US Cyber Command spots another 20 malware strains targeting Ukraine
Plus Mandiant, Cisco Talos uncover digital espionage
US Cyber Command has disclosed 20 new strains of malware among the numerous software nasties and cyberattacks being used against Ukrainian targets over the last few months.
In an alert this week, the Pentagon's cyberspace wing made public indicators of compromise (IOC) associated with various malware strains that were found in Ukrainian networks by the country's security service.
"Our Ukrainian partners are actively sharing malicious activity they find with us to bolster collective cyber security, just as we are sharing with them," US Cyber Command said in a statement on Wednesday.
The Feds' alert comes as multiple private security researchers this week issued their own threat research related to the Russian invasion.
Threat intel firm Mandiant, which is being acquired by Google, published research detailing network intrusion attempts by cyberespionage gangs connected to the Belarusian government and the Kremlin.
These campaigns targeted Ukrainian organizations in February and March, and used phony public safety documents as lures to get intended victims to open spear phishing attachments.
Meanwhile, we're also told that Cisco Talos' security researchers in March discovered a "fairly uncommon" type of malware targeting a "large software development company" whose software is used by several Ukrainian state organizations.
Talos believes Russian state-sponsored criminals are behind this campaign, which uses a modified version of the GoMet open-source backdoor to gain persistent access to the software firm's networks.
Evacuation lures used as phish bait
Mandiant's latest research on state-sponsored cyberspies provides threat intel on two criminal groups, the first of which it tracks as UNC1151, and links to the Belarusian government, but with the caveat: "We cannot rule out Russian contributions to either UNC1151 or Ghostwriter activities." This gang also provides technical support to the pro-Russian Ghostwriter group for its information operations campaigns.
Since the war began, UNC1151 has targeted Ukrainian and Polish organizations, and its most recent attempts use a modified version of MicroBackdoor and a lure that translates to: "What to do? During artillery shelling by volley fire systems" to spy on victims in Ukraine.
MicroBackdoor is a client backdoor that's available on GitHub. Mandiant notes that the criminals are using a modified version, which allows them to take screenshots of the victims' devices — this functionality does not exist in the GitHub version.
Using a compromised Ukrainian account, UNC1151 sent out these phishing emails with a ZIP file attached that contained the malicious payload. Once a victim is tricked into opening the file, the victim's computer downloads the backdoor malware, which can upload and download files, execute commands, update itself, and take screenshots. MicroBackdoor also supports HTTP, SOCKS4 and SOCKS5 proxies to route traffic.
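The delivery chain above (a ZIP attachment whose member is really an executable) is the kind of thing a mail gateway or triage script can check before a user ever sees the attachment. The following is an added example, not code from Mandiant or from this article; the sample archive is constructed inline and the file names in it are made up. It flags members with executable extensions, document-looking double extensions such as `plan.pdf.exe`, and members whose content starts with the Windows PE `MZ` magic under a non-executable name.

```python
import io
import zipfile

# Extensions that Windows will run directly; a lure archive usually carries one of these.
EXEC_EXTENSIONS = {".exe", ".scr", ".dll", ".com", ".pif", ".js", ".vbs",
                   ".hta", ".lnk", ".bat", ".cmd", ".ps1"}
# Document extensions that phishing kits put in front of the real one ("report.pdf.exe").
DOC_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}
MZ_MAGIC = b"MZ"  # first two bytes of every PE executable


def inspect_zip(data: bytes) -> list:
    """Inspect a ZIP attachment supplied as bytes and return (member_name, reason) findings."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            # Look only at the basename, lower-cased, split on dots.
            parts = name.lower().rsplit("/", 1)[-1].split(".")
            ext = "." + parts[-1] if len(parts) > 1 else ""
            if ext in EXEC_EXTENSIONS:
                findings.append((name, f"executable extension {ext}"))
            if len(parts) > 2 and ("." + parts[-2]) in DOC_EXTENSIONS:
                findings.append((name, "double extension masquerading as a document"))
            # Content check: a PE header behind a harmless-looking name is the strongest signal.
            with zf.open(info) as member:
                head = member.read(2)
            if head == MZ_MAGIC and ext not in EXEC_EXTENSIONS:
                findings.append((name, "PE header (MZ) with non-executable name"))
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample archive: one benign text file and three disguised executables."""
    pe_stub = MZ_MAGIC + b"\x00" * 62  # just enough bytes to look like a PE header
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "nothing to see")
        zf.writestr("evacuation_plan.pdf.exe", pe_stub)   # double extension + .exe
        zf.writestr("instructions.docx", pe_stub)         # PE bytes under a document name
        zf.writestr("update.scr", pe_stub)                # screensaver, still an executable
    return buf.getvalue()


if __name__ == "__main__":
    for member, reason in inspect_zip(build_sample_zip()):
        print(f"{member}: {reason}")
```

The content check matters more than the name checks: renaming the payload defeats the extension rules, but the `MZ` header is what the loader needs, so it survives any renaming.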
Mandiant's research also details a second espionage group, UNC2589, which the security firm believes acts "in support of Russian government" interests and which it now blames for the WhisperGate data-wiper attacks in January. (That wiper has also been linked to Ghostwriter and/or another Russian- or Belarusian-government-backed gang of miscreants; suffice to say it's a pro-Kremlin group.)
"We believe UNC2589 acts in support of Russian government goals, but have not uncovered evidence to link it conclusively," according to Mandiant.
"Though we track UNC2589 as a cluster of cyber espionage activity, we have attributed the January 14 destructive attack on Ukraine using PAYWIPE (WHISPERGATE) to UNC2589," the report said. "We believe UNC2589 may be capable of engaging in disruptive or destructive cyber operations in the future."
Most recently, Mandiant's team discovered a malicious phishing email using an evacuation-plan-themed lure and packed with a self-extracting (SFX) archive that runs and installs an Arabic version of Remote Utilities software.
Once it's running on the victim's device, UNC2589 uses the code to download and upload files to a command-and-control (C2) server, establish persistence through a startup service, and remotely execute malware. On March 27, Mandiant said it uncovered this suspected UNC2589 campaign dropping Grimplant and Graphsteel malware on targeted Ukrainian entities' devices.
Grimplant, a backdoor written in Go, conducts a system survey that it then uploads to the C2 server, and can remotely execute commands on the victim's device. It communicates with the C2 server over Google RPC using TLS.
Meanwhile Graphsteel steals data including browser credentials, enumerates drives D to Z, and uploads files to the C2 server. It also attempts to collect mail data from Mozilla Thunderbird.
Novel backdoor targets software development firm
Cisco Talos also uncovered modified malware being used against Ukrainian organizations, specifically a large software company whose products are used by state agencies in the country.
This campaign used a modified version of the open-source GoMet backdoor, and the security researchers believe it originated from a Russian state-sponsored group — or at least Kremlin sympathizers.
"As this firm is involved in software development, we cannot ignore the possibility that the perpetrating threat actor's intent was to gain access to source a supply chain-style attack, though at this time we do not have any evidence that they were successful," the report said.
Talos detected the miscreants using a fake Windows update, created by the GoMet dropper, and a "somewhat novel approach to persistence," according to security researchers.
"It enumerated the autorun values and, instead of creating a new one, replaced one of the existing goodware autorun executables with the malware," Talos explained. "This potentially could avoid detection or hinder forensic analysis."
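Replacing the binary behind an existing autorun value leaves the registry looking unchanged, so a detection that only watches for new Run-key entries misses it. What does catch it is a baseline of each autorun value's target path together with the hash of the file at that path, re-checked periodically. The code below is an added example, not Talos' detection logic; the autorun names, paths and file contents are constructed. On a real host the snapshot would be built by reading the `Run` keys and hashing the referenced files, which is not done here so the example runs offline.

```python
import hashlib


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def snapshot_from_files(entries: dict) -> dict:
    """Turn {value_name: (target_path, file_bytes)} into {value_name: (target_path, sha256)}."""
    return {name: (path, sha256_hex(content)) for name, (path, content) in entries.items()}


def diff_autoruns(baseline: dict, current: dict) -> list:
    """Compare two autorun snapshots and return (alert_type, value_name, path) tuples.

    'binary_replaced' is the case described in the article: the registry value and its
    path are untouched, but the executable on disk is no longer the one that was baselined.
    """
    alerts = []
    for name, (path, digest) in current.items():
        if name not in baseline:
            alerts.append(("new_entry", name, path))
            continue
        base_path, base_digest = baseline[name]
        if path != base_path:
            alerts.append(("path_changed", name, path))
        elif digest != base_digest:
            alerts.append(("binary_replaced", name, path))
    for name, (path, _) in baseline.items():
        if name not in current:
            alerts.append(("entry_removed", name, path))
    return alerts


def demo() -> list:
    """Constructed scenario: two legitimate autoruns, one of which is later swapped on disk."""
    updater_path = r"C:\Program Files\Vendor\updater.exe"
    sync_path = r"C:\Program Files\Vendor\sync.exe"
    good_updater = b"MZ-legit-updater-build-1"
    good_sync = b"MZ-legit-sync-build-1"

    baseline = snapshot_from_files({
        "Updater": (updater_path, good_updater),
        "Sync": (sync_path, good_sync),
    })
    # Later snapshot: same value names, same paths, but updater.exe has different bytes.
    current = snapshot_from_files({
        "Updater": (updater_path, b"MZ-something-else-entirely"),
        "Sync": (sync_path, good_sync),
    })
    return diff_autoruns(baseline, current)


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

A hash mismatch on its own will also fire on legitimate software updates, so in practice the alert is paired with a signature check on the new file (is it still signed by the vendor the baseline recorded?) before it is escalated.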
The malware has a hardcoded C2 IP address, and it communicates with the C2 server via HTTPS on the default port.
Additionally, the self-signed certificate on this server was issued April 4, 2021, which Talos noted indicates that preparation for this cyber campaign began as early as last year. ®
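Two of the C2 traits just described are visible to a network defender without any malware analysis: HTTPS to a bare IP address (no hostname, so typically no SNI and no preceding DNS lookup) and a self-signed server certificate (issuer identical to subject). The code below is an added example and not Talos' tooling; it runs a heuristic over constructed JSON-lines TLS log records, using documentation IP ranges, and flags outbound port-443 sessions that show either trait.

```python
import ipaddress
import json

# Constructed sample of a TLS inspection log, one JSON object per line.
SAMPLE_LOG = """\
{"ts": "2022-03-10T08:00:01Z", "src": "10.0.0.5", "dst": "203.0.113.10", "dport": 443, "sni": "", "issuer": "CN=203.0.113.10", "subject": "CN=203.0.113.10"}
{"ts": "2022-03-10T08:00:02Z", "src": "10.0.0.5", "dst": "198.51.100.20", "dport": 443, "sni": "updates.example.com", "issuer": "CN=Example CA", "subject": "CN=updates.example.com"}
{"ts": "2022-03-10T08:00:03Z", "src": "10.0.0.7", "dst": "198.51.100.30", "dport": 443, "sni": "198.51.100.30", "issuer": "CN=Example CA", "subject": "CN=198.51.100.30"}
{"ts": "2022-03-10T08:00:04Z", "src": "10.0.0.7", "dst": "203.0.113.40", "dport": 80, "sni": "", "issuer": "", "subject": ""}
"""


def is_ip_literal(value: str) -> bool:
    """True if the string parses as an IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def session_reasons(rec: dict) -> list:
    """Return the suspicious traits of one TLS session record (empty list if none)."""
    reasons = []
    sni = rec.get("sni", "")
    # Hardcoded-IP C2: the client never had a hostname, so SNI is absent or is itself an IP.
    if sni == "" or is_ip_literal(sni):
        reasons.append("no_sni")
    # Self-signed certificate: the issuer name equals the subject name.
    if rec.get("issuer") and rec.get("issuer") == rec.get("subject"):
        reasons.append("self_signed")
    return reasons


def analyze(log_text: str) -> dict:
    """Map each flagged destination IP to its reasons, considering only HTTPS on port 443."""
    flagged = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("dport") != 443:
            continue
        reasons = session_reasons(rec)
        if reasons:
            flagged[rec["dst"]] = reasons
    return flagged


if __name__ == "__main__":
    for dst, reasons in analyze(SAMPLE_LOG).items():
        print(dst, ",".join(reasons))
```

Neither trait is conclusive on its own (internal services and some update agents also talk to bare IPs with self-signed certificates), which is why the output is a list of reasons per destination rather than a verdict; a certificate whose notBefore date predates the campaign by months, as in the Talos case, is the sort of detail that then gets checked by hand.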