OCEANMAP

Malware Profile Updated 2 months ago
OceanMap is a C#-based malware used by APT28, a Russia-linked threat group, as part of a sophisticated cyber attack campaign that started in 2020. The malware executes base64-encoded commands via cmd.exe, giving the operators persistent remote access to the targeted endpoint. Command execution is driven over the Internet Message Access Protocol (IMAP): once a command has run, OceanMap stores its result in the inbox directory, from which APT28 can clandestinely monitor the attack and adjust its strategy accordingly.

APT28 has targeted Ukrainian government entities and Polish organizations with phishing messages that deploy bespoke implants and information stealers, including MASEPIE, OCEANMAP, and STEELHOOK. In its latest campaign the group used previously undetected malware such as OCEANMAP to steal sensitive information from target networks, alongside STEELHOOK, a data-stealing payload that targets web browsers, and OCEANMAP itself, a backdoor that leverages email software. The Computer Emergency Response Team of Ukraine (CERT-UA) issued a warning about this new phishing campaign; among the files downloaded to infected machines during these attacks is "Oceanmap", a tool for command execution via IMAP.

The original variant of OceanMap had information-stealing functionality, but that capability has since been moved to a separate payload named "Steelhook" that is associated with the same campaign. This shift in tactics demonstrates the evolving nature of the threat posed by APT28.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID | Votes | Profile Description
Steelhook | 3 | Steelhook is a malicious PowerShell script used by the Russia-linked Advanced Persistent Threat group, APT28, to steal sensitive information from compromised systems. The malware was discovered as part of a phishing campaign orchestrated by APT28, as reported by the Computer Emergency Response Team
Masepie | 3 | MASEPIE is a malicious software (malware) first discovered in December 2023, which is capable of establishing persistence on Windows machines and executing arbitrary commands. It is described as a small Python backdoor that enables the downloading and uploading of files. When victims click to view l
Credomap | 1 | CredoMap is a type of malware, malicious software designed to exploit and damage computer systems. It can infiltrate systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, it has the potential to steal personal information, disrupt operations, or even
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Backdoor
Malware
Payload
Reconnaissance
Openssh
Lateral Move...
Phishing
Associated Malware
ID | Type | Votes | Profile Description
No associations to display
Associated Threat Actors
ID | Type | Votes | Profile Description
APT28 | Unspecified | 2 | APT28, also known as Fancy Bear, is a threat actor believed to be linked to the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU). This group has been implicated in several high-profile cyber-espionage activities. Notably, they were behind a large-scale malwar
ITG05 | Unspecified | 1 | ITG05, also known by various aliases including APT28, Fancy Bear, and Forest Blizzard, is a sophisticated malware that has been targeting non-governmental organizations (NGOs) through phishing lures. This harmful software, designed to exploit and damage computer systems, infects systems primarily th
Associated Vulnerabilities
ID | Type | Votes | Profile Description
No associations to display
Source Document References
Information about the OCEANMAP malware was read from the document corpus below. This display is limited to 20 results.
Source (created) : Title
CERT-EU (6 months ago) : Cyber Security Week In Review: December 29, 2023
BankInfoSecurity (6 months ago) : Russian Military Intelligence Blamed for Blitzkrieg Hacks
CERT-EU (6 months ago) : New malware found in analysis of Russian hacks on Ukraine, Poland | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #hacker | National Cyber Security Consulting
Securityaffairs (6 months ago) : Russia's APT28 used new malware in a recent phishing campaign
CERT-EU (6 months ago) : CERT-UA Uncovers New Malware Wave Distributing OCEANMAP, MASEPIE, STEELHOOK
DARKReading (4 months ago) : Russian Intelligence Targets Victims Worldwide in Rapid-Fire Cyberattacks
CERT-EU (4 months ago) : APT28 Hacker Group Targeting Europe, Americas, Asia in Widespread Phishing Scheme | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #hacker | National Cyber Security Consulting