Date: 09/04/2024
Severity: Medium
Summary
OCEANMAP is a backdoor used by the Russian cyber espionage group APT28 (also known as Sofacy or Fancy Bear). First identified by CERT-UA, OCEANMAP gives attackers remote control over infected systems, allowing them to steal data and carry out espionage. The backdoor is part of APT28's broader toolkit for cyber operations and intelligence gathering.
Indicators of Compromise (IOC) List
| Type | Value |
| --- | --- |
| URL/Domain | webmail.facadesolutionsuae.com |
| IP Address | 74.124.219.71 |
| Hash (SHA-256) | 24fd571600dcc00bf2bb8577c7e4fd67275f7d19d852b909395bebcbb1274e04 |
| Process | `taskkill /F /PID <PID>`; `cmd.exe /c dir` |
| Filename | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\EdgeContext.url |
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
| Indicator | Gurucul TDIR Query |
| --- | --- |
| URL/Domain | userdomainname like "webmail.facadesolutionsuae.com" or url like "webmail.facadesolutionsuae.com" |
| IP Address | dstipaddress IN ("74.124.219.71") or ipaddress IN ("74.124.219.71") or publicipaddress IN ("74.124.219.71") or srcipaddress IN ("74.124.219.71") |
| Hash | sha256hash IN ("24fd571600dcc00bf2bb8577c7e4fd67275f7d19d852b909395bebcbb1274e04") |
| Detection Query 1 | resourcename in ("Windows Security") AND eventtype in ("4689") AND processnames in ("taskkill /F /PID <PID>","cmd.exe /c dir") |
| Detection Query 2 | Technologygroup = "EDR" AND eventtype in ("4689") AND processnames in ("taskkill /F /PID <PID>","cmd.exe /c dir") |
| Detection Query 3 | (resourcename in ("Sysmon") AND eventtype = "11") AND targetfilename = "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\EdgeContext.url" |
| Detection Query 4 | (Technologygroup = "EDR") AND targetfilename = "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\EdgeContext.url" |
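The queries above are written for the Gurucul TDIR query language. The following Python script is an added example, not part of the advisory or Gurucul's product, that applies the same IOCs to normalized log events so the logic can be tested outside the platform. Two practical points it handles that the literal queries leave implicit: the `<PID>` in the process IOC is a placeholder, so an exact string match on `taskkill /F /PID <PID>` would never fire and the example uses a regular expression for a numeric PID instead; and Windows paths are case-insensitive, so the startup-file comparison is lowercased. The field names (`url`, `dstipaddress`, `processnames`, `targetfilename`, etc.) are taken from the page's queries; the sample events are constructed for the demonstration and are not real telemetry.

```python
import re
from typing import Dict, List, Tuple

# IOCs copied from the advisory above.
IOC_DOMAIN = "webmail.facadesolutionsuae.com"
IOC_IP = "74.124.219.71"
IOC_SHA256 = "24fd571600dcc00bf2bb8577c7e4fd67275f7d19d852b909395bebcbb1274e04"
IOC_STARTUP_FILE = (
    r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\EdgeContext.url"
)

# The advisory writes the process IOC as "taskkill /F /PID <PID>"; <PID> is a
# placeholder, so it is expressed here as a pattern that accepts any numeric PID.
TASKKILL_RE = re.compile(r"^taskkill\s+/F\s+/PID\s+\d+\s*$", re.IGNORECASE)
DIR_RE = re.compile(r"^cmd\.exe\s+/c\s+dir\s*$", re.IGNORECASE)

# Field names mirror those used in the Gurucul queries on the page.
DOMAIN_FIELDS = ("userdomainname", "url")
IP_FIELDS = ("dstipaddress", "ipaddress", "publicipaddress", "srcipaddress")


def match_event(event: Dict[str, str]) -> List[str]:
    """Return a list of IOC labels that the event matches (empty if none)."""
    hits: List[str] = []

    # Domain IOC: substring match, like the page's "like" clauses.
    for key in DOMAIN_FIELDS:
        if IOC_DOMAIN in event.get(key, "").lower():
            hits.append(f"domain:{key}")

    # IP IOC: exact match on any of the address fields the page lists.
    for key in IP_FIELDS:
        if event.get(key) == IOC_IP:
            hits.append(f"ip:{key}")

    # Hash IOC: SHA-256, compared case-insensitively.
    if event.get("sha256hash", "").lower() == IOC_SHA256:
        hits.append("hash:sha256")

    # Detection Queries 1/2: process events (event ID 4689) with the IOC command lines.
    if event.get("eventtype") == "4689":
        cmd = event.get("processnames", "")
        if TASKKILL_RE.match(cmd) or DIR_RE.match(cmd):
            hits.append("process:4689")

    # Detection Queries 3/4: Sysmon file-create (event ID 11) of the startup .url file.
    if event.get("resourcename") == "Sysmon" and event.get("eventtype") == "11":
        if event.get("targetfilename", "").lower() == IOC_STARTUP_FILE.lower():
            hits.append("startup_file:sysmon11")

    return hits


def scan(events: List[Dict[str, str]]) -> List[Tuple[int, List[str]]]:
    """Run match_event over a batch and return (index, hits) for events that matched."""
    results = []
    for idx, event in enumerate(events):
        hits = match_event(event)
        if hits:
            results.append((idx, hits))
    return results


# Constructed sample events (not real telemetry): four should match, one should not.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"resourcename": "Proxy", "url": "https://webmail.facadesolutionsuae.com/owa/"},
    {"resourcename": "Firewall", "dstipaddress": "74.124.219.71", "srcipaddress": "10.0.0.5"},
    {"resourcename": "Windows Security", "eventtype": "4689",
     "processnames": "taskkill /F /PID 4321"},
    {"resourcename": "Sysmon", "eventtype": "11",
     "targetfilename": r"c:\programdata\microsoft\windows\start menu\programs\startup\EdgeContext.url"},
    {"resourcename": "Windows Security", "eventtype": "4689",
     "processnames": "notepad.exe"},
]


if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {', '.join(hits)}")
```

When porting this back into a SIEM, replace the regular expression with whatever pattern or wildcard syntax the platform supports for the `processnames` field; an exact-match list containing the literal `<PID>` text will not match real process events.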
Reference:
https://gurucul.com/blog/apt28s-oceanmap-backdoor/#indicators-of-compromise