New malware found in analysis of Russian hacks on Ukraine, Poland

Avatar

Researchers have discovered a new cyber operation against Ukrainian and Polish organizations, attributing it to the Russian state-controlled hacker group known as Fancy Bear.

During the attacks in December, Russian hackers sent phishing emails to their victims with malicious attachments. Once opened, these attachments infected targeted devices with the novel Masepie malware, according to a report from Ukraine’s computer emergency response team (CERT-UA).

The malware, written in the Python programming language, can upload files and execute commands, researchers said. In the latest campaign, the hackers used it to upload data-stealing malware called Steelhook, which targets web browsers, and a backdoor called Oceanmap, which leverages email software.

After the initial compromise, hackers also integrate open-source tools like Impacket and Smbexec into the system to perform reconnaissance. These tools are commonly used in penetration testing and ethical hacking to understand and exploit network vulnerabilities. However, they could also be misused by hackers for malicious purposes.

Researchers said that the hackers’ goal in this campaign was not to infect just one computer but to expand the attack to the entire network of the organization.

In Ukraine, the group’s victims included unnamed government agencies. Poland’s cyber agency hasn’t responded to a request for comment.

In 2023 alone, Fancy Bear, also known as APT28, targeted Ukrainian energy facilities, government agencies, and the military. France also accused the hackers of spying on French universities, businesses and think tanks.

The group is linked to Russia’s military intelligence agency (GRU) and primarily attacks government, energy, transportation and nongovernmental organizations in the U.S., Europe, and the Middle East.

The hackers commonly exploit publicly available vulnerabilities such as Microsoft Outlook flaws or a popular file archiver utility for Windows called WinRAR.

Earlier in December, the Polish cybersecurity agency said that Fancy Bear exploited the Microsoft Outlook vulnerability to gain access to mailboxes containing “high-value information.”

Nation-stateGovernmentBriefsMalware
Get more insights with the

Recorded Future

Intelligence Cloud.

Learn more.

No previous article

No new articles

Daryna Antoniuk
is a freelance reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.

 

Total
0
Shares
Leave a Reply

Your email address will not be published. Required fields are marked *

Previous Post

Cyberattack on Massachusetts hospital disrupted records system, emergency services

Next Post

After ransomware claims, Xerox says subsidiary hit with cyberattack

Related Posts

Mastodon Vulnerability Allows Hackers to Hijack Any Decentralized Account

The decentralized social network Mastodon has disclosed a critical security flaw that enables malicious actors to impersonate and take over any account. "Due to insufficient origin validation in all Mastodon, attackers can impersonate and take over any remote account," the maintainers said in a terse advisory. The vulnerability, tracked as CVE-2024-23832, has a severity rating of 9.4 out of
Avatar
Read More

OfflRouter Malware Evades Detection in Ukraine for Almost a Decade

Select Ukrainian government networks have remained infected with a malware called OfflRouter since 2015. Cisco Talos said its findings are based on an analysis of over 100 confidential documents that were infected with the VBA macro virus and uploaded to the VirusTotal malware scanning platform. "The documents contained VBA code to drop and run an executable with the name 'ctrlpanel.exe,'"
Avatar
Read More