According to a report of Ukraine's Computer Emergency Response Team (UA-CERT) published on December 28, 2023, the Russian state-sponsored advanced persistent threat actor APT28 (a.k.a. "Fancy Bear") has been deploying novel malware in its long term espionage campaign targeting Ukraine alongside NATO countries as well as a number of non-NATO countries (Jordan and United Arab Emirates).
The events reported on December 28 occurred earlier between December 15 and 25. There were already reports of APT28 being actively engaged in exploitation of CVE-2023-23397 - a Microsoft Outlook critical vulnerability - to obtain foothold on the targeted network.
According to the report, the UA-CERT observed the following infection chain:
Delivery takes place via phishing emails containing a malicious link directing victims to an attacker-controlled web resource where a malicious JavaScript runs. The latter downloads a shortcut file (LNK) which, in turn, is responsible to launch PowerShell and execute commands that download a Python-based malware dubbed "MASEPIE"
MASEPIE writes to the registry a link shortcut ("SystemUpdate.lnk"), which enables persistence. The novel MASEPIE malware serves as an access broker for downloading further malware.
Additional malware that has been observed in these events includes the following:
STEELHOOK - a PowerShell script with capability to compromise Chrome browser data. STEELHOOK is likely to serve the purpose to compromise credentials and sensitive information which may be used in further attacks.
OCEANMAP - a backdoor which abuses IMAP protocol to create draft emails that store commands that are executed via cmd.exe.
Tooling for network reconnaissance and lateral movement such as IMPACKET and SMBEXEC.
Earlier this year, in September 2023, ART28 targeted a critical energy infrastructure facility in Ukraine. Additionally, in July 2023, CERT-UA detected another cyber attack aimed at stealing the data of Ukrainians to gain unauthorized access to postal services.