The infamous Russian hacking collective known as APT28 is now abusing a legitimate feature of Microsoft Windows to deploy infostealers and other malware on its victims.
This is according to a new report from IBM's cybersecurity arm, X-Force, which says the campaign was active between November last year and February this year, The Hacker News reports.
According to the report, the attackers (also known as Fancy Bear, Forest Blizzard or ITG05) pose as government organizations and NGOs in Europe, the South Caucasus, Central Asia and North and South America, and contact their victims by email. The emails carry specially crafted PDF files.
Steal confidential information
The PDF files contain URLs that lead to compromised websites, which abuse the "search-ms:" URI protocol handler as well as the "search:" application protocol. The handler allows applications and HTML links to launch custom local searches on a device, while the protocol serves as the mechanism for invoking the desktop search application on Windows.
As a result, victims end up running a search against a server controlled by the attacker, and the results are displayed in Windows Explorer. The malware returned by that search disguises itself as a PDF file, which victims are invited to download and execute.
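To make the abused mechanism concrete from the defender's side, here is an added example (not code from the IBM X-Force report, the article, or the actors described) that scans URL or mail-gateway log lines for "search-ms:" and "search:" links whose search location is a remote share rather than a local folder. It assumes the Microsoft-documented URI syntax in which a `crumb=location:<path>` parameter tells Explorer where to search; the log lines, host names and addresses are constructed for the example and are not indicators from the report.

```python
"""Flag search-ms: / search: links that point Windows Search at a remote share.

Added example, not from the IBM X-Force report or the article. Assumes the
documented search-ms: syntax (query=...&crumb=location:<path>&displayname=...);
all sample lines and hosts below are constructed.
"""
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import unquote

# Constructed sample log lines (hypothetical hosts and addresses, not real IoCs).
SAMPLE_LINES = [
    "2024-02-01T10:00:00Z GET https://example.invalid/doc/brief.pdf",
    "2024-02-01T10:00:05Z LINK search-ms:query=report&crumb=location:\\\\203.0.113.10\\DavWWWRoot\\docs&displayname=Documents",
    "2024-02-01T10:01:00Z LINK search-ms:query=tax&crumb=location:C:\\Users\\alice\\Documents",
    "2024-02-01T10:02:00Z LINK search:query=invoice&crumb=location:%5C%5Cfiles.example.invalid%40SSL%5Cshare",
]

# Matches the scheme and everything up to the next whitespace.
URI_RE = re.compile(r"\b(search-ms|search):(\S+)", re.IGNORECASE)


def parse_search_uri(body: str) -> Dict[str, str]:
    """Split the part after 'search-ms:' into lower-cased key -> decoded value."""
    params: Dict[str, str] = {}
    for part in body.split("&"):
        if "=" in part:
            key, _, value = part.partition("=")
            params[key.strip().lower()] = unquote(value)
    return params


def search_location(params: Dict[str, str]) -> Optional[str]:
    """Return the path named by crumb=location:<path>, or None if absent."""
    crumb = params.get("crumb", "")
    if crumb.lower().startswith("location:"):
        return crumb[len("location:"):]
    return None


def is_remote_location(location: str) -> bool:
    """UNC paths (\\\\host\\share, including WebDAV's host@SSL form) are remote;
    drive-letter paths such as C:\\Users are local."""
    return location.startswith("\\\\") or location.startswith("//")


def flag_remote_search_links(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (line, scheme, location) for each link that would search a remote share."""
    hits: List[Tuple[str, str, str]] = []
    for line in lines:
        for match in URI_RE.finditer(line):
            scheme, body = match.group(1).lower(), match.group(2)
            location = search_location(parse_search_uri(body))
            if location and is_remote_location(location):
                hits.append((line, scheme, location))
    return hits


if __name__ == "__main__":
    for line, scheme, location in flag_remote_search_links(SAMPLE_LINES):
        print(f"[{scheme}] remote search location {location!r} in: {line}")
```

Only the remote-share cases are flagged; a search-ms: link that targets a local folder is a normal use of the feature and is ignored. Where the handler is not needed at all, the same check can be paired with the long-standing workaround of removing the `HKEY_CLASSES_ROOT\search-ms` and `HKEY_CLASSES_ROOT\search` protocol handler registrations, which makes such links inert on the endpoint.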
The malware is hosted on WebDAV servers that are likely hosted on compromised Ubiquiti routers. These routers were part of a botnet that was apparently taken down by the US government last month, The Hacker News reports.
We don't know who the victims are, but it's safe to assume they are from the same countries as the government organizations and NGOs impersonated in the attacks: Argentina, Ukraine, Georgia, Belarus, Kazakhstan, Poland, Armenia, Azerbaijan, and the United States.
Those who fall for the trick end up installing MASEPIE, OCEANMAP and STEELHOOK, malware designed to exfiltrate files, execute arbitrary commands and steal browser data. "ITG05 continues to adapt to changing opportunities by offering new infection methodologies and leveraging commercially available infrastructure, while constantly evolving malware capabilities," the researchers concluded.