Threat Research

Evacuation and Humanitarian Documents used to Spear Phish Ukrainian Entities

Securonix

Execution

Upon execution of Base-Update.exe, it proceeds to download, Base64-decode, and execute another time stomped downloader written in Go from http://194.31.98.124:443/i with the arguments –a 0CyCcrhI/6B5wKE8XLOd+w==:

  • %TEMP%java-sdk.exe (MD5: 36ff9ec87c458d6d76b2afbd5120dfae)
    • Downloader written in Go
    • Base64 encoded – MD5: 2f14b3d5ab01568e2707925783f8eafe
    • Compile time: 1970-01-01 00:00:00
    • C&C: 194.31.98.124:443

Java-sdk.exe sets persistence for itself via setting a Run registry key. It then proceeds to download, decode, and execute two additional Base64-encoded files, GRIMPLANT and GRAPHSTEEL.

  • oracle-java.exe (MD5: 4a5de4784a6005aa8a19fb0889f1947a)
    • GRIMPLANT backdoor
    • Base64-encoded – MD5: 2a843511cdb8f5604cb3fafe244ef5f2
    • Compile time: 1970-01-01 00:00:00
    • C&C: http://194.31.98.124:80
  • microsoft-cortana.exe (MD5: 6b413beb61e46241481f556bb5cdb69c)
    • GRAPHSTEEL infostealer
    • Base64-encoded – MD5: a0c4ddf9c6f95d7046be8a2e0f875935
    • Compile time: 2022-03-20 14:24:42
    • C&C: ws://194.31.98.124:443/c

GRIMPLANT Execution

Upon execution of GRIMPLANT, it reads its configured C&C from the command line. The configured C&C is Base64-encoded and AESCTS-encrypted and results in GRIMPLANT communicating to 194.31.98.124.

GRIMPLANT conducts a basic system survey, querying the following:

  • Computer name
  • Username
  • Home directory
  • IP address (via Ipify API)
  • Hostname
  • OS
  • Number of CPUs

GRIMPLANT then uploads the system survey to the C&C. Note that GRIMPLANT communicates with the C&C over Google RPC using TLS. GRIMPLANT handles PowerShell commands it receives from the C&C, sending the result of the command back to the C&C. Unlike GRAPHSTEEL, GRIMPLANT does not use an added layer of encryption to its C&C communications.

GRAPHSTEEL Execution

Upon execution of GRAPHSTEEL, it conducts a system survey of the host and user information and reaches out to the ipify API to determine the IP address. It then AESCTS encrypts and uploads the surveyed victim information to the C&C. When it gets a response from the C&C, GRAPHSTEEL proceeds to harvest browser credentials, including:

  • Chrome
  • Internet Explorer
  • FireFox
  • Thunderbird

GRAPHSTEEL also attempts to collect mail data from Mozilla Thunderbird, extract data from Filezilla, find unprotected SSH keys on the target machine, query Putty to access the public key, and read any MobaXterm config.

After collecting this information, it encrypts and uploads the information to the C&C. GRAPHSTEEL then enumerates drives D-Z and the files within each drive. GRAPHSTEEL reads the content of each unique file and uploads those to the C&C.

Note: the GRAPHSTEEL project also does not have symbols stripped and the main Go package is called “elephant.”

Persistence Method

The malware maintains its persistence on the victim’s system by setting the following Run registry key:

Key: HKCUSoftwareMicrosoftWindowsCurrentVersionRunjava-sdk

Value: %TEMP%java-sdk.exe -a

Related Samples

This activity is related to activity previously reported on by UA CERT on a campaign leveraging GRIMPLANT and GRAPHSTEEL malware. Notably, the two campaigns share malware overlaps and filename overlaps, but lack infrastructure overlaps. In addition, unlike other UNC2589 campaigns including the one reported on by UA CERT, this new operation does not use Discord to host malware.

