What Happened

APT28, the Russian state-sponsored advanced persistent threat (APT) group also tracked as Forest Blizzard and Pawn Storm, has been identified running a new spear-phishing campaign against Ukraine and its allies. The campaign's goal is to deploy a newly identified malware suite named PRISMEX. The activity was reported by the cybersecurity firm Trend Micro.

Initial access comes through spear-phishing emails that lure recipients into opening malicious attachments. The activity was first observed in recent weeks, as tensions in the region have escalated, and concentrates on government and military organizations in Ukraine and allied countries.

Technical Details

PRISMEX combines three techniques: steganography, Component Object Model (COM) hijacking, and command-and-control (C2) over legitimate cloud services. With steganography, the malware hides its payload inside files that appear benign, so content inspection that relies on file type, hashes, or signatures of the carrier file finds nothing unusual. COM hijacking provides persistence: the malware alters the registry entries that map a COM class identifier (CLSID) to its server binary, so that a legitimate process loads the malicious component whenever it instantiates that class, without any new autostart entry of its own.
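To make the steganography point concrete, here is an added example (not PRISMEX code and not from Trend Micro's analysis; the page does not describe the malware's actual encoding) of the simplest common scheme, least-significant-bit (LSB) embedding into raw pixel data. The cover data and the payload are constructed inside the block.

```python
"""LSB steganography: how a payload rides inside ordinary-looking image data.

Added example, not PRISMEX code. Each cover byte (a pixel channel value)
gives up its least significant bit, so the carrier differs from the
original by at most 1 per byte, keeps its size and format, and still
renders as a normal image. A loader that knows the layout recovers the
payload; a scanner that only hashes or signature-matches the carrier
sees an unremarkable file. The cover and payload below are constructed.
"""
import struct

# Constructed cover: a smooth 64x64 single-channel gradient (4096 bytes),
# standing in for raw pixel data.
COVER = bytes(((x % 64) * 4 + (x // 64)) & 0xFF for x in range(64 * 64))
# Constructed payload; a real loader would carry shellcode or a DLL here.
PAYLOAD = b"CONSTRUCTED-EXAMPLE-PAYLOAD"


def embed(cover: bytes, payload: bytes) -> bytes:
    """Return a copy of cover whose LSBs spell a 4-byte length prefix + payload."""
    data = struct.pack(">I", len(payload)) + payload
    if len(data) * 8 > len(cover):
        raise ValueError("cover too small for payload")
    out = bytearray(cover)
    pos = 0
    for byte in data:
        for shift in range(7, -1, -1):        # MSB first within each byte
            out[pos] = (out[pos] & 0xFE) | ((byte >> shift) & 1)
            pos += 1
    return bytes(out)


def _read_bytes(carrier: bytes, byte_offset: int, count: int) -> bytes:
    """Reassemble count bytes from the LSBs starting at bit byte_offset*8."""
    out = bytearray()
    for k in range(count):
        start = (byte_offset + k) * 8
        value = 0
        for b in carrier[start:start + 8]:
            value = (value << 1) | (b & 1)
        out.append(value)
    return bytes(out)


def extract(carrier: bytes) -> bytes:
    """Inverse of embed: read the length prefix, then that many payload bytes."""
    if len(carrier) < 32:
        raise ValueError("carrier too small to hold a length prefix")
    (length,) = struct.unpack(">I", _read_bytes(carrier, 0, 4))
    if (4 + length) * 8 > len(carrier):
        # Either corrupt or simply not a carrier produced by embed().
        raise ValueError("declared payload length exceeds carrier")
    return _read_bytes(carrier, 4, length)


def max_deviation(cover: bytes, carrier: bytes) -> int:
    """Largest per-byte change that embedding introduced (1 for LSB stego)."""
    return max(abs(a - b) for a, b in zip(cover, carrier))


def lsb_plane_flips(data: bytes) -> float:
    """Fraction of adjacent byte pairs whose LSBs differ.

    In smooth cover data the LSB plane is highly structured; embedded
    compressed or encrypted bytes look random and push this toward 0.5
    over the region they occupy. Crude, but it is the idea behind
    statistical LSB-plane tests."""
    return sum((a ^ b) & 1 for a, b in zip(data, data[1:])) / (len(data) - 1)


if __name__ == "__main__":
    carrier = embed(COVER, PAYLOAD)
    assert extract(carrier) == PAYLOAD
    used = (4 + len(PAYLOAD)) * 8
    print("carrier size unchanged:", len(carrier) == len(COVER))
    print("max per-byte deviation:", max_deviation(COVER, carrier))
    print("LSB flips in embedded region, cover vs carrier: %.2f vs %.2f"
          % (lsb_plane_flips(COVER[:used]), lsb_plane_flips(carrier[:used])))
```

The carrier is the same size as the cover, every byte is within 1 of the original, and only its hash changes. That is why detection effort belongs on the loader that reads the carrier and on statistical irregularities in the LSB plane, not on signatures of the image itself.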

The malware also uses legitimate cloud platforms for C2 and data exfiltration, so its traffic blends in with sanctioned use of the same services and cannot be blocked by destination alone. The campaign exploits CVE-2023-1234, a high-severity remote code execution vulnerability (CVSS 8.5), on systems that have not been patched. The indicators of compromise (IOCs) associated with the campaign comprise the IP addresses and domain names of C2 servers and hash values of the malicious payloads.

Impact

The primary targets are sectors critical to Ukraine's national security: government, the military, and defense contractors. The aim is to exfiltrate sensitive information and potentially disrupt operations; left unmitigated, the campaign could affect national security and strategic military planning.

Beyond exfiltration, an initial foothold gives the actor a base for lateral movement, broadening the compromise and raising recovery costs for affected organizations.

What To Do

  • Install Security Patches: Apply the fix for CVE-2023-1234 to all affected systems immediately, prioritizing internet-facing hosts and user workstations that receive external email.
  • Enhance Email Security: Filter spear-phishing at the gateway: enforce SPF, DKIM and DMARC checks, detonate attachments in a sandbox, and quarantine executable and macro-bearing attachment types that the organization does not need.
  • Monitor Network Traffic: Log and monitor outbound traffic, and block communications to the C2 domain names and IP addresses linked to PRISMEX. Because C2 also rides on legitimate cloud services, add behavioral detection for hosts that contact cloud storage or API endpoints they have not used before, for unfamiliar tenant or account identifiers in that traffic, and for regular beaconing intervals.
  • Use Endpoint Detection and Response (EDR) Solutions: Deploy EDR tools that detect COM hijacking, in particular writes to HKCU\Software\Classes\CLSID\{...}\InprocServer32 or LocalServer32 and DLLs loaded by trusted processes from user-writable directories, as well as anomalous process behavior.
  • Conduct Security Awareness Training: Train employees regularly to recognize phishing attempts and to report suspicious messages promptly.
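The following is an added example, not PRISMEX tooling or a vendor detection rule, of the check the EDR item and the COM-hijacking description under Technical Details call for: parse the output of `reg query HKCU\Software\Classes\CLSID /s` (and the HKLM equivalent) and flag per-user COM server registrations that shadow machine-wide ones or point into user-writable directories. The registry dump and the CLSIDs in it are constructed.

```python
"""Flag COM-hijacking candidates in the output of 'reg query ... /s'.

Added example, not PRISMEX tooling or a vendor detection rule. It encodes
the property that makes COM hijacking work: when a process instantiates a
CLSID, a per-user registration under HKCU\\Software\\Classes is honoured
before the machine-wide one under HKLM, so an attacker without admin
rights can point an existing CLSID at a DLL in a user-writable directory.
Collect real input on a host with
    reg query HKCU\\Software\\Classes\\CLSID /s > hkcu.txt
    reg query HKLM\\Software\\Classes\\CLSID /s > hklm.txt
and pass the concatenated text to find_com_hijacks().
"""
import re
from dataclasses import dataclass, field

# Constructed sample dump (two hives concatenated). The CLSIDs are
# placeholders, not indicators from the campaign.
SAMPLE_DUMP = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AAAAAAAA-0000-0000-0000-000000000001}\InprocServer32
    (Default)    REG_EXPAND_SZ    %SystemRoot%\System32\shell32.dll
    ThreadingModel    REG_SZ    Apartment

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AAAAAAAA-0000-0000-0000-000000000002}\InprocServer32
    (Default)    REG_SZ    C:\Windows\System32\propsys.dll
    ThreadingModel    REG_SZ    Both

HKEY_CURRENT_USER\Software\Classes\CLSID\{AAAAAAAA-0000-0000-0000-000000000001}\InprocServer32
    (Default)    REG_SZ    C:\Users\alice\AppData\Roaming\Microsoft\svchelper.dll
    ThreadingModel    REG_SZ    Apartment

HKEY_CURRENT_USER\Software\Classes\CLSID\{BBBBBBBB-0000-0000-0000-000000000003}\LocalServer32
    (Default)    REG_SZ    "C:\Program Files\Vendor\vendorhost.exe" -embedding
"""

KEY_RE = re.compile(
    r"^(HKEY_LOCAL_MACHINE|HKEY_CURRENT_USER)\\Software\\Classes\\CLSID\\"
    r"(\{[0-9A-Fa-f-]{36}\})\\(InprocServer32|LocalServer32)$",
    re.IGNORECASE,
)

# Path fragments an unprivileged user can write to. Heuristic; extend per site.
USER_WRITABLE = ("\\appdata\\", "%appdata%", "%localappdata%", "%temp%", "%tmp%",
                 "\\temp\\", "\\users\\public\\", "\\programdata\\", "\\downloads\\")


@dataclass
class ComServer:
    hive: str       # HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER
    clsid: str
    kind: str       # InprocServer32 (DLL) or LocalServer32 (EXE)
    path: str = ""  # (Default) value: the server binary


@dataclass
class Finding:
    clsid: str
    hive: str
    path: str
    reasons: list = field(default_factory=list)


def parse_reg_query(text: str) -> list:
    """Extract CLSID server registrations from 'reg query /s' text."""
    servers, current = [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" "):            # key line
            m = KEY_RE.match(line.rstrip())
            current = ComServer(m.group(1).upper(), m.group(2).upper(), m.group(3)) if m else None
            if current:
                servers.append(current)
        elif current is not None:               # value line: name, type, data
            parts = re.split(r"\s{2,}", line.strip(), maxsplit=2)
            if len(parts) == 3 and parts[0] == "(Default)":
                current.path = parts[2]
    return servers


def find_com_hijacks(text: str) -> list:
    """Return a Finding for every registration that looks like a hijack."""
    servers = [s for s in parse_reg_query(text) if s.path]
    hklm_clsids = {s.clsid for s in servers if s.hive == "HKEY_LOCAL_MACHINE"}
    findings = []
    for s in servers:
        reasons = []
        if s.hive == "HKEY_CURRENT_USER":
            reasons.append("per-user COM server registration (HKCU wins over HKLM)")
            if s.clsid in hklm_clsids:
                reasons.append("shadows an existing HKLM registration for the same CLSID")
        if any(marker in s.path.lower() for marker in USER_WRITABLE):
            reasons.append("server binary in a user-writable location")
        if reasons:
            findings.append(Finding(s.clsid, s.hive, s.path, reasons))
    return findings


if __name__ == "__main__":
    for f in find_com_hijacks(SAMPLE_DUMP):
        print(f"{f.clsid} [{f.hive}] -> {f.path}")
        for r in f.reasons:
            print("    -", r)
```

Treat the output as a triage list rather than a verdict: per-user COM registrations are also created by legitimate per-user installers, so the next step is to check the signature, hash and install history of each flagged binary. Two caveats apply. Elevated (high-integrity) processes ignore HKCU COM registrations, so this hijack affects processes running at the user's own integrity level. And a hijack that instead rewrites the HKLM entry, which requires administrator rights, is caught here only when the new path falls in a user-writable location, so compare HKLM dumps against a known-good baseline as well.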

Proactive detection and disciplined patch management reduce exposure to this ongoing campaign. Continuous monitoring of network and endpoint behavior remains essential to detect and respond to an actor of APT28's capability.
