Download the full collection

Summary:

Nodaria (UAC-0056) is targeting Ukraine with new information-stealing malware.   Infostealer.Graphiron malware steals system information, credentials, screenshots, and files from compromised computers.

 Graphiron is a two-stage threat consisting of a downloader (Downloader.Graphiron) and a payload (Infostealer.Graphiron).

The downloader hardcodes C&C server addresses. It checks a malware analysis tool blacklist when performed.

If no blacklisted processes are found, it will download, decrypt, and autorun the payload from a C&C server.  Graphiron uses AES with hardcoded keys. It generates.lock and.trash files. MicrosoftOfficeDashboard.exe and OfficeTemplate.exe are hardcoded file names.

GraphSteel and GrimPlant are comparable to Graphiron. Using PowerShell, GraphSteel exfiltrates files, system information, and password vault credentials. Graphiron can also exfiltrate screenshots and SSH keys.

Summary:

HermeticWiper:

APT responsible: Sandworm (Black Energy, UAC-0082)

Attacks reported: Massive cyberattacks against Ukrainian organizations on February 23, 2022

Disables the Volume Shadow Copy Service (VSS)

Abuses legitimate drivers to corrupt data and render recovery impossible

Targets Windows registry files ntuser.dat and Windows event logs

Triggers system restart rendering the targeted host inoperable

SHA256: 0385eeab00e946a302b24a91dea4187c1210597b8e17cd9e2230450f5ece21da

HermeticRansom:

APT responsible: Sandworm (Black Energy, UAC-0082)

Attacks reported: Cyberattacks against Ukrainian organizations on February 23, 2022

Written in Go language

Enumerates available drives and renames selected files

Encrypts file contents using AES algorithm

Creates a read_me.html file with a ransom note

SHA256: 4dc13bb83a16d4ff9865a51b3e4d24112327c526c1392e14d56f20d6f4eaf382

IsaacWiper:

APT responsible: Gamaredon (Primitive Bear, Armageddon)

Attacks reported: Cyberattacks against Ukrainian government organizations on February 24, 2022

Overwrites existing content with random bytes

Renames files it can't access and attempts to wipe newly renamed files

Creates a log file with corrupting activity progress

SHA256: 13037b749aa4b1eda538fda26d6ac41c8f7b1d02d83f47b0d187dd645154e033

AcidRain:

APT responsible: Unknown

Attacks reported: Cyberattacks against Viasat’s KA-SAT network and Enercon wind turbines on February 24, 2022

Overwrites files and symbolic links with random data from the memory buffer

Avoids certain directories if executed with root permissions

Triggers a device reboot after wiping

SHA256: 9b4dfaca873961174ba935fddaf696145afe7bbf5734509f95feb54f3584fd9a

LoadEdge (InvisiMole):

APT responsible: InvisiMole (UAC-0035)

Attacks reported: Email phishing attacks on Ukrainian government organizations on March 18, 2022

Supports functionalities such as file execution, upload, download, deletion, and obtaining system information

Communication with C&C uses HTTP and JSON formatted data

Persistence provided by HTA file creating an entry under the Run registry key

Resembles an upgraded version of InvisiMole's TCP downloader component

SHA256: fd72080eca622fa3d9573b43c86a770f7467f3354225118ab2634383bd7b42eb

GraphSteel & GrimPlant:

APT responsible: UNC2589 Ember Bear, Lorec53, UAC-0056

Attacks reported: Email phishing attacks on Ukrainian government organizations on March 11, March 28, and April 26, 2022

Both written in Go language

GrimPlant is a simple backdoor allowing for remote execution of PowerShell commands

GraphSteel exfiltrates data and steals credentials using

Summary:

UNC1151 is a group that is believed to be sponsored by Belarus and has frequently used the access and information gained by their intrusions to support information operations tracked as “Ghostwriter.”
UNC2589 is believed to act in support of Russian government interest and has been conducting extensive espionage collection in Ukraine.
UNC2589 uses spear phishing campaigns with various themes, including COVID-19 and the war in Ukraine, and has used a variety of different infrastructure.
Mandiant has attributed the January 14 destructive attack on Ukraine using PAYWIPE (WHISPERGATE) to UNC2589.
GRIMPLANT is a backdoor used by UNC2589 and GRAPHSTEEL is an infostealer.
Mandiant analyzed a malicious document with an evacuation plan-themed lure, which was likely used by UNC2589 to target Ukrainian entities in a phishing campaign in late February 2022.
The malware was delivered via phishing email and the Remote Utilities utility was installed upon execution.
Remote Utilities allows attackers to set persistence through creating a startup service.
Mandiant Intelligence discovered another likely UNC2589-related phishing campaign targeting Ukrainian entities with GRIMPLANT and GRAPHSTEEL malware on March 27, 2022.

