A newly identified cyber attack campaign, codenamed “Steal-It” by Zscaler ThreatLabz, is utilizing a PowerShell script associated with a legitimate red teaming tool to steal NTLMv2 hashes from compromised Windows systems.
Furthermore, the campaign primarily targets systems in Australia, Poland, and Belgium and employs multiple infection chains, all starting with phishing emails containing ZIP archives. These chains include an NTLMv2 hash stealing infection chain, a system info stealing chain targeting Australian users, a Fansly whoami chain enticing Polish users, and a Windows update chain aimed at Belgian users.
The attackers, believed to possess significant technical expertise, use customized versions of the Nishang PowerShell script for their operations. Additionally, they exfiltrate stolen NTLMv2 hashes using Mockbin APIs, enhancing their ability to evade detection. One notable aspect of the campaign is its resemblance to tactics previously associated with the Russian state-sponsored threat actor APT28.
In one case, the Computer Emergency Response Team of Ukraine (CERT-UA) highlighted a similar attack sequence in May 2023 as part of an APT28 campaign against Ukrainian government institutions, raising the possibility of a connection between the two. The attackers’ persistence and adaptability underscore their dedication to maintaining prolonged access to compromised systems.
