MASEPIE Malware. Because One Malware Isn't Enough
In December 2023, APT28 actors developed MASEPIE, a small Python backdoor capable of executing arbitrary commands on victim machines. An FBI investigation revealed that on more than one occasion, APT28 used compromised Ubiquiti EdgeRouters as command-and-control (C2) infrastructure for MASEPIE backdoors deployed against targets.
Command-and-Control Infrastructure
While APT28 does not deploy MASEPIE on EdgeRouters themselves, the compromised routers have been used as C2 infrastructure to communicate with and control MASEPIE backdoors installed on systems belonging to targeted individuals and organizations.
The data sent to and from the EdgeRouters acting as C2 servers was encrypted using a randomly generated 16-character AES key, making it more difficult to detect and analyze the malicious traffic.
MASEPIE Backdoor Functionality
MASEPIE is a Python-based backdoor that allows APT28 actors to execute arbitrary commands on the infected systems. This backdoor provides the threat actors with a persistent foothold and remote control capabilities, enabling them to carry out various malicious activities, such as:
📌 Data exfiltration
📌 Lateral movement within the compromised network
📌 Deployment of additional malware or tools
📌 Execution of reconnaissance and intelligence-gathering commands
Mitigation and Investigation
To mitigate the risk of MASEPIE backdoors and the use of compromised EdgeRouters as C2 infrastructure, network defenders and users should take the following steps:
📌 Implement endpoint protection: Deploy advanced endpoint protection solutions capable of detecting and preventing the execution of MASEPIE and other malicious Python scripts or backdoors.
📌 Monitor network traffic: Closely monitor network traffic for any suspicious encrypted communications or connections to known APT28 infrastructure, including compromised EdgeRouters.
📌 Analyze network logs: Review network logs for any indications of encrypted communications or connections to EdgeRouters that may be acting as C2 servers.
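The two monitoring steps above, together with the earlier note that MASEPIE traffic is AES-encrypted with a randomly generated key, translate into three checks a defender can run over flow records: match destinations against an indicator list, flag high-entropy payloads on ports that do not normally carry TLS or SSH, and look for connections recurring at a near-constant interval. The script below is an added example written for this page, not code from the advisory or from any vendor product. The indicator addresses are documentation-range placeholders (not real APT28 infrastructure), the flow records are constructed, and `CIPHERTEXT_LIKE` is a deterministic stand-in for encrypted payload bytes so the entropy check behaves predictably.

```python
import math
from collections import defaultdict

# Placeholder indicator set (RFC 5737 documentation addresses standing in for the
# compromised EdgeRouter C2 IPs an analyst would load from a real advisory).
KNOWN_C2_IPS = {"192.0.2.10", "198.51.100.77"}

# Ports where high-entropy payloads are expected (TLS, SSH, IMAPS, POP3S), so the
# entropy check alone must not flag them.
EXPECTED_ENCRYPTED_PORTS = {22, 443, 993, 995}

# Stand-in for AES ciphertext: every byte value exactly once gives 8.0 bits/byte.
CIPHERTEXT_LIKE = bytes(range(256))

# Constructed flow records in the spirit of NetFlow/Zeek summaries:
# (epoch seconds, source IP, destination IP, destination port, first payload bytes).
SAMPLE_FLOWS = [
    (1000, "10.0.0.5", "203.0.113.8", 443, CIPHERTEXT_LIKE),      # ordinary TLS session
    (1005, "10.0.0.5", "203.0.113.9", 80,
     b"GET /index.html HTTP/1.1\r\nHost: intranet.example\r\n\r\n"),  # plain HTTP
    (1000, "10.0.0.7", "192.0.2.10", 8080, CIPHERTEXT_LIKE),      # beacon 1
    (1060, "10.0.0.7", "192.0.2.10", 8080, CIPHERTEXT_LIKE),      # beacon 2
    (1121, "10.0.0.7", "192.0.2.10", 8080, CIPHERTEXT_LIKE),      # beacon 3 (1 s jitter)
    (1180, "10.0.0.7", "192.0.2.10", 8080, CIPHERTEXT_LIKE),      # beacon 4
    (2000, "10.0.0.9", "198.51.100.200", 9001, CIPHERTEXT_LIKE),  # unlisted host, odd port
]


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 8.0 is the maximum for byte-oriented data."""
    if not data:
        return 0.0
    counts = defaultdict(int)
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def detect_beaconing(flows, min_connections=4, max_jitter=5):
    """Return (src, dst) pairs whose inter-connection gaps vary by at most max_jitter seconds."""
    times = defaultdict(list)
    for ts, src, dst, _port, _payload in flows:
        times[(src, dst)].append(ts)
    beacons = set()
    for pair, ts_list in times.items():
        if len(ts_list) < min_connections:
            continue
        ts_list.sort()
        gaps = [b - a for a, b in zip(ts_list, ts_list[1:])]
        if max(gaps) - min(gaps) <= max_jitter:
            beacons.add(pair)
    return beacons


def analyze_flows(flows, c2_ips=KNOWN_C2_IPS, entropy_threshold=7.0, min_payload=64):
    """Map each suspicious (src, dst, port) triple to the sorted list of reasons it was flagged."""
    beacon_pairs = detect_beaconing(flows)
    findings = defaultdict(set)
    for _ts, src, dst, port, payload in flows:
        key = (src, dst, port)
        if dst in c2_ips:
            findings[key].add("destination matches C2 indicator")
        # Short payloads give unreliable entropy estimates, so require a minimum length.
        if (port not in EXPECTED_ENCRYPTED_PORTS and len(payload) >= min_payload
                and shannon_entropy(payload) >= entropy_threshold):
            findings[key].add("high-entropy payload on non-TLS port")
        if (src, dst) in beacon_pairs:
            findings[key].add("regular beaconing interval")
    return {k: sorted(v) for k, v in findings.items()}


if __name__ == "__main__":
    for (src, dst, port), reasons in analyze_flows(SAMPLE_FLOWS).items():
        print(f"{src} -> {dst}:{port}: {', '.join(reasons)}")
```

On the constructed data, the beaconing host is reported with all three reasons, the connection to the unlisted host on port 9001 is reported on entropy alone, and the ordinary TLS and HTTP flows are left alone. The entropy check is deliberately scoped to ports outside the expected-encrypted set: a randomly keyed AES channel cannot be recognised by its key, only by the fact that it looks like ciphertext where cleartext would be expected, which is why the port allowlist and the indicator list are complementary rather than redundant.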