Hackers Use Compromised Routers to Attack Government Organizations

by admin
Feb 1, 2024
in News

Attackers continue to use compromised routers as malicious infrastructure to target government organizations in Europe and the Caucasus region.

APT28 threat actors (also known as Sofacy, Fancy Bear, etc.) were behind this malicious espionage effort, according to the Ukrainian government’s computer emergency and incident response team (CERT-UA).

The spear-phishing campaign tricked users into visiting a remote HTML page and opening a Windows shortcut, which was used to deliver a credential stealer (STEELHOOK), remote execution tools (MASEPIE, OCEANMAP), and a publicly available reconnaissance and credential-harvesting toolkit (Impacket).

“We believe with high confidence that the malicious infrastructure leveraged in this campaign is notably (and likely mainly) built from legitimate compromised Ubiquiti network devices,” HarfangLab shared with Cyber Security News.

How is the Attack Executed?

The threat actor delivered phishing emails to the designated individuals using previously hacked email accounts. The links in the phishing emails led to malicious webpages that tricked the targets into clicking a button to display a document by showing them a blurry preview.

Blurred document on a malicious Web page

The document images served by these malicious websites displayed the following titles:

  • Official Information of Azerbaijan Defense Ministry;
  • Holidays and Observances in Ukraine 2024;
  • KFP.311.152.2023 (from “Państwowe Gospodarstwo Wodne Wody Polskie,” the Polish national water administration);
  • “Рекомендації робочих груп експертів до Стратегії освіти і науки України” (in Ukrainian, approximately “Recommendations of the expert working groups on the education and science strategy of Ukraine”).

After clicking the link in the phishing email and then the button on the landing page, targets were shown a legitimate Windows Explorer window. This window typically contained an LNK file disguised as a document (using a document icon and a double extension).

If the target clicked on the displayed LNK, a malicious payload script (MASEPIE) and a Python interpreter would download and run, displaying a fake document.

A malicious Python script called MASEPIE allows for basic remote command execution and file sharing with compromised systems. It is first launched upon the click of a malicious LNK in the infection chain.
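The infection chain above leaves two observable traces on the endpoint: a shortcut whose name ends in a document extension followed by .lnk, and a Python interpreter running from a user-writable directory, typically spawned by Explorer when the shortcut is clicked. The following detector is an added example written for this article, not code from CERT-UA, HarfangLab or the campaign; the "key=value | key=value" telemetry format, the rule names, and all sample paths are constructed.

```python
import re

# Document extensions attackers pair with ".lnk" so the shortcut looks like a
# document (constructed list; the article only says "double-extension").
DOC_EXTS = "pdf|docx?|xlsx?|rtf|txt"
DOUBLE_EXT_LNK = re.compile(rf"\.(?:{DOC_EXTS})\.lnk$", re.IGNORECASE)
# User-writable directories a freshly downloaded interpreter would run from.
USER_WRITABLE = re.compile(r"\\(?:AppData|Temp|Downloads|Public)\\", re.IGNORECASE)
PY_INTERPRETER = re.compile(r"\\pythonw?[\d.]*\.exe$", re.IGNORECASE)

def parse_event(line: str) -> dict:
    # Constructed "key=value | key=value" telemetry line format.
    fields = {}
    for part in line.split(" | "):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields

def analyze_event(fields: dict) -> list:
    # Return the names of the rules this single event triggers.
    hits = []
    if fields.get("type") == "FileCreate":
        if DOUBLE_EXT_LNK.search(fields.get("target", "")):
            hits.append("lnk_masquerading_as_document")
    elif fields.get("type") == "ProcessCreate":
        image, parent = fields.get("image", ""), fields.get("parent", "")
        if PY_INTERPRETER.search(image) and USER_WRITABLE.search(image):
            hits.append("python_from_user_writable_path")
        if PY_INTERPRETER.search(image) and parent.lower().endswith("\\explorer.exe"):
            hits.append("python_spawned_by_explorer")
    return hits

def scan(lines: list) -> list:
    # (line_no, rules) for every event that triggers at least one rule.
    results = []
    for n, line in enumerate(lines, 1):
        hits = analyze_event(parse_event(line))
        if hits:
            results.append((n, hits))
    return results

# Constructed sample telemetry; every path and file name here is made up.
SAMPLE_EVENTS = [
    r"type=FileCreate | image=C:\Windows\explorer.exe | target=C:\Users\alice\Downloads\Offer_2024.pdf.lnk",
    r"type=ProcessCreate | image=C:\Users\alice\AppData\Local\Temp\py\python.exe | parent=C:\Windows\explorer.exe",
    r"type=ProcessCreate | image=C:\Program Files\Python311\python.exe | parent=C:\Windows\System32\cmd.exe",
    r"type=FileCreate | image=C:\Windows\explorer.exe | target=C:\Users\alice\Downloads\report.lnk",
]
```

Calling `scan(SAMPLE_EVENTS)` flags only the first two events; the interpreter installed under Program Files and launched from cmd.exe, and the single-extension shortcut, pass silently.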

OCEANMAP is a malicious C#/.NET program that uses email as its C2 channel and enables remote command execution on targeted computers. Researchers could not directly tie OCEANMAP to this campaign; they believe a binary of this kind would have been used as a second stage of a MASEPIE infection.

Researchers found that compromised Ubiquiti network devices were being used as reverse proxies, command and control servers, and staging infrastructure for the infection files.

Researchers conclude with medium to high confidence that this campaign is being carried out to further Russian goals, while noting that non-state and/or non-Russian groups may still be the ones operating it.

Read the full article here
