Jump to content

Russian hacker group exploits Microsoft Windows feature in worldwide phishing attack

Recommended Posts


The infamous Russian hacking collective, known as APT28, is now using a legitimate Microsoft Windows feature to deploy infostealers and other malware to their victims. 

This is according to a new paper from IBM’s cybersecurity arm, X-Force, which claims the campaign has been active between November last year, and February this year, The Hacker News reports. 

As per the report, the attackers (also known as Fancy Bear, Forest Blizzard, or ITG05) are impersonating government and NGO organizations in Europe, South Caucasus, Central Asia, and North and South America, reaching out to their victims via email. The emails contain weaponized PDF files.

Stealing sensitive information

The PDFs come with URLs that lead to compromised websites, which can abuse the “search-ms:” URI protocol handler, as well as the “search:” application protocol. The handler allows apps and HTML links to launch custom local searches on a device, whale the protocol serves as a mechanism for calling the desktop search application on Windows. 

As a result, the victims end up performing searches on an attacker-controlled server, and coming up with malware displayed in Windows Explorer. This malware is disguised as a PDF file, which the victims are invited to download and run.

The malware is hosted on WebDAV servers which themselves are most likely hosted on compromised Ubiquiti routers. These routers were part of a botnet what was apparently taken down by the U.S. government last month, The Hacker News reports. 

We don’t know who the victims are, but it’s safe to assume they’re from the same countries as the government and NGO agencies being impersonated in the attacks: Argentina, Ukraine, Georgia, Belarus, Kazakhstan, Poland, Armenia, Azerbaijan, and the U.S.

Those that fall for the trick end up installing MASEPIE, OCEANMAP, and STEELHOOK, malware designed to exfiltrate files, run arbitrary commands, and steal browser data. "ITG05 remains adaptable to changes in opportunity by delivering new infection methodologies and leveraging commercially available infrastructure, while consistently evolving malware capabilities," the researchers concluded.

More from TechRadar Pro

View the full article

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Create New...