The infamous Russian hacking collective, known as APT28, is now using a legitimate Microsoft Windows feature to deploy infostealers and other malware to their victims.
This is according to a new paper from IBM’s cybersecurity arm, X-Force, which claims the campaign has been active between November last year, and February this year, The Hacker News reports.
As per the report, the attackers (also known as Fancy Bear, Forest Blizzard, or ITG05) are impersonating government and NGO organizations in Europe, South Caucasus, Central Asia, and North and South America, reaching out to their victims via email. The emails contain weaponized PDF files.
Stealing sensitive information
The PDFs come with URLs that lead to compromised websites, which can abuse the “search-ms:” URI protocol handler, as well as the “search:” application protocol. The handler allows apps and HTML links to launch custom local searches on a device, whale the protocol serves as a mechanism for calling the desktop search application on Windows.
As a result, the victims end up performing searches on an attacker-controlled server, and coming up with malware displayed in Windows Explorer. This malware is disguised as a PDF file, which the victims are invited to download and run.
The malware is hosted on WebDAV servers which themselves are most likely hosted on compromised Ubiquiti routers. These routers were part of a botnet what was apparently taken down by the U.S. government last month, The Hacker News reports.
We don’t know who the victims are, but it’s safe to assume they’re from the same countries as the government and NGO agencies being impersonated in the attacks: Argentina, Ukraine, Georgia, Belarus, Kazakhstan, Poland, Armenia, Azerbaijan, and the U.S.
Those that fall for the trick end up installing MASEPIE, OCEANMAP, and STEELHOOK, malware designed to exfiltrate files, run arbitrary commands, and steal browser data. “ITG05 remains adaptable to changes in opportunity by delivering new infection methodologies and leveraging commercially available infrastructure, while consistently evolving malware capabilities,” the researchers concluded.