
APT28 Phishing Campaigns Targeting Government Organizations in Europe and the Americas

APT28, a notorious advanced persistent threat group, has been identified as the perpetrator of multiple ongoing campaigns targeting government and non-governmental organizations across various regions globally. This group is also known by several aliases, including Blue Athena, BlueDelta, Fancy Bear, Fighting Ursa, Forest Blizzard, FROZENLAKE, Iron Twilight, Pawn Storm, Sednit, Sofacy, TA422, and UAC-028.

IBM X-Force has been closely monitoring this activity under the codename ITG05. Its research team has found that the group uses a range of lure documents that impersonate various organizations and industries, such as finance, critical infrastructure, executive engagements, , maritime security, healthcare, business, and defense industrial production, to lure victims into downloading .

The group's latest campaigns have been observed between late November 2023 and February 2024. The group has used the “search-ms:” URI protocol handler in Microsoft to trick victims into downloading hosted on actor-controlled WebDAV servers. These and MASEPIE C2 servers may be hosted on compromised Ubiquiti routers. It is worth noting that the U.S. government recently took down a of these routers.
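A defender can look for this pattern in HTML attachments, e-mail bodies or proxy logs. The following is an added example, not code from IBM X-Force or from this article: it pulls `search-ms:` URIs out of text and reports those whose search location points off the local machine. It assumes the common `crumb=location:` parameter form and the Windows WebDAV UNC notation (`\\host@SSL\DavWWWRoot\...`, `\\host@80\...`); the sample input and host names are constructed.

```python
import re
from urllib.parse import unquote

# search-ms: URIs embedded in HTML, e-mail bodies or proxy log lines.
SEARCH_URI = re.compile(r"search-ms:[^\s\"'<>]+", re.IGNORECASE)
# UNC or URL location: optional scheme, \\host, optional @SSL / @port suffix.
UNC = re.compile(r"^(?:[a-z]+:)?\\\\([^\\@]+)(@[^\\]*)?(?:\\|$)", re.IGNORECASE)

# Constructed sample: an HTML lure, a proxy log line, and a benign local search.
SAMPLE = r'''
<a href="search-ms:query=Report&amp;crumb=location:\\files.example.test@SSL\DavWWWRoot\docs&amp;displayname=Downloads">Open</a>
GET /r?u=search-ms:query=invoice&crumb=location:%5C%5C203.0.113.10%4080%5Cshare&displayname=Documents
<a href="search-ms:query=notes&crumb=location:C:\Users\Public\Documents">local search</a>
'''

def parse_search_ms(uri):
    """Split one search-ms: URI into display name and crumb locations."""
    info = {"displayname": None, "locations": []}
    for part in uri.split(":", 1)[1].split("&"):
        key, _, value = part.partition("=")
        value = unquote(value)  # decode after splitting so %26 cannot add fields
        if key.lower() == "crumb" and value.lower().startswith("location:"):
            info["locations"].append(value[len("location:"):])
        elif key.lower() == "displayname":
            info["displayname"] = value
    return info

def remote_host(location):
    """Return (host, looks_like_webdav) for an off-box location, else None."""
    m = UNC.match(location.replace("/", "\\"))
    if not m:
        return None  # drive-letter or relative path: local search scope
    webdav = bool(m.group(2)) or "davwwwroot" in location.lower()
    return m.group(1).lower(), webdav

def find_remote_search_ms(text):
    """List search-ms: URIs in text whose search scope is a remote server."""
    findings = []
    for uri in SEARCH_URI.findall(text.replace("&amp;", "&")):
        info = parse_search_ms(uri)
        for loc in info["locations"]:
            hit = remote_host(loc)
            if hit:
                findings.append({"host": hit[0], "webdav": hit[1],
                                 "displayname": info["displayname"], "location": loc})
    return findings

if __name__ == "__main__":
    for f in find_remote_search_ms(SAMPLE):
        print(f)
```

The display name is worth recording alongside the host because it is the label the victim sees on the Explorer search window.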

APT28 attacks impersonate entities from several countries, including Argentina, Ukraine, Georgia, Belarus, Kazakhstan, Poland, Armenia, Azerbaijan, and the U.S. The group has utilized a mix of authentic publicly available government and non-government lure documents to activate the infection chains. Furthermore, the group has updated its methodologies, using the freely available provider firstcloudit[.]com to stage payloads and enable ongoing operations.

The final stage of the attack involves the execution of such as MASEPIE, OCEANMAP, and STEELHOOK, designed to exfiltrate files, run arbitrary commands, and steal browser data. Notably, OCEANMAP is a more capable version of CredoMap, another backdoor previously used by APT28.

Despite efforts to take down its infrastructure, APT28 remains a persistent threat that adapts to changes in opportunity, using commercially available infrastructure and tactics to continue its operations. Organizations need to stay vigilant and take the necessary steps to protect their networks from such threats.

Deitasoft © 2024. All Rights Reserved.