US Cyber Command identifies new strains of malware targeting Ukraine • The Register
US Cyber Command has unveiled 20 new malware strains among the many malware and cyberattacks used against Ukrainian targets over the past few months.
In an alert this week, the Pentagon’s cyberspace wing released indicators of compromise (IOCs) associated with various strains of malware that were found in Ukrainian networks by the country’s security service.
“Our Ukrainian partners actively share with us malicious activity they find to enhance collective cybersecurity, just as we share with them,” US Cyber Command said in a statement. statement Wednesday.
The alert from federal authorities comes as several private security researchers this week published their own research on threats related to the Russian invasion.
Threat intelligence firm Mandiant, which is being acquired by Google, has published research detailing network intrusion attempts by cyber espionage gangs linked to the Belarusian government and the Kremlin.
These campaigns targeted Ukrainian organizations in February and March and used fake public security documents as decoys to trick intended victims into opening spear-phishing attachments.
Meanwhile, we’re also told that Cisco Talos security researchers discovered a “rather rare” type of malware in March targeting a “large software development company” whose software is used by several Ukrainian state organizations.
Talos believes Russian state-sponsored criminals are behind the campaign, which uses a modified version of the GoMet open-source backdoor to gain permanent access to software company networks.
Evacuation lures used as phishing bait
Mandiant’s Last to research on state-sponsored cyber spies provides threat intelligence on two criminal groups, the first of which is identified as UNC1151, and connections to the Belarusian government, but with the caveat: “We cannot exclude Russian contributions to UNC1151 or Ghostwriter activities.” This gang also provides technical support to the pro-Russian group Ghostwriter for its information operations campaigns.
Since the start of the war, UNC1151 has targeted Ukrainian and Polish organizations, and its most recent attempts use a modified version of MicroBackdoor and a decoy that translates to: “What to do? During artillery bombardments by volley fire systems” to spy on victims in Ukraine.
MicroBackdoor is a client backdoor available at GitHub. Mandiant notes that criminals use a modified version, which allows them to take screenshots of victims’ devices — this functionality does not exist in the GitHub version.
Using a compromised Ukrainian account, UNC1151 sent these phishing emails with an attached ZIP file containing the malicious payload. After tricking victims into opening the file, the victim’s computer downloads the backdoor malware, which can upload and download files, execute commands, update itself, and take screenshots. MicroBackdoor also supports HTTP, Socks4 and Socks5 proxies to route traffic.
Mandiant’s research also details a second spy group, UNC2589, which the security firm says “acts in support of Russian government interests” and is now blamed for the WhisperGate data erasure attacks in January ( This data wiping malware has also been linked to Ghostwriter and/or another gang of miscreants backed by the Russian or Belarusian government (suffice it to say they are a pro-Kremlin group).
“We believe that UNC2589 acts in favor of Russian government objectives, but have not uncovered evidence to link it conclusively,” according to Mandiant.
“Although we are tracking UNC2589 as a group of cyber espionage activities, we attributed the January 14 destructive attack on Ukraine using PAYWIPE (WHISPERGATE) to UNC2589,” the report said. “We believe UNC2589 may be capable of engaging in disruptive or destructive cyber operations in the future.”
More recently, the Mandiant team discovered a malicious phishing email using an escape plan, decoyed and filled with self-extracting (SFX) archives that run and install an Arabic version of the Remote Utilities software.
Once running on the victim’s device, UNC2589 uses code to upload and download files to command and control (C2) servers, establish persistence through a boot service, and run remotely malware. On March 27, Mandiant said he discovered this alleged UNC2589 campaign dropping Grimplant and Graphsteel malware on devices of targeted Ukrainian entities.
Grimplant, a backdoor written in GO, performs a system survey which it then uploads to the C2 server and can remotely execute commands on the victim’s device. It communicates with the C2 server through Google RPC using TLS.
Meanwhile, Graphsteel steals data including browser credentials, enumerates drives D to Z and uploads files to C2 server. It also tries to collect email data from Mozilla Thunderbird.
New backdoor targets software development company
Also Cisco Talos discovered modified malware is being used against Ukrainian organizations, in particular a large software company whose products are used by state agencies in the country.
This campaign used a modified version of the open-source GoMet backdoor, and security researchers believe it came from a Russian state-sponsored group – or at least Kremlin sympathizers.
“As this company is involved in software development, we cannot ignore the possibility that the threat actor’s intent was to gain access to the source of a supply chain type attack, although at this time we have no evidence that they were successful,” the report said.
Talos detected the malefactors using a fake Windows update, created by the GotMet dropper, and a “somewhat novel approach to persistence”, according to security researchers.
“It enumerated the autorun values and, instead of creating a new one, replaced one of the existing good software autorun executables with the malware,” Talos explained. “This could potentially avoid detection or hinder forensic analysis.”
The malware has a hardcoded C2 IP actress and it communicates with the C2 server via HTTPS on the default port.
Moreover, the self-signed certificate on this server was issued on April 4, 2021, which Talos says indicates that preparation for this cyber campaign started as early as last year. ®