Subj : Russian hacker group exploits Microsoft Windows feature in worldw
To   : All
From : TechnologyDaily
Date : Mon Mar 18 2024 12:15:06

Russian hacker group exploits Microsoft Windows feature in worldwide phishing 
attack

Date:
Mon, 18 Mar 2024 12:00:09 +0000

Description:
APT28 is back, impersonating NGOs from all over the world to deploy 
infostealers and other malware.

FULL STORY
======================================================================

The infamous Russian hacking collective, known as APT28, is now using a 
legitimate Microsoft Windows feature to deploy infostealers and other malware 
to their victims. 

This is according to a new paper from IBMs cybersecurity arm, X-Force, which 
claims the campaign has been active between November last year, and February 
this year, The Hacker News reports. 

As per the report, the attackers (also known as Fancy Bear, Forest Blizzard, 
or ITG05) are impersonating government and NGO organizations in Europe, South 
Caucasus, Central Asia, and North and South America, reaching out to their 
victims via email. The emails contain weaponized PDF files. Stealing 
sensitive information 

The PDFs come with URLs that lead to compromised websites, which can abuse 
the search-ms: URI protocol handler, as well as the search: application 
protocol. The handler allows apps and HTML links to launch custom local 
searches on a device, whale the protocol serves as a mechanism for calling 
the desktop search application on Windows. 

As a result, the victims end up performing searches on an attacker-controlled 
server, and coming up with malware displayed in Windows Explorer. This 
malware is disguised as a PDF file, which the victims are invited to download 
and run. 

The malware is hosted on WebDAV servers which themselves are most likely 
hosted on compromised Ubiquiti routers. These routers were part of a botnet 
what was apparently taken down by the U.S. government last month, The Hacker 
News reports. 

We dont know who the victims are, but its safe to assume theyre from the same 
countries as the government and NGO agencies being impersonated in the 
attacks: Argentina, Ukraine, Georgia, Belarus, Kazakhstan, Poland, Armenia, 
Azerbaijan, and the U.S. 

Those that fall for the trick end up installing MASEPIE, OCEANMAP, and 
STEELHOOK, malware designed to exfiltrate files, run arbitrary commands, and 
steal browser data. "ITG05 remains adaptable to changes in opportunity by 
delivering new infection methodologies and leveraging commercially available 
infrastructure, while consistently evolving malware capabilities," the 
researchers concluded. More from TechRadar Pro Russian hackers are exploiting 
edge routers to launch major new cyberattacks Here's a list of the best 
firewalls around today These are the best endpoint security tools right now



======================================================================
Link to news story:
https://www.techradar.com/pro/security/russian-hacker-group-exploits-microsoft
-windows-feature-in-worldwide-phishing-attack


--- Mystic BBS v1.12 A47 (Linux/64)
 * Origin: tqwNet Technology News (1337:1/100)

.