Ukraine is currently facing a new cyberattack approach orchestrated by Russian military intelligence (GRU) linked hackers, with a specific focus on local government entities. The Computer Emergency Response Team of Ukraine (CERT-UA) recently unveiled an advanced phishing campaign carried out by the Russian GRU-linked APT28, also known as “Fancy Bear.” This campaign introduces a unique strategy where attackers entice recipients to execute malicious PowerShell commands directly from their clipboard, a method that requires minimal engagement from the victim.
The emails identified by CERT-UA were discovered circulating within local government offices under the subject line “Table Replacement.” Instead of conventional attachments, these emails contain a link that closely resembles a Google spreadsheet, aiming to deceive recipients. Upon clicking the link, users are met with an imitation of Google’s reCAPTCHA, a familiar sight for internet users designed to prevent automated bots. However, unlike the genuine reCAPTCHA process, this deceptive version performs a hidden action – it copies a malicious PowerShell command onto the user’s clipboard.
Subsequently, recipients are directed to execute the command by pressing “Win+R,” which opens the Windows Run dialog, followed by “Ctrl+V” to paste the command, and ultimately “Enter” to run it. Once executed, the payload is activated, compromising the system. This tactic underscores APT28’s adeptness at exploiting routine actions in everyday tasks to obscure malicious intent. By leveraging common user behaviors and trust in seemingly innocuous prompts such as bot verification, the attackers conceal their underlying scheme effectively.
Furthermore, the analysis conducted by CERT-UA unveils that the command sets off a sequence of downloading and executing operations. It triggers the launch of “browser.hta,” a malicious HTML application, which then executes “Browser.ps1,” a PowerShell script devised to extract data from prominent web browsers including Chrome, Edge, Opera, and Firefox. Additionally, the script employs an SSH tunnel for data exfiltration, enabling stolen credentials and other sensitive information to be transferred directly to the attackers. Of particular concern is the script’s ability to download and run the Metasploit framework, a tool widely used in penetration testing but increasingly favored by threat actors.
This recent cyberattack represents an extension of APT28’s arsenal of sophisticated techniques targeting Ukrainian entities. In a report issued by CERT-UA in September, the group utilized a Roundcube email vulnerability (CVE-2023-43770) to redirect email data, showcasing their evolving and expansive approach to cyber operations. Exploiting this vulnerability allowed the attackers to insert a filter that automatically forwarded emails to an address controlled by the threat actors. During this incident, CERT-UA identified at least ten compromised government email accounts that were leveraged to transmit further exploits to Ukrainian defense contacts.
In both instances, APT28 operated through a compromised server, mail.zhblz[.]com, for control purposes. The IP associated with this server (203.161.50[.]145) has been linked to previous campaigns, indicating APT28’s adaptive operational infrastructure aimed at evading detection while ensuring consistent capabilities across successive attacks. Given the persistent threat posed by APT28, CERT-UA has advised government agencies to remain vigilant against increasingly targeted spear-phishing campaigns designed to exploit user trust and routine tasks.
In an effort to bolster cybersecurity defenses and preempt potential attacks, CERT-UA has shared a list of Indicators of Compromise (IoC). These IoCs offer essential information such as file hashes, network indicators, and host locations associated with the recent cyber incidents. By vigilantly monitoring and responding to these IoCs, organizations can enhance their threat detection capabilities and mitigate potential risks posed by sophisticated threat actors like APT28.
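The process chain CERT-UA describes (a shell launched from the Run dialog, “browser.hta” executed by mshta, “Browser.ps1” run from it, and an outbound SSH tunnel) can be expressed as a handful of detection rules over endpoint telemetry. The following is an added example written for this page, not code from CERT-UA or from the article; it assumes a Sysmon-like export in `key=value` form, the log lines are constructed for the example, and the only values taken from the page are the two indicators mail.zhblz[.]com and 203.161.50[.]145 (written undefanged so they compare against log fields).

```python
import re
from typing import Dict, List

# Indicators quoted in the article, undefanged for comparison against log fields.
IOC_DOMAINS = {"mail.zhblz.com"}
IOC_IPS = {"203.161.50.145"}

# Constructed Sysmon-style records (ProcessCreate / DnsQuery / NetworkConnect).
# The command lines are placeholders modelled on the chain the article describes;
# they are not captured telemetry.
SAMPLE_LOG = r"""
ts=2024-10-01T09:13:44Z event=ProcessCreate pid=5208 image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe parent=C:\Windows\explorer.exe cmd="powershell -w hidden -c <pasted-command-constructed>"
ts=2024-10-01T09:13:45Z event=ProcessCreate pid=5300 image=C:\Windows\System32\mshta.exe parent=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmd="mshta.exe C:\Users\victim\AppData\Local\Temp\browser.hta"
ts=2024-10-01T09:13:47Z event=ProcessCreate pid=5388 image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe parent=C:\Windows\System32\mshta.exe cmd="powershell.exe -ExecutionPolicy Bypass -File C:\Users\victim\AppData\Local\Temp\Browser.ps1"
ts=2024-10-01T09:13:49Z event=DnsQuery pid=5388 image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe query=mail.zhblz.com
ts=2024-10-01T09:13:50Z event=NetworkConnect pid=5388 image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe dst=203.161.50.145 dport=22
ts=2024-10-01T10:00:00Z event=ProcessCreate pid=6000 image=C:\Windows\System32\notepad.exe parent=C:\Windows\explorer.exe cmd="notepad.exe notes.txt"
ts=2024-10-01T10:00:05Z event=NetworkConnect pid=6100 image=C:\Program Files\Google\Chrome\Application\chrome.exe dst=142.250.0.1 dport=443
"""

# key=value pairs; a value is either a double-quoted string or a run of non-space characters.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}


def parse_line(line: str) -> Dict[str, str]:
    """Turn one key=value record into a dict (empty dict for blank lines)."""
    return {k: (q if q else u) for k, q, u in FIELD_RE.findall(line)}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(log_text: str) -> List[str]:
    """Return one alert string per record that matches a stage of the described chain."""
    alerts: List[str] = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        ts = rec.get("ts", "?")
        ev = rec.get("event")
        img = basename(rec.get("image", ""))
        parent = basename(rec.get("parent", ""))
        cmd = rec.get("cmd", "")
        if ev == "ProcessCreate":
            # Stage 1: a shell whose parent is explorer.exe, which is what a
            # command typed (or pasted) into the Run dialog looks like.
            if img in SHELLS and parent == "explorer.exe":
                alerts.append(f"{ts} {img} spawned by explorer.exe (Run-dialog style launch): {cmd}")
            # Stage 2: an HTML application being executed (browser.hta in the report).
            if img == "mshta.exe" or ".hta" in cmd.lower():
                alerts.append(f"{ts} HTA execution: {cmd}")
            # Stage 3: mshta handing off to PowerShell with a script file (Browser.ps1).
            if parent == "mshta.exe" and img in SHELLS and ".ps1" in cmd.lower():
                alerts.append(f"{ts} PowerShell script launched from mshta.exe: {cmd}")
        elif ev == "DnsQuery":
            if rec.get("query", "").lower() in IOC_DOMAINS:
                alerts.append(f"{ts} DNS lookup of known C2 domain {rec['query']} by {img}")
        elif ev == "NetworkConnect":
            dst = rec.get("dst", "")
            if dst in IOC_IPS:
                alerts.append(f"{ts} connection to known C2 address {dst}:{rec.get('dport', '?')} by {img}")
            elif rec.get("dport") == "22" and img in SHELLS:
                # The reported exfiltration path is an SSH tunnel; a shell opening
                # port 22 directly is unusual on most workstations.
                alerts.append(f"{ts} outbound SSH from {img} to {dst}")
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Run against the constructed records above, the five malicious events each raise one alert and the two benign records raise none. Stage 1 on its own is deliberately weak (users do launch cmd.exe from the Run dialog); it is the sequence of stages within a short window on one host, plus a hit on the published indicators, that makes the finding actionable, so in production these rules belong in a correlation search rather than as independent alerts.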
With the threat landscape evolving and cyber threats becoming increasingly sophisticated, it is imperative for organizations to prioritize cybersecurity measures and remain proactive in safeguarding their digital assets and sensitive information. By staying abreast of emerging cyber threats and adopting robust security practices, entities can effectively defend against malicious activities and safeguard their operations from cyber adversaries.
