APT28 Cyberattack: Msedge as a Bootloader, TOR, and Mockbin[.]org/Website[.]hook Services as a Control Center

Cyber Security Threat Summary:
The government computer emergency response team of Ukraine, CERT-UA, recorded a targeted cyber attack against a critical energy infrastructure facility in Ukraine. To implement the malicious plan, an e-mail message with a fake sender address and a link to an archive, for example, "photo.zip", was distributed. Visiting the link will download a ZIP archive containing three JPG images (decoys) and a BAT file "weblinks.cmd" to the victim's computer. Running the CMD file will open several decoy web pages, create ".bat" and ".vbs" files, and launch a VBS file that will in turn execute the BAT file. This will cause the URL to be accessed using Microsoft Edge in "headless" mode, resulting in a ".css" file being created on the computer in the "%USERPROFILE%\Downloads" directory, which will then be moved to the " %PROGRAMDATA%" with extension ".cmd", executed and deleted.

During the research, a CMD file designed to execute the "whoami" command and transmit the result using an HTTP GET request executed using the Microsoft Edge program in "headless" mode was downloaded to the computer. In the process of controlled emulation of the damage, it was additionally found out that the TOR program will be downloaded from the file[.]io file service on the victim's computer and "hidden" services will be created, designed to redirect information flows through the TOR network to the appropriate hosts of the local computer network, in particular, the controller domain (ports: 445, 389, 3389) and mail server (ports: 443, 445, 3389). In addition, a PowerShell script was used to obtain the hash of the account's password, which opens a socket and initiates an SMB connection to it using the "net use" command.

At the same time, remote execution of commands is implemented using "curl" through the API of the legitimate webhook.site service; persistence is ensured by creating scheduled tasks to run a VBS script with a BAT file as an argument. By restricting access to the web resources of the Mockbin service (mockbin[.]org, mocky[.]io) and blocking the launch of Windows Script Host (in particular, "wscript.exe") on the computer, the responsible employee of the mentioned critical energy infrastructure object managed to prevent a cyber attack. Note that in the context of detection and countermeasures, it is also advisable to pay attention to running "curl" and "msedge" with the "--headless=new" option.

It is obvious that in order to bypass protection means, attackers continue to use the functionality of regular programs (so-called LOLBAS - Living Off The Land Binaries, Scripts and Libraries), and to create a control channel, they abuse the corresponding services. The described activity is carried out by the APT28 group. At the same time, one of the first cases of using the Mockbin service was recorded in April 2023.

Security Officer Comments:
The analysis provides a detailed account of a sophisticated cyberattack by the APT28 group against a critical energy infrastructure facility. It highlights the attackers' use of various techniques, including email phishing, malware execution, TOR, and abuse of legitimate services, underscoring the ongoing challenges in cybersecurity and the need for vigilance in detecting and mitigating such threats.

Suggested Correction(s):
Users should always be cautious of individuals or organizations that ask for personal information. Most companies will not ask for sensitive data from its customers. If in doubt, users should verify with the company itself to avoid any potential issues.

Users should always take a close look at the sender’s display name when checking the legitimacy of an email. Most companies use a single domain for their URLs and emails, so a message that originates from a different domain is a red flag.

As a general rule, users should not click links or download files even if they come from seemingly “trustworthy” sources.

Check for mismatched URLs. While an embedded URL might seem perfectly valid, hovering above it might show a different web address. In fact, users should avoid clicking links in emails unless they are certain that it is a legitimate link.

Users should always be on the lookout for any grammatical errors and spelling mistakes. Legitimate companies will often employ proofreaders and editors who ensure that the materials they send out are error-free.

Users should not be frightened or intimidated by messages that have an alarmist tone. They should double check with the company if they are uncertain about the status of their accounts.

Phishing emails are designed to be sent to a large number of people, so they need to be as impersonal as possible. Users should check whether the message contains a generic subject and greeting, as this can be a sign of a phishing attempt.

Although not every end user has access to advanced anti-phishing software, they can still use the built-in protection of their email clients to filter messages. One example is setting the email client to block all images unless approved.

Legitimate companies will never send confirmation emails unless there are specific reasons for doing so. In fact, most companies will avoid sending unsolicited messages unless it’s for company updates, newsletters, or advertising purposes.

Users should always take the context of an email or message into account. For example, most online accounts do away with viewable member numbers, so users should be wary if they receive emails containing a “member number” for services that generally don’t use them.

It is important to take note of unusual information in the text of the message. Any mentions of operating systems and software that are not typically used by consumers can often be indicators of a phishing attempt.

If it seems suspicious, it probably is. Users should always err on the side of caution when it comes to sending out personally identifiable information through messages and emails.