The malware was delivered via phishing email and was dropped onto the victim machine through a macro in an XLS document.

Summary:

The malware appears to be designed to render targeted devices inoperable rather than to obtain a ransom, unlike typical ransomware attacks.

The malware has been identified on dozens of systems in Ukraine, including multiple government, non-profit, and information technology organizations.

MSTIC assesses that this activity represents an elevated risk to any organization located or with systems in Ukraine.

The malware operates in two stages: Stage 1 overwrites the Master Boot Record (MBR) with a ransom note, and Stage 2 is a file corrupter that overwrites files with a fixed number of 0xCC bytes.

Microsoft has implemented detections for this malware family as WhisperGate and is continuing its investigation.

MSTIC recommends organizations to investigate the provided indicators of compromise (IOCs), enable multifactor authentication, and enable Controlled Folder Access in Microsoft Defender for Endpoint to prevent MBR/VBR modification.

The detections in place across Microsoft security products include DoS:Win32/WhisperGate.A!dha, DoS:Win32/WhisperGate.C!.dha, DoS:Win32/WhisperGate.H!dha, and DoS:Win32/WhisperGate.X!dha.

Summary:

HermeticWiper: Malware that makes a system inoperable by corrupting its data. It disables the Volume Shadow Copy Service, wipes the MBR, MFT, and NTUSER files, and overwrites various folders with random bytes generated by CryptGenRandom.

HermeticWizard: Worm that spreads HermeticWiper across a local network via WMI and SMB. It is a DLL file that exports functions DllInstall, DllRegisterServer, and DllUnregisterServer. It gathers IP addresses on a network, and when it finds a reachable machine, drops HermeticWiper and executes it.

HermeticRansom: Ransomware written in Go that encrypts files and displays a ransom message to the victim.

Threat actors TTPs:

Initial access: Unknown for both HermeticWiper and IsaacWiper, although it is suspected that the attackers may have used tools such as Impacket to move laterally. HermeticWiper was deployed in at least one instance through the default domain policy (GPO), suggesting the attackers had prior access to the victim's Active Directory server.

Lateral movement: HermeticWizard worm was used to spread HermeticWiper across the compromised networks via SMB and WMI.

Persistence: HermeticWiper and HermeticWizard are signed by a code-signing certificate assigned to Hermetica Digital Ltd issued on April 13th, 2021, which was not stolen, but instead likely obtained by attackers impersonating the Cypriot company to get this certificate from DigiCert.

Malware delivery: HermeticWiper and HermeticWizard were deployed through various methods, including GPO and the use of Impacket tools. HermeticRansom was deployed through GPO in at least one instance.

Attribution: ESET researchers have not yet found any tangible connection with a known threat actor. The malware families do not share any significant code similarity with other samples in the ESET malware collection.

Summary:

The threat group UAC-0056 is targeting government organizations and companies involved with critical infrastructure in Ukraine and other countries. Their primary goal is to steal sensitive information for situational awareness and leverage in dealing with Ukraine.

The initial loader Trojan is used as a simple wrapper for the next few stages.

The packer used to pack and obfuscate the initial loader allows cloning .NET assemblies from other binaries and certificates.

The decrypted DLL, named SHCore2.dll, is obfuscated.

The stager contains anti-analysis functionality, including checks to refuse to execute inside a virtual machine or on bare metal systems.

The stager will decrypt and execute a total of four embedded binaries.

OutSteel is a file uploader and document stealer developed with the scripting language AutoIT. It searches for files with specific extensions and uploads them to a hardcoded command and control server.

The Windows_defender_disable.bat is used to disable Windows Defender functionality.

The SaintBot .NET Loader is composed of several stages with varying levels of obfuscation.

The SaintBot Payload is capable of downloading further payloads and updating itself on disk.

The threat actors use different social engineering themes in their attacks, such as cryptocurrency, COVID, law enforcement, and fake resumes.

Email is used as the attack vector, and different infection chains are used to compromise systems.

The threat group has overlaps with previous attack campaigns focused on other organizations in Ukraine and Georgia, as well as other nations’ assets local to Ukraine.

The attackers used Discord’s content delivery network (CDN) to host the payload.

The threat group makes use of several hardcoded command and control (C2) servers, all reaching out to the same endpoint.

Summary:

 A new APT group named Lorec53 was identified by NSFOCUS Security Labs and confirmed by the Ukrainian Computer Emergency Response Center (UAC-0056).

Lorec53 is active in Eastern Europe and has been involved in large-scale cyber espionage attacks against Ukraine and Georgia.

The group has strong infiltration ability and flexible attack methods, using phishing attacks and social engineering techniques.

Lorec53 targets key state sectors such as the Ministry of Defense, Ministry of Finance, embassies, state-owned enterprises, and public medical facilities to collect personnel information.

The group has Russian-linked characteristics in attack tools, domain names, and asset location.

