CERT-UA reveals new wave of malware distributing OCEANMAP, MASEPIE, STEELHOOK


Ukraine’s Computer Emergency Response Team (CERT-UA) has warned of a new phishing campaign orchestrated by the Russia-linked APT28 group to leverage previously undocumented malware such as OCEANMAP, MASEPIE and STEELHOOK to collect sensitive information.

The activity, which was detected by the agency between December 15 and 25, 2023, targets government agencies with email messages urging recipients to click on a link to view a document.

Instead, the links redirect to malicious web resources that abuse JavaScript and the “search-ms:” URI protocol handler to place a Windows shortcut file (LNK) that launches PowerShell commands to trigger an infection chain for a new malware known as MASEPIE.

MASEPIE is a Python-based tool for downloading/uploading files and executing commands, communicating with the command-and-control (C2) server over an encrypted channel using the TCP protocol.

The attacks further pave the way for the deployment of additional malware, including a PowerShell script called STEELHOOK capable of collecting web browser data and exporting it in Base64-encoded format to an actor-controlled server.

Also included is a C#-based backdoor called OCEANMAP, which is designed to run commands using cmd.exe.

“The IMAP protocol is used as a control channel,” according to CERT-UA. Persistence is achieved by creating a URL file named “VMSearch.url” in the Windows Startup folder.

“Commands, in Base64 encoded form, are contained in the ‘Drafts’ of the corresponding email folders; each of the drafts contains the name of the computer, the name of the user and the operating system version. The results of the jobs are saved to the Inbox folder.”
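As an added hunting example (not from CERT-UA or the original article), the two OCEANMAP behaviours described above, IMAP used as a control channel and a .url file written to the Startup folder, can be checked against endpoint telemetry and correlated per host. The event schema, the mail-client allow-list, and all hosts, paths and addresses below are constructed assumptions.

```python
import ntpath
from collections import defaultdict

# Assumptions (tune per environment): allow-listed mail clients, IMAP ports,
# and a simplified event schema modelled on endpoint telemetry.
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}
IMAP_PORTS = {143, 993}
STARTUP = "\\start menu\\programs\\startup\\"

# Constructed sample events (documentation IP ranges, invented hosts and paths).
SAMPLE_EVENTS = [
    {"host": "ws-01", "type": "network", "dst_ip": "192.0.2.10", "dst_port": 993,
     "image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"},
    {"host": "ws-02", "type": "network", "dst_ip": "198.51.100.7", "dst_port": 993,
     "image": r"C:\Users\bob\AppData\Local\Temp\svc.exe"},
    {"host": "ws-02", "type": "file_create",
     "target": r"C:\Users\bob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VMSearch.url"},
    {"host": "ws-03", "type": "file_create", "target": r"C:\Users\eve\Desktop\notes.url"},
    {"host": "ws-03", "type": "network", "dst_ip": "192.0.2.10", "dst_port": 143,
     "image": r"C:\Python311\python.exe"},
]

def hunt(events):
    """Return (host, rule, detail) tuples for the two behaviours described above."""
    findings = []
    for ev in events:
        if ev["type"] == "network" and ev["dst_port"] in IMAP_PORTS:
            image = ntpath.basename(ev["image"]).lower()
            if image not in MAIL_CLIENTS:  # IMAP spoken by something that is not a mail client
                detail = f"{image} -> {ev['dst_ip']}:{ev['dst_port']}"
                findings.append((ev["host"], "imap-from-non-mail-client", detail))
        elif ev["type"] == "file_create":
            target = ev["target"].lower()
            if STARTUP in target and target.endswith(".url"):  # .url written for autostart
                findings.append((ev["host"], "url-file-in-startup", ev["target"]))
    return findings

def correlate(findings):
    """Hosts showing both behaviours are the highest-priority leads."""
    rules_by_host = defaultdict(set)
    for host, rule, _ in findings:
        rules_by_host[host].add(rule)
    return sorted(h for h, rules in rules_by_host.items() if len(rules) == 2)

if __name__ == "__main__":
    hits = hunt(SAMPLE_EVENTS)
    for hit in hits:
        print(hit)
    print("correlated hosts:", correlate(hits))
```

Either rule alone will fire on legitimate software (scripts that poll mailboxes, installers that add Startup shortcuts), which is why the example ranks hosts that trigger both.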

The agency further pointed out that reconnaissance and lateral movement activities are carried out within an hour of the initial compromise by using tools such as Impacket and SMBExec.

The revelation comes weeks after IBM

In recent weeks, the prolific Kremlin-backed hacking group was also credited with exploiting a now-patched critical vulnerability in the Outlook email service (CVE-2023-23397, CVSS score: 9.8) to gain unauthorized access to victims’ accounts within Exchange servers.
