Masepie

Malware updated 10 months ago (2024-11-29T13:36:26.750Z)

Download STIX

Preview STIX

MASEPIE is a malicious software (malware) first discovered in December 2023, which is capable of establishing persistence on Windows machines and executing arbitrary commands. It is described as a small Python backdoor that enables the downloading and uploading of files. When victims click to view lure documents on attacker-controlled sites, they download this backdoor. One of the files MASEPIE downloads to infected machines is "Oceanmap," a C#-based tool for command execution via the Internet Message Access Protocol (IMAP). Another payload associated with this campaign is "Steelhook," which has information-stealing functionality. The malware was directed by a botnet based on compromised Ubiquiti routers, evidence suggests that both the WebDAV servers and the MASEPIE C2 servers may have been hosted on these compromised routers. This botnet was taken down by the U.S. government in early 2024. Advanced Persistent Threat group APT28 targeted Ukrainian government entities and Polish organizations using phishing messages designed to deploy bespoke implants and information stealers like MASEPIE, OCEANMAP, and STEELHOOK. APT28’s elaborate scheme ends with the execution of MASEPIE, OCEANMAP, and STEELHOOK, which are designed to exfiltrate files, run arbitrary commands, and steal browser data. In an update to their methodologies, ITG05 is utilizing the freely available hosting provider, firstcloudit[.]com to stage payloads to enable ongoing operations. The cybersecurity researchers Joe Fasulo, Claire Zaboeva, and Golo Mühr have been closely following and analyzing these developments.

Description last updated: 2024-05-04T17:49:37.009Z

What's your take? (Question 1 of 5)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.

Alias Description	Votes
OCEANMAP is a possible alias for Masepie. OceanMap is a C#-based malware used by APT28, a Russia-linked group, as part of a sophisticated cyber attack campaign that started in 2020. The malware is designed to execute base64-encoded commands via cmd.exe, providing persistent and remote access to the targeted endpoint. Once a command is execu	4
Steelhook is a possible alias for Masepie. Steelhook is a malicious PowerShell script used by the Russia-linked Advanced Persistent Threat group, APT28, to steal sensitive information from compromised systems. The malware was discovered as part of a phishing campaign orchestrated by APT28, as reported by the Computer Emergency Response Team	4

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Backdoor

Windows

Malware

Decoy

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Associated Threat Actors

To see the evidence that has resulted in these threatActor associations, create a free account

Alias Description	Association Type	Votes
The APT28 Threat Actor is associated with Masepie. APT28, also known as Fancy Bear, Pawn Storm, Sofacy Group, Sednit, and STRONTIUM, is a threat actor linked to Russia. The group has been associated with cyber espionage campaigns across Central Asia and has historically targeted areas of national security, military operations, and geopolitical influ	Unspecified	2

Source Document References

Information about the Masepie Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
Recorded Future	a month ago	A Framework for Understanding and Anticipating Vladimir Putin’s Foreign Policy Actions
Securityaffairs	5 months ago	Russia-linked APT28 targets western logistics entities and technology firms
CISA	5 months ago	Russian GRU Targeting Western Logistics Entities and Technology Companies \| CISA
CERT-EU	2 years ago	Russian hackers unleash sophisticated phishing campaigns across the globe
CERT-EU	2 years ago	FBI Alert: Russian Hackers Target Ubiquiti Routers for Data, Botnet Creation
CERT-EU	2 years ago	Cybersecurity Agencies Warn Ubiquiti EdgeRouter Users of APT28's MooBot Threat \| #hacking \| #cybersecurity \| #infosec \| #comptia \| #pentest \| #ransomware \| National Cyber Security Consulting
CERT-EU	2 years ago	Russia-linked APT28 compromised Ubiquiti EdgeRouters to facilitate cyber operations
CERT-EU	2 years ago	Cyber Security Week In Review: December 29, 2023
BankInfoSecurity	2 years ago	Russian Military Intelligence Blamed for Blitzkrieg Hacks
CERT-EU	2 years ago	New malware found in analysis of Russian hacks on Ukraine, Poland \| #hacking \| #cybersecurity \| #infosec \| #comptia \| #pentest \| #hacker \| National Cyber Security Consulting
Securityaffairs	2 years ago	Russia's APT28 used new malware in a recent phishing campaign
CERT-EU	2 years ago	CERT-UA Uncovers New Malware Wave Distributing OCEANMAP, MASEPIE, STEELHOOK
CERT-EU	2 years ago	Ubiquiti owners warned Moscow may build another botnet
CERT-EU	2 years ago	APT28 is recruiting Ubiquiti EdgeRouters into botnets
DARKReading	2 years ago	Russian Intelligence Targets Victims Worldwide in Rapid-Fire Cyberattacks
CERT-EU	2 years ago	APT28 Hacker Group Targeting Europe, Americas, Asia in Widespread Phishing Scheme \| #hacking \| #cybersecurity \| #infosec \| #comptia \| #pentest \| #hacker \| National Cyber Security Consulting