Victims of the Lorec53 group include the National Bank of Iran, Georgia’s Ministry of Epidemic Prevention and Health, Ukraine’s Ministry of Defense, Presidential Office, Ministry of the Interior, and Border Service.

A recent long wave of attacks from Lorec53 targeted a wide range of victims using baits such as Ukrainian government documents, shortcut files, and cpl files.

The group used 3 domain names (3237.site, stun.site, and eumr.site) as download servers for phishing files.

Lorec53 employed known Trojan programs including LorecDocStealer (OutSteel), LorecCPL, and SaintBot.

The first phishing attack in this wave used phishing documents referring to a presidential decree and the second attack used PDF and DOCX files with malicious macros.

The third attack used a phishing document in .zip format targeted at the Ukrainian medical system.

The main purpose of these attacks is still information gathering and the TTPs of the Lorec53 group are evident at each stage.

Summary:

Threat Campaign: Spear-phishing emails with malicious attachments used to steal files from victims' machine.

Malware: Infostealer "OutSteel" that uploads stolen files to a Command and Control server. Downloader used to load OutSteel is the BabaDeda crypter.

Threat Actor: State-sponsored group "Lorec53" (as named by NSFocus), suspected of being employed by high-level espionage organizations to target government employees in Georgia and Ukraine.

TTPs:

BabaDeda Crypter is an evasive malware that acts as an installer and executes a shellcode stored encrypted in a file (xml or pdf).

The first stage of the attack is downloading the BabaDeda crypter from a malicious LNK file or WORD template document.

The BabaDeda crypter first loads and runs a malicious DLL, which then loads and executes another malicious DLL in another thread.

The first DLL reads and parses the shellcode and writes it in the main binary's text section.

The decrypted shellcode extracts the loader shellcode and the payload, then decrypts them and transfers execution to the decrypted loader shellcode.

The final payload is OutSteel, which exfiltrates stolen documents to a specified URL.

The second malicious library is a mere downloader that downloads the next stage of the attack.

BabaDeda Crypter

LorecCPL downloaders

Outsteel Infostealer

TTPs (Tactics, Techniques, and Procedures):

Persistence achieved by creating a link file in the start-up directory using the IShellLinkW interface

Payload execution after decryption

Self-deletion routine

File size checking before execution

Downloading and running the next stage in a new process

Code overlap with WhisperGate malware

Hosting the archive on Discord

Using CPL files to trick uneducated users into executing the malware

Using xor decryption to hide the real code

Putting arguments on the stack and using them in functions

Downloading the final payload from a URL

Packing the final payload with ASProtect

Exfiltrating documents to a C2 server

2022-02-08 NSFocus - Apt Retrospection: Lorec53, An Active Russian Hack Group Launched Phishing Attacks Against Georgian Government 
PDF: https://contagio.deependresearch.org/read/Ember_Bear_2022_APT_Retrospection__Lorec53%2C_An_Active_Russian_Hack_Group_Launched_Phishing_Attacks_Against_Georgian_Government.pdf

Summary:

In July 2021, a phishing campaign was discovered targeting Georgian government officials and using current political issues to create bait for specific victims.

The campaign utilized phishing documents named "828-ში ცვლილება.doc" and "დევნილთა 2021-2022 წლების სტრატეგიის სამოქმედო გეგმა.doc" to lure victims into enabling the editing feature of Office and executing malicious macros.

The malicious macros created a C# Dropper Trojan that downloaded and executed an AutoIt executable doc, a customized Trojan designed to steal various document-typed files from the victim's computer.

The attacker, tentatively named Lorec53, has been linked to a similar phishing campaign against the Ukrainian government in April 2021.

The attacker is believed to be a Russian hacking group that uses known generation tools to build the attack process and has a bias toward espionage operations.

The attacker controls a large amount of attack resources in the Russian network domain and has been found to conduct long-term vulnerability scanning activities.

Summary:

WhisperGate MBR payload: Tampering with the Master Boot Record (MBR) to render the system inoperable. The ransomware note is stored in a buffer that is written over the MBR.

Discord downloader and injector: After gaining a foothold, the stage 2 binary downloads and launches a payload via Discord, which then launches a number of events such as adding Windows Defender exclusion, stopping Windows Defender, and deleting the Windows Defender directory.

File corruptor: The file corruptor payload is loaded in memory via process hollowing and targets any local hard drives, attached USB drives, or mounted network shares. The file corruptor scans directories for files matching specific extensions, overwrites the start of each file with 1MB of static data, renames each file with a randomized extension, and deletes itself.

 

Summary:

The DEV-0586 APT group targeted Ukrainian organizations with WhisperGate wiper malware.

WhisperGate is a two-stage wiper malware that masquerades as ransomware. The initial access stage is unknown, but it is suspected to be a supply chain attack.

