MASEPIE Malware. Because One Malware Isn't Enough

In ‎December‏ ‎2023, ‎APT28 ‎actors ‎developed ‎MASEPIE,‏ ‎a ‎small‏ ‎Python‏ ‎backdoor ‎capable ‎of‏ ‎executing ‎arbitrary‏ ‎commands ‎on ‎victim ‎machines.‏ ‎An‏ ‎FBI ‎investigation‏ ‎revealed ‎that‏ ‎on ‎more ‎than ‎one ‎occasion,‏ ‎APT28‏ ‎used ‎compromised‏ ‎Ubiquiti ‎EdgeRouters‏ ‎as ‎command-and-control ‎(C2) ‎infrastructure ‎for‏ ‎MASEPIE‏ ‎backdoors‏ ‎deployed ‎against‏ ‎targets.

Command-and-Control ‎Infrastructure

While‏ ‎APT28 ‎does‏ ‎not‏ ‎deploy ‎MASEPIE‏ ‎on ‎EdgeRouters ‎themselves, ‎the ‎compromised‏ ‎routers ‎have‏ ‎been‏ ‎used ‎as ‎C2‏ ‎infrastructure ‎to‏ ‎communicate ‎with ‎and ‎control‏ ‎MASEPIE‏ ‎backdoors ‎installed‏ ‎on ‎systems‏ ‎belonging ‎to ‎targeted ‎individuals ‎and‏ ‎organizations.

The‏ ‎data ‎sent‏ ‎to ‎and‏ ‎from ‎the ‎EdgeRouters ‎acting ‎as‏ ‎C2‏ ‎servers‏ ‎was ‎encrypted‏ ‎using ‎a‏ ‎randomly ‎generated‏ ‎16-character‏ ‎AES ‎key,‏ ‎making ‎it ‎more ‎difficult ‎to‏ ‎detect ‎and‏ ‎analyze‏ ‎the ‎malicious ‎traffic.

MASEPIE‏ ‎Backdoor ‎Functionality

MASEPIE‏ ‎is ‎a ‎Python-based ‎backdoor‏ ‎that‏ ‎allows ‎APT28‏ ‎actors ‎to‏ ‎execute ‎arbitrary ‎commands ‎on ‎the‏ ‎infected‏ ‎systems. ‎This‏ ‎backdoor ‎provides‏ ‎the ‎threat ‎actors ‎with ‎a‏ ‎persistent‏ ‎foothold‏ ‎and ‎remote‏ ‎control ‎capabilities,‏ ‎enabling ‎them‏ ‎to‏ ‎carry ‎out‏ ‎various ‎malicious ‎activities, ‎such ‎as:

Data‏ ‎exfiltration

📌 Lateral ‎movement‏ ‎within‏ ‎the ‎compromised ‎network

📌 Deployment‏ ‎of ‎additional‏ ‎malware ‎or ‎tools

📌 Execution ‎of‏ ‎reconnaissance‏ ‎and ‎intelligence-gathering‏ ‎commands

Mitigation ‎and‏ ‎Investigation

To ‎mitigate ‎the ‎risk ‎of‏ ‎MASEPIE‏ ‎backdoors ‎and‏ ‎the ‎use‏ ‎of ‎compromised ‎EdgeRouters ‎as ‎C2‏ ‎infrastructure,‏ ‎network‏ ‎defenders ‎and‏ ‎users ‎should‏ ‎take ‎the‏ ‎following‏ ‎steps:

📌 Implement ‎endpoint‏ ‎protection: ‎Deploy ‎advanced ‎endpoint ‎protection‏ ‎solutions ‎capable‏ ‎of‏ ‎detecting ‎and ‎preventing‏ ‎the ‎execution‏ ‎of ‎MASEPIE ‎and ‎other‏ ‎malicious‏ ‎Python ‎scripts‏ ‎or ‎backdoors.

📌 Monitor‏ ‎network ‎traffic: Closely ‎monitor ‎network ‎traffic‏ ‎for‏ ‎any ‎suspicious‏ ‎encrypted ‎communications‏ ‎or ‎connections ‎to ‎known ‎APT28‏ ‎infrastructure,‏ ‎including‏ ‎compromised ‎EdgeRouters.

📌 Analyze‏ ‎network ‎logs:‏ ‎Review ‎network‏ ‎logs‏ ‎for ‎any‏ ‎indications ‎of ‎encrypted ‎communications ‎or‏ ‎connections ‎to‏ ‎EdgeRouters‏ ‎that ‎may ‎be‏ ‎acting ‎as‏ ‎C2 ‎servers.