Steelhook

Malware updated 7 months ago (2024-05-04T21:17:57.003Z)

Download STIX

Preview STIX

Steelhook is a malicious PowerShell script used by the Russia-linked Advanced Persistent Threat group, APT28, to steal sensitive information from compromised systems. The malware was discovered as part of a phishing campaign orchestrated by APT28, as reported by the Computer Emergency Response Team of Ukraine (CERT-UA) in December 2023. Once installed on a system, Steelhook can extract data from web browsers, including login credentials, authentication cookies, and browsing history. This data is then exported to an actor-controlled server in Base64-encoded format. Steelhook specifically targets Google Chrome and Microsoft Edge browsers. The APT28 group has been employing Steelhook along with other previously undetected malware, such as OCEANMAP and MASEPIE, to infiltrate and exfiltrate sensitive data from targeted networks. These include Ukrainian government entities and Polish organizations. The threat actors also utilized the MASEPIE malware to load and execute OPENSSH for building a tunnel, and the OCEANMAP backdoor. In this campaign, the hackers leveraged these tools to upload the data-stealing malware Steelhook and a backdoor called Oceanmap, which manipulates email software. In response to these threats, Recorded Future employed a technique that altered Steelhook, submitting the malware source code to an LLM system. This action likely disrupted the functionality of the malware within infected systems. However, the attacks have paved the way for the deployment of additional malicious software, further escalating the cyber threat landscape. It's crucial for organizations to remain vigilant against such sophisticated threats and ensure robust cybersecurity measures are in place.

Description last updated: 2024-05-04T20:49:59.152Z

What's your take? (Question 1 of 4)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.

Alias Description	Votes
OCEANMAP is a possible alias for Steelhook. OceanMap is a C#-based malware used by APT28, a Russia-linked group, as part of a sophisticated cyber attack campaign that started in 2020. The malware is designed to execute base64-encoded commands via cmd.exe, providing persistent and remote access to the targeted endpoint. Once a command is execu	3
Masepie is a possible alias for Steelhook. MASEPIE is a malicious software (malware) first discovered in December 2023, which is capable of establishing persistence on Windows machines and executing arbitrary commands. It is described as a small Python backdoor that enables the downloading and uploading of files. When victims click to view l	3

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Malware

Backdoor

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Associated Threat Actors

To see the evidence that has resulted in these threatActor associations, create a free account

Alias Description	Association Type	Votes
The APT28 Threat Actor is associated with Steelhook. APT28, also known as Fancy Bear and Unit 26165 of the Russian Main Intelligence Directorate, is a threat actor linked to Russia with a history of cyber-espionage activities. The group has been involved in several high-profile attacks, including the hacking of the Democratic National Committee (DNC)	Unspecified	2

Source Document References

Information about the Steelhook Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
CERT-EU	8 months ago	Russian hackers unleash sophisticated phishing campaigns across the globe
BankInfoSecurity	a year ago	Russian Military Intelligence Blamed for Blitzkrieg Hacks
CERT-EU	a year ago	New malware found in analysis of Russian hacks on Ukraine, Poland \| #hacking \| #cybersecurity \| #infosec \| #comptia \| #pentest \| #hacker \| National Cyber Security Consulting
Securityaffairs	a year ago	Russia's APT28 used new malware in a recent phishing campaign
CERT-EU	a year ago	CERT-UA Uncovers New Malware Wave Distributing OCEANMAP, MASEPIE, STEELHOOK
BankInfoSecurity	8 months ago	Hackers Developing Malicious LLMs After WormGPT Falls Flat
DARKReading	8 months ago	Russian Intelligence Targets Victims Worldwide in Rapid-Fire Cyberattacks
CERT-EU	8 months ago	APT28 Hacker Group Targeting Europe, Americas, Asia in Widespread Phishing Scheme \| #hacking \| #cybersecurity \| #infosec \| #comptia \| #pentest \| #hacker \| National Cyber Security Consulting
CERT-EU	8 months ago	Russian hacker group exploits Microsoft Windows feature in worldwide phishing attack \| #hacking \| #cybersecurity \| #infosec \| #comptia \| #pentest \| #hacker \| National Cyber Security Consulting