In its first stage, WhisperGate overwrites the Master Boot Record (MBR) with a fake ransom note, making the infected system unable to boot up.

In its second stage, WhisperGate corrupts files with certain extensions by overwriting them and renaming them with a random four-byte extension.

DEV-0586 uses the following TTPs in their WhisperGate campaign:

Execution: The first stage uses Windows Command Shell and the second stage uses PowerShell to connect to its Command and Control server.

Defense Evasion & Persistence: WhisperGate modifies the MBR to evade defense and deliver its payload in Base64 encoding.

Discovery: The second stage searches for specific file extensions in certain directories.

Command and Control: The second stage downloads file corruptor payload from a Discord channel hosted by the APT group.

Impact: WhisperGate overwrites the MBR and files, affecting their integrity.

Summary:

The Elephant malware is a threat group associated with pro-Russian cyber attacks, primarily focused on cyber espionage with a focus on key state sectors in Ukraine. The group, also known as UAC-0056, Lorec53, UNC2589, EmberBear, LorecBear, BleedingBear, SaintBear, and TA471, has been active since at least March 2021. The malware is part of the Elephant Framework, a collection of tools written in the Go language and deployed in recent phishing attacks on .gov.ua targets.

The Elephant Framework uses the spear-phishing tactic for initial compromise, with emails originating from spoofed Ukrainian email addresses and using social engineering techniques. The launcher component, written in Go language or Python, downloads the malware payload and establishes persistence. The downloader component, Java-sdk.exe, also written in Go, is responsible for downloading the Elephant Framework, which includes two components: GrimPlant, a backdoor that allows remote execution of PowerShell commands, and GraphSteel, a stealer used for data exfiltration of credentials, certificates, passwords, and other sensitive information.

GraphSteel exfiltrates information using WebSockets and the GraphQL query language, with all communication encrypted using the AES cipher. The malware runs a heartbeat routine every 20 seconds and an exfiltration routine every 20 minutes, exfiltrating files from designated folders and harvests credentials from various sources.

In one reported phishing campaign, the malware deployed a parallel deployment of Cobalt Strike Beacon, which downloads another executable from Discord. The C&C server used by the Elephant Framework is different from the one used by the Cobalt Strike Beacon.

2021-04-06 Malwarebytes - A deep dive into Saint Bot, a new downloader
PDF: http://contagio.deependresearch.org/read/Nodaria_2022_A_deep_dive_into_Saint_Bot%2C_a_new_downloader.pdf

Summary:

In March 2021, Malwarebytes analysts discovered a phishing email that contained a zip file with unfamiliar malware.

The malware was a PowerShell script disguised as a link to a Bitcoin wallet, which led to the download of a lesser-known malware called Saint Bot. Saint Bot is a downloader that can be used to distribute various types of malware and is being actively developed.
The malware is distributed through phishing emails with a zip attachment that lures victims with the promise of accessing a Bitcoin wallet.

The malware employs a variety of techniques, including obfuscation and anti-analysis techniques, process injection, and command and control infrastructure and communication.
The initial malware is a .NET downloader that carries another .NET binary in its resources.

The second .NET binary is responsible for downloading and deploying two executables, one that disables Windows Defender and another that is the main payload. The main payload is heavily obfuscated and sets up persistence by installing itself in the startup directory and creating a new 

The content sent to/from the C2 is obfuscated using an algorithm that is different from the one used to obfuscate internal strings.

2021-11 NSFocus - 2021 Analysis Report on Lorec53 Group 
PDF: https://s3.amazonaws.com/contagio.deependresearch.org/read/EmberBear+_2021_-Lorec53-Group+(1).pdf

Summary:

A new APT group called Lorec53 has been identified by NSFOCUS Security Labs, targeting Eastern European countries like Ukraine and Georgia with espionage attacks against government workers.

Lorec53 uses a variety of social engineering techniques, such as phishing attacks, watering hole sites, and lnk script execution, along with temporary domain names like .site, .space, .xyz, and others.

The group has acted like a mercenary hacker group by using the attack methods and network facilities of other hacker groups to launch unique downloaders and spy Trojan programs.

Lorec53's attack payloads include Trojan horse programs like LorecCPL and LorecDocStealer, which have not been seen in other spying activities.

The group prefers to use attack resources from Russia, such as servers owned by Russian service providers and registrants and Trojan horse programs from Russian hacker forums or black markets.

The group's phishing attacks involve fake documents with malicious macros that download and run the LorecDocStealer Trojan, and fake download pages disguised as Adobe Acrobat DC readers, among others.

Lorec53 has also used fake websites, including a fake website for the President of Ukraine, to lure people in and send them malware.

The group is suspected to have been behind a phishing campaign that targeted Iran's Android app, using watering hole sites and an Android Trojan called Pardakht to steal SMS messages from Iranian cell phone users.