iscover
Share this article on:
Powered by
MOMENTUM
MEDIA
Security researchers have uncovered an ongoing campaign orchestrated by a Russian-backed threat actor looking to exfiltrate data from targets in Australia, Poland, and Belgium.
Zscaler’s ThreatLabz is calling the campaign Steal-It, which is a much more sanitised version of what the campaign may have been called, given the lures used by the threat actor.
Like many such campaigns, the infection chain begins with enticing a victim to open what appears to be an innocuous .zip archive, but which hides a malicious shortcut file. The .lnk file downloads and executes a customised version of a pen-testing PowerShell script – Nishang’s Start-CaptureServer.ps1 – which is designed to capture NTLMv2 hashes.
NTLMv2 hashes are used for authentication in Windows and are susceptible to dictionary and brute force attacks.
The original PowerShell is modified to remove comments, any detectable strings, and authentication capacity, making the PowerShell able to avoid detection. The PowerShell then uses another testing tool, MockBin, to exfiltrate the collected data.
What appears to make the campaign particularly effective is the initial lure, however – and there are multiple versions using multiple lures.
One lure is a .zip archive creatively called “best_tits.zip”, which contains a .lnk file called onlyfans.com-1.lnk. This version of the campaign actively targets users with the AU country code. Only if the target system is in Australia and running Windows does the infection chain trigger.
Another similar version of the campaign uses the promise of pornography to trick victims into triggering the infection chain. This one targets machines in Poland using a malicious archive called fansly.zip – Fansly is a site similar to OnlyFans – to entice its victims.
However, the campaign targeting Belgian machines does away with using porn to trick its victims. What that says about the threat actor’s views on Belgium, we can only guess.
Zscaler is reasonably certain the threat actor behind the campaign is the GRU-linked APT28, also known as Fancy Bear. The Steal-It operator’s observed techniques, tactics, and procedures match Fancy Bear’s, as does its technical aptitude.
“Zscaler ThreatLabz’s analysis of the stealing campaign named as ‘The Steal-It Campaign’ indicates their targeted geofencing strategy and sophisticated tactics,” ThreatLabz said in a blog post.
“For example, the threat actors’ custom PowerShell scripts and strategic use of LNK files within zip archives highlight their technical expertise.”
The victimology of this campaign is particularly impressive – who is going to want to admit to their CISO that they’ve been downloading porn during work time?
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.
Be the first to hear the latest developments in the cyber industry.
