Get all your news in one place.

100’s of premium titles.
One app.

Get all your news in one place.

100’s of premium titles. One news app.

TechRadar

Sead Fadilpašić

Russian hacker group exploits Microsoft Windows feature in worldwide phishing attack

Microsoft Windows X (Organization) United States The Hacker News

A white padlock on a dark digital background.

The infamous Russian hacking collective, known as APT28, is now using a legitimate Microsoft Windows feature to deploy infostealers and other malware to their victims.

A new paper from IBM’s cybersecurity arm, X-Force claims the campaign has been active between November last year, and February this year.

As per the report, the attackers (also known as Fancy Bear, Forest Blizzard, or ITG05) are impersonating government and NGO organizations in Europe, South Caucasus, Central Asia, and North and South America, reaching out to their victims via email. The emails contain weaponized PDF files.

Stealing sensitive information

The PDFs come with URLs that lead to compromised websites, which can abuse the “search-ms:” URI protocol handler, as well as the “search:” application protocol. The handler allows apps and HTML links to launch custom local searches on a device, whale the protocol serves as a mechanism for calling the desktop search application on Windows.

As a result, the victims end up performing searches on an attacker-controlled server, and coming up with malware displayed in Windows Explorer. This malware is disguised as a PDF file, which the victims are invited to download and run.

The malware is hosted on WebDAV servers which themselves are most likely hosted on compromised Ubiquiti routers. These routers were part of a botnet what was apparently taken down by the U.S. government last month, The Hacker News reports.

We don’t know who the victims are, but it’s safe to assume they’re from the same countries as the government and NGO agencies being impersonated in the attacks: Argentina, Ukraine, Georgia, Belarus, Kazakhstan, Poland, Armenia, Azerbaijan, and the U.S.

Those that fall for the trick end up installing MASEPIE, OCEANMAP, and STEELHOOK, malware designed to exfiltrate files, run arbitrary commands, and steal browser data. "ITG05 remains adaptable to changes in opportunity by delivering new infection methodologies and leveraging commercially available infrastructure, while consistently evolving malware capabilities," the researchers concluded.

Via The Hacker News

More from TechRadar Pro

Russian hackers are exploiting edge routers to launch major new cyberattacks
Here's a list of the best firewalls around today
These are the best endpoint security tools right now

Sign up to read this article

Read news from 100’s of titles, curated specifically for you.

Already a member? Sign in here

Top stories on inkl right now

Matthew Perry’s doctor pleads guilty in connection to Friends star’s fatal drug overdose

Matthew Perry’s doctor pleads guilty in connection to Friends star’s fatal drug overdose

Dr Mark Chavez, of San Diego, entered the guilty plea on Wednesday in a federal court in Los Angeles

The Independent UK

TfL has 'no proposals' to widen Clapham Tube platforms despite safety concerns

TfL has 'no proposals' to widen Clapham Tube platforms despite safety concerns

The platforms are just 3.7 metres wide - but TfL has concluded that widening them would consume too much time and money

Evening Standard

Human remains that were a mystery for 47 years now identified as victim of America’s worst serial killer

Human remains that were a mystery for 47 years now identified as victim of America’s worst serial killer

Leola Etta Bryant was last seen in 1974 at a South Carolina bar where Samuel Little later confessed to meeting the woman before killing her

The Independent UK

Hurricane Helene leaves thousands without clean water in its wake

Hurricane Helene leaves thousands without clean water in its wake

Damage to sewage systems and pipes means widespread boil water notices and conservation orders could last weeks

The Guardian - US

One subscription that gives you access to news from hundreds of sites

Already a member? Sign in here

Mark Robinson skipped vote to declare Hurricane Helene a state of emergency

Mark Robinson skipped vote to declare Hurricane Helene a state of emergency

North Carolina lieutenant governor who’s been criticized for alleged explicit posts was the only member to not vote

The Guardian - US

Republicans vexed as Senate challengers fall behind Trump in polls

Republicans vexed as Senate challengers fall behind Trump in polls

GOP lawmakers had reportedly told donors weeks ago that Senate was all but guaranteed for them

The Guardian - US

Related Stories

Top stories on inkl right now

Matthew Perry’s doctor pleads guilty in connection to Friends star’s fatal drug overdose

Matthew Perry’s doctor pleads guilty in connection to Friends star’s fatal drug overdose

Dr Mark Chavez, of San Diego, entered the guilty plea on Wednesday in a federal court in Los Angeles

The Independent UK

TfL has 'no proposals' to widen Clapham Tube platforms despite safety concerns

TfL has 'no proposals' to widen Clapham Tube platforms despite safety concerns

The platforms are just 3.7 metres wide - but TfL has concluded that widening them would consume too much time and money

Evening Standard

Human remains that were a mystery for 47 years now identified as victim of America’s worst serial killer

Human remains that were a mystery for 47 years now identified as victim of America’s worst serial killer

Leola Etta Bryant was last seen in 1974 at a South Carolina bar where Samuel Little later confessed to meeting the woman before killing her

The Independent UK

Hurricane Helene leaves thousands without clean water in its wake

Hurricane Helene leaves thousands without clean water in its wake

Damage to sewage systems and pipes means widespread boil water notices and conservation orders could last weeks

The Guardian - US

One subscription that gives you access to news from hundreds of sites

Already a member? Sign in here

Mark Robinson skipped vote to declare Hurricane Helene a state of emergency

Mark Robinson skipped vote to declare Hurricane Helene a state of emergency

North Carolina lieutenant governor who’s been criticized for alleged explicit posts was the only member to not vote

The Guardian - US

Republicans vexed as Senate challengers fall behind Trump in polls

Republicans vexed as Senate challengers fall behind Trump in polls

GOP lawmakers had reportedly told donors weeks ago that Senate was all but guaranteed for them

The Guardian - US

Our Picks

You can own one of Tom Brady’s watches—if you’re willing to shell out up to $800,000

The seven-time Super Bowl–winning quarterback's Sotheby’s auction begins in December.

From "Orphan X" to AI

Despite advancements in AI, authentic connection through shared narratives is what truly resonates with readers

Google’s AI podcast hosts have existential crisis when they find out they’re not real

Google's NotebookLM recently had to deal with finding out it was an AI. Here's what happened.

Unflappable Chanel in no hurry to find new designer amid continuity in Paris

Label doubles down on house codes as empty birdcage signals its last creative director – Virginie Viard – has flown

The Guardian - UK

The role alcohol plays in new cancer cases – landmark new report

A little bit of alcohol was once thought to be good for you. However, as scientific research advances, we’re gaining a clearer picture of alcohol’s effect on health – especially regarding cancer.

The Conversation

‘There Is No Cat In This Image’: This X Account Collects Pictures Of Very Well-Hidden Cats (101 New Pics)

"What was I thinking, a single woman with no children living in a big house on 6 acres?" she thought at the time. So she filled the property with hundreds of rescued cats. And proclaimed herself a "crazy cat lady". The post ‘There Is No Cat In This Image’: This…

Fourteen days free

Download the app

One app. One membership.
100+ trusted global sources.

Download on the AppStore

Get it on Google Play