  • Instruction on anti-virus protection.doc (MD5: ca9290709843584aecbd6564fb978bd6)
    • Lure document
    • C&C: https://forkscenter.fr/BitdefenderWindowsUpdatePackage.exe
  • User guide.doc (MD5: cf204319f7397a6a31ecf76c9531a549)
    • Lure document
    • C&C: https://forkscenter.fr/BitdefenderWindowsUpdatePackage.exe
  • bitdefenderwindowsupdatepackage.exe (MD5: b8b7a10dcc0dad157191620b5d4e5312)
    • Dropper for alt.exe
    • Downloaded from https://forkscenter.fr/BitdefenderWindowsUpdatePackage.exe
  • alt.exe (MD5: 2fdf9f3a25e039a41e743e19550d4040)
    • Themida packed downloader
    • C&Cs:
      • https://cdn.discordapp.com/attachments/947916997713358890/949948174636830761/one.exe
      • https://cdn.discordapp.com/attachments/947916997713358890/949948174838165524/dropper.exe
  • one.exe (MD5: aa5e8268e741346c76ebfd1f27941a14)
    • Downloader and BEACON loader
    • Downloads wisw.exe from https://forkscenter.fr/Sdghrt_umrj6/wisw.exe
    • BEACON Shellcode MD5: e56555162c559a55021b879147b0791f
      • C&Cs:
        • https://nirsoft.me/nEDFzTtoCbUfp9BtSZlaq6ql8v6yYb/avp/amznussraps/
        • https://nirsoft.me/s/2MYmbwpSJLZRAtXRgNTAUjJSH6SSoicLPIrQl/field-keywords/
  • wisw.exe (MD5: 9ad4a2dfd4cb49ef55f2acd320659b83)
    • Themida packed downloader
    • Downloaded from https://forkscenter.fr/Sdghrt_umrj6/wisw.exe
    • C&C: https://cdn.discordapp.com/attachments/947916997713358890/949978571680673802/cesdf.exe
  • dropper.exe (MD5: 15c525b74b7251cfa1f7c471975f3f95)
    • Go downloader
    • C&C: https://45.84.0.116/i
  • java-sdk.exe (MD5: c8bf238641621212901517570e96fae7)
    • Go downloader
    • Downloaded as Base64 encoded text from https://45.84.0.116/i
    • C&Cs:
      • http://45.84.0.116:443/m
      • http://45.84.0.116:443/p
  • oracle-java.exe (MD5: 4f11abdb96be36e3806bada5b8b2b8f8)
    • GRIMPLANT malware
    • Downloaded as Base64 encoded text from http://45.84.0.116:443/m
  • microsoft-cortana.exe (MD5: 9ea3aaaeb15a074cd617ee1dfdda2c26)
    • GRAPHSTEEL malware

Downloaded as Base64 encoded text from http://45.84.0.116:443/p

UNC1151 Operations

Actor Overview

UNC1151 is a cluster of cyber espionage activity which has links to the Belarusian government. (Please see our previously published blog on UNC1151 for additional details). UNC1151 also provides technical support to the Ghostwriter information operations campaign. Though we cannot rule out Russian contributions to either UNC1151 or Ghostwriter activities, we have not yet identified evidence of any collaboration between Russian APTs and UNC1151.

UNC1151 primarily targets government and media entities focusing on Ukraine, Lithuania, Latvia, Poland, and Germany. UNC1151 has been active in targeting primarily Ukraine and Poland since the Russian invasion of Ukraine in February.

Malware Overview

BEACON is a backdoor written in C/C++ that is part of the Cobalt Strike framework. Supported backdoor commands include shell command execution, file transfer, file execution, and file management. BEACON can also capture keystrokes and screenshots as well as act as a proxy server. BEACON may also be tasked with harvesting system credentials, port scanning, and enumerating systems on a network. BEACON communicates with a C&C server via HTTP or DNS.

MICROBACKDOOR is a client backdoor and server-side tool which has been available on GitHub since May 2021. MICROBACKDOOR was developed by ‘Cr4sh’ (aka. Dmytro Oleksiuk), who has also developed other notable malware used by Russian APTs including BlackEnergy. MICROBACKDOOR can upload and download files, execute commands, update itself, and take screenshots. It also supports HTTP, Socks4 and Socks5 proxies to route traffic.

Note: the version of MICROBACKDOOR used by UNC1151 in this report has been modified by the actor to include a screenshot functionality. Screenshot functionality is not present in the version of MICROBACKDOOR available on Github.

UNC1151 Uses Sheltering-Themed Lures

Infection Vector

In early March 2022, Mandiant Threat Intelligence discovered new activity targeting Ukrainian entities using MICROBACKDOOR and a lure titled “що робити? пiд час артилерiйских обстрiлiв системами залповова вогню” (Translation: “What to do? During artillery shelling by volley fire systems”). MICROBACKDOOR is a client backdoor and server side (command and control) tool which has been available on GitHub since May 2021 and developed by ‘Cr4sh’ (aka Dmytro Oleksiuk).

To deliver the payload, the actor used a ZIP containing a CHM-file.

  • довідка.zip (MD5: e34d6387d3ab063b0d926ac1fca8c4c4)
    • Translation: Certificate.zip
  • dovidka.chm (MD5: 2556a9e1d5e9874171f51620e5c5e09a)
    • Contains obfuscated VBS

Execution

If the desktop.ini does not exist in the path C:UsersPublicFavoritesdesktop.ini (indicating that the backdoor is not yet installed), the VBS code within dovidka.chm drops the decoded next payload to C:UsersPublicignit.vbs. The code then creates the folder C:UsersPublicFavorites and executes C:UsersPublicignit.vbs.

  • C:UsersPublicignit.vbs (MD5: bd65d0d59f6127b28f0af8a7f2619588)
    • Malicious VBS launcher

Source: https://www.mandiant.com/resources/spear-phish-ukrainian-entities

Tags: BACKDOOR, GOVERNMENT, PERSISTENCE, DNS, PROXY, VIRUS, BROWSER, TOOL