Making Credential Theft Easier Since... Always

APT28 ‎actors‏ ‎have ‎been ‎hosting ‎custom ‎Python‏ ‎scripts ‎on‏ ‎compromised‏ ‎Ubiquiti ‎EdgeRouters ‎to‏ ‎collect ‎and‏ ‎validate ‎stolen ‎webmail ‎account‏ ‎credentials.‏ ‎These ‎scripts‏ ‎are ‎typically‏ ‎stored ‎alongside ‎related ‎log ‎files‏ ‎in‏ ‎the ‎home‏ ‎directory ‎of‏ ‎a ‎compromised ‎user, ‎such ‎as:

/home/<compromised‏ ‎user>/srv/http://core.py

/home/<compromised‏ ‎user>/srv/debug.txt

The‏ ‎FBI ‎claims‏ ‎that ‎they‏ ‎have ‎recovered‏ ‎verbose‏ ‎log ‎files‏ ‎containing ‎information ‎about ‎APT28 ‎activity‏ ‎on ‎the‏ ‎compromised‏ ‎EdgeRouters.

Custom ‎Python ‎Scripts

📌 The‏ ‎custom ‎Python‏ ‎scripts ‎hosted ‎on ‎the‏ ‎compromised‏ ‎EdgeRouters ‎serve‏ ‎the ‎purpose‏ ‎of ‎collecting ‎and ‎validating ‎stolen‏ ‎webmail‏ ‎account ‎credentials.‏ ‎APT28 ‎actors‏ ‎use ‎these ‎scripts ‎as ‎part‏ ‎of‏ ‎their‏ ‎credential ‎harvesting‏ ‎operations, ‎targeting‏ ‎specific ‎webmail‏ ‎users.

📌 The‏ ‎scripts ‎are‏ ‎designed ‎to ‎automatically ‎break ‎captcha‏ ‎problems ‎on‏ ‎webmail‏ ‎login ‎pages, ‎allowing‏ ‎the ‎actors‏ ‎to ‎bypass ‎this ‎security‏ ‎measure‏ ‎and ‎gain‏ ‎unauthorized ‎access‏ ‎to ‎the ‎targeted ‎accounts. ‎To‏ ‎achieve‏ ‎this, ‎the‏ ‎scripts ‎make‏ ‎connections ‎to ‎the ‎API ‎endpoint‏ ‎api[.]anti-captcha[.]com,‏ ‎which‏ ‎is ‎used‏ ‎by ‎APT28‏ ‎actors ‎for‏ ‎captcha-solving‏ ‎purposes.

Yara ‎Rule‏ ‎for ‎Detection

📌 To ‎help ‎network ‎defenders‏ ‎locate ‎credential‏ ‎collection‏ ‎scripts ‎on ‎compromised‏ ‎EdgeRouters, ‎the‏ ‎FBI ‎has ‎created ‎a‏ ‎Yara‏ ‎rule. ‎Yara‏ ‎is ‎a‏ ‎tool ‎used ‎to ‎identify ‎and‏ ‎classify‏ ‎malware ‎based‏ ‎on ‎textual‏ ‎or ‎binary ‎patterns. ‎The ‎FBI-provided‏ ‎Yara‏ ‎rule‏ ‎can ‎be‏ ‎used ‎to‏ ‎scan ‎the‏ ‎file‏ ‎system ‎of‏ ‎EdgeRouters ‎and ‎detect ‎the ‎presence‏ ‎of ‎the‏ ‎custom‏ ‎Python ‎scripts ‎used‏ ‎by ‎APT28‏ ‎actors.

📌 In ‎addition ‎to ‎using‏ ‎the‏ ‎Yara ‎rule,‏ ‎network ‎defenders‏ ‎can ‎also ‎query ‎network ‎traffic‏ ‎for‏ ‎connections ‎to‏ ‎the ‎api[.]anti-captcha[.]com‏ ‎endpoint. ‎Detecting ‎traffic ‎to ‎this‏ ‎API‏ ‎can‏ ‎help ‎identify‏ ‎compromised ‎EdgeRouters‏ ‎and ‎potential‏ ‎credential‏ ‎harvesting ‎activities.

Mitigation‏ ‎and ‎Investigation

📌 Upon ‎detecting ‎the ‎presence‏ ‎of ‎custom‏ ‎Python‏ ‎scripts ‎or ‎connections‏ ‎to ‎the‏ ‎api[.]anti-captcha[.]com ‎endpoint, ‎network ‎defenders‏ ‎should‏ ‎take ‎immediate‏ ‎action ‎to‏ ‎mitigate ‎the ‎risk ‎and ‎investigate‏ ‎the‏ ‎extent ‎of‏ ‎the ‎compromise:

📌 Isolating‏ ‎the ‎affected ‎EdgeRouters ‎from ‎the‏ ‎network

📌 Performing‏ ‎a‏ ‎thorough ‎analysis‏ ‎of ‎the‏ ‎scripts ‎and‏ ‎log‏ ‎files ‎to‏ ‎understand ‎the ‎scope ‎of ‎the‏ ‎credential ‎harvesting‏ ‎activities

📌 Resetting‏ ‎passwords ‎for ‎potentially‏ ‎compromised ‎webmail‏ ‎accounts