By clicking “Accept All Cookies”, you agree to the storing of cookies on your device to enhance site navigation, analyze site usage, and assist in our marketing efforts. View our Privacy Policy for more information.
Articles

Innovative Phishing Strategy Employed by Russian Cyber Group Targets Global Audience via Microsoft Windows Feature

March 20, 2024
A Russian cyber group, known as APT28, Fancy Bear, and others, used a Windows feature to spread malware globally, IBM's X-Force reports. Between November and February, they mimicked organizations in emails with malicious PDFs, targeting Europe, the South Caucasus, Central Asia, and the Americas.

A renowned Russian cyber group, identified by multiple aliases including APT28, Fancy Bear, Forest Blizzard, and ITG05, has recently been spotlighted for exploiting a legitimate feature within Microsoft Windows to disseminate infostealers among other malicious software, affecting users globally. This alarming development was detailed in a recent analysis by the cybersecurity division of IBM, known as X-Force. The analysis covers the group's activities from November of the previous year to February of the current year.

This cyber campaign ingeniously impersonates government and non-governmental organizations spanning across Europe, the South Caucasus, Central Asia, and the Americas, engaging victims through seemingly benign emails. These emails are particularly deceptive as they contain weaponized PDF attachments.

Exploitation of Windows Search Protocols for Malware Deployment

The malicious PDFs include URLs directing to compromised websites that manipulate the "search-ms:" URI protocol handler and the "search:" application protocol within Windows. These features are designed to facilitate local searches on a device and to invoke the desktop search application, respectively. However, in this nefarious context, they lead victims to perform searches on attacker-controlled servers, presenting malware in the guise of PDF files via Windows Explorer. Victims are then coaxed into downloading and executing these files.

Compromised Infrastructure and Malware Deployment

The attack infrastructure relies on WebDAV servers, likely situated on compromised Ubiquiti routers previously linked to a botnet allegedly dismantled by U.S. authorities last month, as reported by The Hacker News. Although the specific targets of these attacks have not been disclosed, the countries of the impersonated government and NGO entities include Argentina, Ukraine, Georgia, Belarus, Kazakhstan, Poland, Armenia, Azerbaijan, and the U.S., suggesting a widespread geographical impact.

The malware variants identified in these attacks, namely MASEPIE, OCEANMAP, and STEELHOOK, are equipped to steal files, execute commands remotely, and pilfer browser data. The adaptability and evolving nature of ITG05's tactics underscore a continuous threat landscape, as noted by IBM's X-Force. The group's ability to modify its attack methodologies and leverage available commercial infrastructure while enhancing its malware capabilities poses a significant challenge to cybersecurity defenses worldwide.

At Peris.ai Cybersecurity, we emphasize the importance of vigilance and advanced protective measures against such sophisticated cyber threats. Staying informed about the latest cyberattack strategies is crucial for safeguarding sensitive information and maintaining digital security.

There are only 2 type of companies:
Those that have been hacked, and
those who don't yet know they have been hacked.
Protect Your Valuable Organization's IT Assets & Infrastructure NOW
Request a Demo
See how it works and be amaze.
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
Interested in becoming our partner?
BECOME A PARTNER