Sandworm APT Targets Ukrainian Users With Trojanized Microsoft KMS Activation Tools In Cyber Espionage Campaigns
Sandworm, a threat actor linked to Russia’s GRU, has been conducting cyber espionage against Ukrainian Windows users by abusing pirated software to distribute malware, notably the BACKORDER loader and Dark Crystal RAT. This activity has been ongoing since late 2023, coinciding with the Russian invasion of Ukraine, and highlights the exposure created by the country’s high rates of software piracy. Affected: Ukraine, critical infrastructure, private sector

Key points:

  • Sandworm (APT44) is targeting Ukrainian Windows users through a cyber espionage campaign.
  • Utilizing trojanized Microsoft KMS activators and fake updates to deploy malware.
  • BACKORDER loader is used to install Dark Crystal RAT (DcRAT) for data exfiltration.
  • The reliance on unlicensed software in Ukraine creates a significant attack surface.
  • KMS activation tools disguised as legitimate software were uploaded to torrent sites.
  • Multiple distinct malware distribution campaigns linked to this activity were identified.
  • The malware displays fake Windows activation interfaces and disables security measures.
  • Scheduled tasks are created to maintain access on infected systems.
  • Malware samples contained Russian-language comments and debug symbols, indicating Russian origin.
  • Government and critical infrastructure entities in Ukraine are at risk of cyber threats.

MITRE Techniques:

  • T1204.002 – User Execution: Malicious File – Users execute trojanized KMS activators.
  • T1059.001 – Command and Scripting Interpreter: PowerShell – BACKORDER uses PowerShell to disable Windows Defender.
  • T1218.011 – Signed Binary Proxy Execution: Rundll32 – Malware abuses rundll32.exe to evade detection.
  • T1569.002 – System Services: Service Execution – Malware modifies system services for persistence.
  • T1053.005 – Scheduled Task/Job: Scheduled Task – Creates scheduled tasks for persistent access.
  • T1548.002 – Abuse Elevation Control Mechanism: Bypass User Account Control – Elevates privileges for execution.
  • T1562.001 – Impair Defenses: Disable or Modify Tools – Disables Windows Defender to avoid detection.
  • T1070.004 – Indicator Removal on Host: File Deletion – Deletes installations and temporary files to erase traces.
  • T1005 – Data from Local System – DcRAT exfiltrates sensitive local data to C2 servers.
  • T1021.001 – Remote Services: Remote Desktop Protocol (RDP) – Uses RDP for potential unauthorized access.

Indicators of Compromise:

  • [Domain] kmsupdate2023[.]com
  • [Domain] activationsmicrosoft[.]com
  • [IPv4] 5.255.122[.]118
  • [SHA256] 48450c0a00b9d1ecce930eadbac27c3c80db73360bc099d3098c08567a59cdd3
  • [SHA256] 039c8dd066efa3dd7ac653689bfa07b2089ce4d8473c907547231c6dd2b136ec
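As an added example (not code from the EclecticIQ report or from this page), the following Python triage routine maps constructed Sysmon-style process events to the MITRE techniques and indicators listed above; the event field names and the command-line patterns are assumptions about how those behaviours typically appear.

```python
# Added example: triage constructed process events against the techniques and
# indicators from the digest above. Field names and regexes are assumptions.
import re

# Indicators taken from the report summary above (defanged brackets removed).
IOC_DOMAINS = {"kmsupdate2023.com", "activationsmicrosoft.com"}
IOC_IPS = {"5.255.122.118"}
IOC_SHA256 = {
    "48450c0a00b9d1ecce930eadbac27c3c80db73360bc099d3098c08567a59cdd3",
    "039c8dd066efa3dd7ac653689bfa07b2089ce4d8473c907547231c6dd2b136ec",
}

# Command-line patterns for the TTPs named in the digest: Defender disabled via
# PowerShell, scheduled-task persistence, and rundll32 proxy execution.
RULES = [
    ("T1059.001/T1562.001", re.compile(r"powershell.*set-mppreference.*-disable", re.I)),
    ("T1053.005", re.compile(r"schtasks(\.exe)?\s+/create", re.I)),
    ("T1218.011", re.compile(r"rundll32(\.exe)?\s+\S+\.dll", re.I)),
]

def triage(event: dict) -> set:
    """Return the technique IDs and IoC tags matched by one process event."""
    hits = set()
    cmd = event.get("CommandLine", "")
    for technique, pattern in RULES:
        if pattern.search(cmd):
            hits.add(technique)
    if event.get("SHA256", "").lower() in IOC_SHA256:
        hits.add("IOC:SHA256")
    for net in (event.get("DestinationHostname", ""), event.get("DestinationIp", "")):
        if net.lower() in IOC_DOMAINS or net in IOC_IPS:
            hits.add("IOC:network")
    return hits

# Constructed sample records; the paths, task name and DLL name are made up.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -w hidden Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": 'schtasks /create /tn "KMSUpdater" /tr "C:\\Users\\Public\\kms.exe" /sc onlogon'},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Users\Public\loader.dll,Start",
     "DestinationHostname": "kmsupdate2023.com"},
    {"Image": r"C:\Windows\notepad.exe", "CommandLine": "notepad.exe readme.txt"},
]

def triage_all(events):
    """Sorted match list per event, in input order; [] means no match."""
    return [sorted(triage(e)) for e in events]
```

Run `triage_all(SAMPLE_EVENTS)` to see which events match; in a real deployment the regexes would be tuned against the environment's own baseline to limit false positives.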

Full Story: https://blog.eclecticiq.com/sandworm-apt-targets-ukrainian-users-with-trojanized-microsoft-kms-activation-tools-in-cyber-espionage-campaigns