, and even fabricated content.

IBM has discovered a cyberespionage campaign linked to the notorious hacker gang ITG05 (also known as Fancy Bear, Sednit, TA422, and a variety of other names). The disclosure comes after ITG05 was connected to attacks that used lures themed on the Israel-Hamas conflict to deploy malware.

Under the alias ITG05, the APT28 group has also conducted phishing attacks against organisations in Poland and Ukraine. These attempts aimed to install purpose-built malware designed to steal sensitive information (MASEPIE, OCEANMAP, and STEELHOOK).

Cybercriminals are also exploiting a vulnerability in Microsoft Outlook (CVE-2023-23397) to steal users’ login information. This critical flaw (CVSS: 9.8) lets attackers capture NTLM v2 hashes, which they can then use to access other systems on a network.

Think of your computer password as a complex recipe. An NTLM v2 hash is like a scrambled copy of that recipe: it cannot be read directly, but it still holds enough clues for someone to potentially recreate it.

APT28 phishing attack flowchart from malicious email to stolen credentials

The PDFs contain URLs leading to compromised websites. These websites take advantage of the ‘search:’ application protocol as well as the ‘search-ms:’ URI protocol handler.

The ‘search:’ protocol opens Windows’ built-in desktop search, while the ‘search-ms:’ handler lets applications and HTML links launch customised searches on the device, including searches pointed at a location the link itself specifies.

Without realising it, victims run a search against an attacker-controlled server, and the results shown in Windows Explorer include the malware. The file is disguised as a PDF, which persuades users to download and run it.

The WebDAV servers hosting the malware are likely running on hacked Ubiquiti routers. The US authorities recently dismantled a botnet made up of such routers.
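The ‘search-ms:’ links described above can be triaged with a small Python helper; this is an added example, not code from the article or from IBM’s report. It pulls ‘search:’ and ‘search-ms:’ links out of extracted text (a PDF’s URI entries, an HTML email body) and flags any whose location crumb points at a remote host, which is what makes Explorer fetch a listing from an attacker’s WebDAV server. The sample links and the 198.51.100.7 address are constructed for the example.

```python
import re
from urllib.parse import unquote

# Finds 'search:' and 'search-ms:' URIs in text (e.g. strings pulled from a PDF's
# /URI entries or an HTML email body). Windows hands both schemes to the Search
# protocol handler; 'search-ms:' carries the parameters that steer the search.
SEARCH_URI_RE = re.compile(r"\b(search(?:-ms)?):([^\s\"'<>)]+)", re.IGNORECASE)

# A 'crumb=location:' value that is a UNC path (\\host\share), an http(s) URL or a
# file:// URL with a host makes Explorer fetch listings from a remote server.
REMOTE_LOCATION_RE = re.compile(
    r"^(?:\\\\[^\\]+\\|//[^/]+/|https?://|file://(?!/?[a-z]:))", re.IGNORECASE)

def parse_search_uri(body: str) -> tuple:
    """Return (params, location) from the parameter string after the scheme."""
    params, location = {}, ""
    for part in body.split("&"):
        key, _, value = part.partition("=")
        key, value = key.strip().lower(), unquote(value)
        params[key] = value
        # There may be several crumb= parameters; only location: matters here.
        if key == "crumb" and value.lower().startswith("location:"):
            location = value[len("location:"):]
    return params, location

def classify_search_uris(text: str) -> list:
    """One finding per URI: suspicious when the search is pointed at a remote host."""
    findings = []
    for m in SEARCH_URI_RE.finditer(text):
        scheme, body = m.group(1).lower(), m.group(2)
        params, location = parse_search_uri(body)
        remote = bool(REMOTE_LOCATION_RE.match(location))
        findings.append({
            "scheme": scheme,
            "displayname": params.get("displayname", ""),
            "location": location,
            "remote_location": remote,
            "verdict": "suspicious" if remote else "review",
        })
    return findings

# Constructed sample (not from the IBM report): the first link points a search at
# a remote UNC share on a documentation-range IP, the second is a local search,
# the third is a bare 'search:' link with no location crumb.
SAMPLE_TEXT = """
<a href="search-ms:query=Report&crumb=location:%5C%5C198.51.100.7%5Cdocs&displayname=Downloads">Open</a>
<a href="search-ms:query=invoice&crumb=location:C:%5CUsers&displayname=Local">Local</a>
<a href="search:query=budget">Search</a>
"""
```

Running `classify_search_uris(SAMPLE_TEXT)` marks only the first link as suspicious; the local and bare links are left for manual review.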

According to security experts Golo Mühr, Claire Zaboeva, and Joe Fasulo:

In an update to their methodologies, ITG05 is utilizing the freely available hosting provider, firstcloudit[.]com to stage payloads to enable ongoing operations. ITG05 remains adaptable to changes in opportunity by delivering new infection methodologies and leveraging commercially available infrastructure, while consistently evolving malware capabilities.

The final stage of APT28’s attack chain is the deployment of MASEPIE, OCEANMAP, and STEELHOOK. These tools are built to extract files, execute arbitrary commands, and steal browsing data. OCEANMAP is described as a more advanced version of CredoMap, a backdoor previously identified in use by the group.

X-Force expects ITG05 to keep attacking governments and political institutions around the world, with the aim of giving Russia valuable insight into emerging policy decisions.

Phishing attacks are on the rise, and it is important to protect your organisation. One effective way to do this is by increasing user awareness about these types of attacks. Phishing Tackle is a great resource that can help you in this regard. They offer a free 14-day trial to help train your users to recognise and avoid phishing attacks.
