The Windows malware on Ukraine CERT's radar

Government agencies impersonated, fake antivirus, another wiper, backdoors


As Ukraine fights for survival against invading Russian forces, here's a taste of some of the malware the nation's Computer Emergency Response Team (CERT) is battling.

To start, the team earlier this month said miscreants had spammed out emails impersonating government agencies containing links to fake Windows antivirus updates. When these were downloaded and run by a victim, more malware was brought onto the machine, including Cobalt Strike Beacon. Beacon gives whoever controls it remote control of the PC: it can run PowerShell scripts, log keystrokes, take screenshots, exfiltrate files, run further malicious code, attempt to move laterally across the network, and so on. Beacon is the implant component of Cobalt Strike, a legit tool developed by HelpSystems mainly for red-team professionals.

According to Ukraine's CERT, the emails appeared to come from Ukrainian government agencies, and outlined ways to improve network security. They also told the recipient to download critical security updates in the form of a 60MB executable file dubbed BitdefenderWindowsUpdatePackage.exe. The actual antivirus maker Bitdefender has, to be clear, nothing to do with this.

The download was hosted by a .fr website that we understand has been taken offline. That site was designed to convince visitors that the executable was legit. Infosec outfit MalwareHunterTeam said it found what it believed to be the command-and-control server used to direct systems infected during this campaign. The domain name used to reach the server was, we're told, later disabled by its registrar Namecheap following the filing of an abuse report.

If the victim downloaded and ran the fake antivirus update, they would see a screen that told them to install a Windows Update package. Rather than upgrade the operating system, though, the code would fetch and run additional binaries from Discord. These would eventually run Cobalt Strike Beacon on the PC.

One of those binaries would also base64-decode a payload, save it to disk, and run it. That program would update the Windows Registry to achieve persistence on the computer, and then download, base64-decode, and run two pieces of malware: GraphSteel and GrimPlant. Both are written in Go, and both open a backdoor to the PC, allowing it to be commandeered from afar.
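The infection chain above, as an added hunting example that is not code from the original article or from Ukraine's CERT: it correlates Sysmon-style events by process tree and flags trees that combine several of the behaviours described, namely execution from a user-writable path, a DNS lookup of Discord's CDN, a dropped executable, a base64-decode idiom on a command line, and a Run-key persistence write. The event schema, the Discord CDN hostname and the sample events are assumptions constructed for the example; the advisory does not name the Registry key the malware used, so the detector watches the well-known Run/RunOnce keys instead.

```python
"""Hunt for the staged fake-update chain in Sysmon-style process telemetry.

Added example. Events are dicts with Sysmon-like fields: id is the Sysmon
event ID (1 process create, 11 file create, 13 registry value set, 22 DNS
query); pguid/parent_pguid stand in for ProcessGuid/ParentProcessGuid. The
sample events are constructed for this example, not telemetry from the campaign.
"""
import re
from collections import defaultdict

# Run/RunOnce keys and the PowerShell -enc / FromBase64String / certutil
# -decode idioms are general Windows facts. Treating the Discord CDN host as
# the download source is an assumption about "binaries from Discord"; the
# advisory does not say which Registry key the malware used for persistence.
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
B64_IDIOM = re.compile(r"-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}|FromBase64String|certutil.*-decode", re.I)
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\(Downloads|AppData)\\|\\Windows\\Temp\\", re.I)
DISCORD_CDN = re.compile(r"(^|\.)discord(app)?\.com$", re.I)


def hunt(events, min_score=2):
    """Attribute each indicator to the top-most observed ancestor process and
    return {root_pguid: {indicator_class: detail}} for trees that hit at least
    min_score distinct indicator classes. Counting distinct classes rather than
    raw hits stops one noisy installer from scoring on a single behaviour."""
    parent = {e["pguid"]: e.get("parent_pguid") for e in events if e["id"] == 1}

    def root(guid):
        seen = set()
        # climb while the parent is itself a process we observed
        while parent.get(guid) in parent and guid not in seen:
            seen.add(guid)
            guid = parent[guid]
        return guid

    hits = defaultdict(dict)
    for e in events:
        r = root(e["pguid"])
        if e["id"] == 1:
            if USER_WRITABLE.search(e["image"]):
                hits[r]["exec-from-user-writable"] = e["image"]
            if B64_IDIOM.search(e.get("cmd", "")):
                hits[r]["base64-decode-idiom"] = e["cmd"]
        elif e["id"] == 11 and USER_WRITABLE.search(e["target"]) \
                and e["target"].lower().endswith(".exe"):
            hits[r]["drops-exe"] = e["target"]
        elif e["id"] == 13 and RUN_KEY.search(e["target"]):
            hits[r]["run-key-persistence"] = f'{e["target"]} = {e["details"]}'
        elif e["id"] == 22 and DISCORD_CDN.search(e["query"]):
            hits[r]["discord-cdn-lookup"] = e["query"]
    return {r: h for r, h in hits.items() if len(h) >= min_score}


# Constructed sample: the fake update (A) resolves the Discord CDN, drops a
# second stage (B) which spawns PowerShell (C) with an encoded command that
# writes a Run key. D is benign noise: a vendor installer registering itself.
SAMPLE_EVENTS = [
    {"id": 1, "pguid": "A", "parent_pguid": "EXPLORER",
     "image": r"C:\Users\olena\Downloads\BitdefenderWindowsUpdatePackage.exe",
     "cmd": "BitdefenderWindowsUpdatePackage.exe"},
    {"id": 22, "pguid": "A", "query": "cdn.discordapp.com"},
    {"id": 11, "pguid": "A", "target": r"C:\Users\olena\AppData\Local\Temp\stage2.exe"},
    {"id": 1, "pguid": "B", "parent_pguid": "A",
     "image": r"C:\Users\olena\AppData\Local\Temp\stage2.exe", "cmd": "stage2.exe"},
    {"id": 1, "pguid": "C", "parent_pguid": "B",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"id": 13, "pguid": "C",
     "target": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "details": r"C:\Users\olena\AppData\Local\Temp\stage2.exe"},
    {"id": 1, "pguid": "D", "parent_pguid": "EXPLORER",
     "image": r"C:\Program Files\Vendor\setup.exe", "cmd": "setup.exe /quiet"},
    {"id": 13, "pguid": "D",
     "target": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Vendor",
     "details": r"C:\Program Files\Vendor\agent.exe"},
]

if __name__ == "__main__":
    for root_guid, reasons in hunt(SAMPLE_EVENTS).items():
        print(f"suspicious process tree rooted at {root_guid}:")
        for cls, detail in reasons.items():
            print(f"  [{cls}] {detail}")
```

Only tree A scores: the vendor installer D writes a Run key too, but that is a single indicator class and stays below the threshold. Lowering min_score to 1 surfaces D as well, which is the usual trade-off when tuning against real telemetry.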

Ukraine's CERT has previously warned of attempts to spread the credential-stealing Formbook, aka XLoader, Windows malware within the nation's state organizations as well as the distribution of the MicroBackdoor Windows software nasty.

The nation's CERT blamed the fake antivirus updates on UAC-0056, aka TA471 or SaintBear, a pro-Russian crew that has targeted Georgia and Ukraine in the past. The MicroBackdoor campaign was blamed on UAC-0051, aka UNC1151, a Belarus-linked gang. The XLoader activity was not attributed to any group we can recognize.

Speaking of Russia... According to the FBI and the US government's Cybersecurity and Infrastructure Security Agency on Tuesday, Kremlin-backed spies broke into an NGO by brute-forcing the weak password of a dormant but still-valid user account, enrolling their own device in that account's multi-factor authentication, and then exploiting PrintNightmare (CVE-2021-34527) to obtain admin privileges and compromise the organization's IT. The intrusion is said to have happened as early as May last year.

Patch or mitigate PrintNightmare across your Windows fleet, and also make sure dormant accounts, and those with weak credentials, cannot be reactivated or re-enrolled in MFA without higher authorization. Un-enrolling an unused account from MFA is not enough on its own: if the account stays enabled in the directory, an attacker who guesses its password can simply enroll a device of their own. Disable such accounts outright, and alert on MFA enrollments that follow a burst of failed logons.
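The check described above, as an added example that is not from the CISA/FBI advisory: given a directory export with last-logon times and a stream of authentication events, it flags MFA enrollments on accounts that had been dormant, or that were preceded by a burst of failed logons, and lists enabled accounts that should simply be disabled. The export format, event schema, thresholds and sample data are assumptions constructed for illustration.

```python
"""Flag MFA enrollments on dormant or brute-forced accounts.

Added example: the directory export, the event schema and the sample events
are all constructed for illustration and are not from the CISA/FBI advisory.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def _ts(s):
    return datetime.fromisoformat(s)


def review_enrollments(accounts, events, dormant_days=90,
                       fail_threshold=10, window_hours=24):
    """Return one finding per MFA enrollment that happened on an account that
    was dormant for more than dormant_days (or never logged on), or that was
    preceded by fail_threshold or more failed logons within window_hours."""
    last_logon = {a["user"]: _ts(a["last_logon"]) if a["last_logon"] else None
                  for a in accounts}
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["time"]):  # ISO timestamps sort lexically
        by_user[e["user"]].append(e)

    findings = []
    for user, evs in by_user.items():
        for i, e in enumerate(evs):
            if e["type"] != "mfa_enroll":
                continue
            t = _ts(e["time"])
            reasons = []
            seen = last_logon.get(user)
            if seen is None or t - seen > timedelta(days=dormant_days):
                reasons.append("enrollment on dormant account (last logon: "
                               f"{seen.date() if seen else 'never'})")
            fails = [x for x in evs[:i] if x["type"] == "logon_failed"
                     and t - _ts(x["time"]) <= timedelta(hours=window_hours)]
            if len(fails) >= fail_threshold:
                reasons.append(f"{len(fails)} failed logons in the "
                               f"{window_hours}h before enrollment")
            if reasons:
                findings.append({"user": user, "time": e["time"],
                                 "device": e.get("device"), "reasons": reasons})
    return findings


def accounts_to_disable(accounts, now, dormant_days=90):
    """Enabled accounts with no logon in dormant_days: candidates for
    disabling outright so they cannot be quietly re-enrolled later."""
    cutoff = _ts(now) - timedelta(days=dormant_days)
    return sorted(a["user"] for a in accounts
                  if a["enabled"] and (not a["last_logon"] or _ts(a["last_logon"]) < cutoff))


# Constructed directory export: a service account nobody has used since 2020
# is still enabled, alongside an active user and an already-disabled leaver.
ACCOUNTS = [
    {"user": "svc-backup", "enabled": True, "last_logon": "2020-11-03T08:12:00"},
    {"user": "alice", "enabled": True, "last_logon": "2021-05-01T17:40:00"},
    {"user": "old-contractor", "enabled": False, "last_logon": None},
]

# Constructed auth events: twelve failed logons against svc-backup, one
# success, then a new MFA device enrolled minutes later; alice enrolls normally.
EVENTS = [{"time": f"2021-05-02T02:{m:02d}:00", "user": "svc-backup", "type": "logon_failed"}
          for m in range(0, 48, 4)] + [
    {"time": "2021-05-02T03:00:00", "user": "svc-backup", "type": "logon_ok"},
    {"time": "2021-05-02T03:05:00", "user": "svc-backup", "type": "mfa_enroll", "device": "Android"},
    {"time": "2021-05-02T09:00:00", "user": "alice", "type": "logon_ok"},
    {"time": "2021-05-02T09:02:00", "user": "alice", "type": "mfa_enroll", "device": "iPhone"},
]

if __name__ == "__main__":
    for f in review_enrollments(ACCOUNTS, EVENTS):
        print(f"{f['time']} {f['user']} enrolled {f['device']}: " + "; ".join(f["reasons"]))
    print("disable:", accounts_to_disable(ACCOUNTS, now="2021-05-02T12:00:00"))
```

Run against the sample data it reports only the svc-backup enrollment, with both reasons, and recommends disabling that account; alice's enrollment on an account used the day before is left alone.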

Meanwhile, ESET this week warned another data-deleting Windows malware strain is being used against Ukrainian organizations. This software nasty, dubbed CaddyWiper, is the third such destructive wiper deployed in Ukraine since around the start of the invasion, the infosec biz reckoned.

The ESET researchers said they detected CaddyWiper on a "few dozen systems in a limited number of organizations." It was compiled the same day it was deployed against those networks. Interestingly, CaddyWiper doesn't share significant code with the two other data-destroying programs seen lately – HermeticWiper and IsaacWiper – and it deliberately skips erasing data on domain controllers.

"This is probably a way for the attackers to keep their access inside the organization while still disturbing operations," ESET noted. CaddyWiper was pushed out through Microsoft Group Policy Objects, much as HermeticWiper was; since pushing a GPO requires domain-level privileges, that indicates its overlords already controlled the victim's network before the wiper ran.

See the above advisories from Ukraine's CERT for details of files and domain names to block to keep out similar attacks. ®

Biting the hand that feeds IT © 1998–2022