A recent study by IBM’s X-Force reveals that the notorious Russian hacking group, APT28, has been utilizing a legitimate Microsoft Windows component to spread malware through phishing attacks across the globe. Also known as Fancy Bear, Forest Blizzard, or ITG05, the group has been impersonating government and non-governmental organizations (NGOs) in various regions, including Europe, South Caucasus, Central Asia, and North and South America.
The attack begins with an email containing a weaponized PDF file, which leads to compromised websites that exploit the “search-ms:” URI protocol handler and the “search:” application protocol. This allows the attackers to trigger a Windows search on the victim’s device, ultimately resulting in the download of malware disguised as a PDF file. The malware is hosted on WebDAV servers, likely running on compromised Ubiquiti routers that the US government recently took down, according to The Hacker News.
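As an added detection example (not from the IBM X-Force report), the Python below parses `search-ms:` and `search:` URIs as they might be pulled from proxy logs or a phishing page, and flags those whose `crumb=location:` points at a network location (a UNC path or an HTTP/WebDAV URL) instead of the local disk; the sample URIs and addresses are constructed, not observed indicators.

```python
import re
from urllib.parse import unquote

# Windows Search URI schemes named in the report.
SEARCH_SCHEMES = ("search-ms:", "search:")
# A UNC path, protocol-relative path, file://host or http(s) URL means the
# search is served over SMB or WebDAV rather than from the local disk.
REMOTE_LOCATION = re.compile(r"^(\\\\[^\\]+|//[^/]+|https?://|file://[^/])", re.I)

def parse_search_uri(uri):
    """Split a search-ms:/search: URI into its '&'-separated key=value fields.
    'crumb' may repeat, and 'crumb=location:<path>' names the search folder."""
    scheme = next((s for s in SEARCH_SCHEMES if uri.lower().startswith(s)), None)
    if scheme is None:
        return None  # not a Windows Search URI at all
    params = {"scheme": scheme, "crumbs": []}
    for pair in uri[len(scheme):].split("&"):
        key, _, value = pair.partition("=")
        if key.lower() == "crumb":
            params["crumbs"].append(unquote(value))
        else:
            params[key.lower()] = unquote(value)
    return params

def remote_location(uri):
    """Return the off-host search location, or None if the search stays local."""
    params = parse_search_uri(uri)
    for crumb in params["crumbs"] if params else []:
        kind, _, target = crumb.partition(":")
        target = target.strip()
        if kind.lower() == "location" and REMOTE_LOCATION.match(target):
            return target
    return None

def flag_remote_searches(uris):
    """Return (uri, location) pairs for every URI that searches a network location."""
    return [(u, t) for u in uris if (t := remote_location(u))]

# Constructed samples (not observed indicators): local, UNC-style, WebDAV-style.
SAMPLE_URIS = [
    "search-ms:query=report&crumb=location:C:\\Users\\Public&displayname=Local",
    "search-ms:query=invoice&crumb=location:\\\\203.0.113.5@80\\share&displayname=Downloads",
    "search:query=notes&crumb=location%3Ahttp%3A%2F%2F198.51.100.7%2Fdav&displayname=Files",
]

if __name__ == "__main__":
    for uri, target in flag_remote_searches(SAMPLE_URIS):
        print(f"remote search location {target!r} in {uri}")
```

The `displayname` field is what the victim sees as the folder title in Explorer, so a benign-looking name paired with a remote location is the combination worth alerting on.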
Victims of the attack include individuals from the same countries as the impersonated government and NGO agencies, including Argentina, Ukraine, Georgia, Belarus, Kazakhstan, Poland, Armenia, Azerbaijan, and the United States. The malware deployed includes MASEPIE, OCEANMAP, and STEELHOOK, which are designed to extract files, execute arbitrary commands, and steal browser data.
IBM’s X-Force notes that ITG05 continues to adapt its tactics to stay ahead of detection, using new infection methods and leveraging commercial infrastructure while constantly updating its malware capabilities. This highlights the importance of remaining vigilant against phishing attacks and ensuring that security measures are up to date.