Back

Recent Developments in Russian-Ukrainian Cyber Warfare, March 23, 2022

banner-alert

Over the past week, researchers detected some new campaigns being employed against Ukrainian organizations as part of the ongoing conflict between Russia and Ukraine. These include a phishing campaign pushing fake Windows security updates and a new wiper named CaddyWiper. Ukrainian officials also issued a warning about the ongoing attacks of InvisiMole, a hacking group connected to the Russian advanced persistent threat (APT) group Gamaredon.

Additionally, the Cybersecurity and Infrastructure Security Agency (CISA) reported a Russian state-sponsored operation that has been active since May 2021. In this operation, the threat actors exploit default Multi-Factor Authentication (MFA) protocols to obtain initial access to organizations.

Fake Windows Antivirus Updates Deploy Cobalt Strike

Ukraine’s Computer Emergency Response Team (CERT-UA) is warning that threat actors are distributing fake Windows antivirus (AV) updates that install and allow deploying Cobalt Strike and other malicious software.

In this case, there is a mass distribution of phishing emails impersonating Ukrainian governmental agencies. The phishing emails seem to be providing the targets “recommendations” and instructions on how to increase network security. The email’s content includes a link to a “French website” (now offline), which advises the targets to download “critical security updates,” in the form of a 60 MB file named “BitdefenderWindowsUpdatePackage.exe.” In addition, another website was discovered to be acting as the Command and Control (C&C) server for this campaign.

When the user downloads and runs this fake antivirus update, they are prompted to install a “Windows Update Package.” However, this in turn downloads and installs a file from the Discord CDN, which is a Cobalt Strike beacon. The same process fetches a Go downloader, which decodes and executes a base-64-encoded file. This file adds a new Windows registry key for persistence and downloads two more payloads – the GraphSteel backdoor and the GrimPlant backdoor. Moreover, it has been noted that all executables in the campaign are packed on the Themida tool, a defense evasion technique that protects them from reverse engineering, detection, and analysis.

Not many technical details have been provided on these two payloads; however, both backdoors, GraphSteel and GrimPlant, are malwares written in the Go language. The capabilities of these backdoors include reconnaissance, command execution, and file operations.

Specifically, GraphSteel’s features include gathering hostname, username, and IP address information, execution of commands, stealing account credentials, and using WebSocket and GraphQL to communicate with C2 using AES and base64 encryption. Regarding GrimPlant’s capabilities, it can gather IP addresses, hostnames, OS, usernames, and home dir. It can also execute commands received remotely and return results to C2. Lastly, it uses gRPC (HTTP/2+SSL) for C2 communication.

When it comes to attribution, the CERT-UA has associated - with medium confidence - the detected activity to the UAC-0056 group. It is a sophisticated Russian-speaking APT that uses a combination of phishing emails and custom backdoors to collect information from Ukrainian organizations. It has been observed increasing its phishing distribution and network compromise efforts in Ukraine since December 2021.

Ukraine’s Computer Emergency Response Team (CERT-UA) is warning that threat actors are distributing fake Windows antivirus (AV) updates.

CaddyWiper Targets Ukrainian Organizations

A newly discovered destructive data wiper was observed in attacks targeting Ukrainian organizations. The wiper malware, named CaddyWiper, has been observed destroying user data and partition information from attached drives across systems on compromised networks. The wiper has been spotted on several systems in a limited number of organizations.

The malware is designed to wipe data across Windows domains, and it uses the function DsRoleGetPrimaryDomainInformatio() to check if the given device is a domain controller, in which case it will not destroy it. It is believed that this tactic is used by the threat actor to maintain access inside the compromised networks of the organizations they target, all while they still heavily disturb operations by wiping other critical devices.

Also, the PE header of a sample discovered on the network of an undisclosed Ukrainian organization shows that the malware was deployed in attacks the same day it was compiled. The sample was not digitally signed, unlike both HermeticWiper and IsaacWiper.

It seems that CaddyWiper does not bear major code similarities to both HermeticWiper and IsaacWiper. However, much like HermeticWiper, there is evidence that suggests that the threat actors behind CaddyWiper have infiltrated the target’s network before deploying the wiper. This was concluded as CaddyWiper was observed being deployed via GPO.

A newly discovered destructive data wiper was observed in attacks targeting Ukrainian organizations. The wiper malware, named CaddyWiper, has been observed destroying user data and partition information from attached drives across systems on compromised networks.

InvisiMole Campaign Linked to Gamaredon APT Is Targeting Ukrainian Organizations

Security officials in Ukraine have warned of ongoing attacks by InvisiMole, a hacking group connected to the Russian advanced persistent threat (APT) group Gamaredon. CERT-UA stated that the department has been advised of new phishing campaigns against organizations in Ukraine, which spread the LoadEdge backdoor.

According to CERT-UA, the phishing emails that are being sent have an attached archive, 501_25_103.zip, together with a shortcut (LNK) file. If they are opened, an HTML Application file (HTA) downloads and executes VBScript that’s designed to deploy LoadEdge.

After the backdoor forms a link to an InvisiMole command-and-control (C2) server, other malware payloads are deployed and executed, such as: TunnelMole, malware that abuses the DNS protocol to form a tunnel for malicious software distribution; and RC2FM and RC2CL, backdoor modules for data collection and surveillance. Persistence is maintained via the Windows registry.

The hacking group InvisiMole was initially identified in 2018. The threat actors were active since 2013 (if not earlier). They were connected to attacks against organizations in Eastern Europe involved in military and diplomatic activities. (Read more on ZDNet here.)

CISA Reports a Russian State-Sponsored Group That Exploits Default MFA Protocols and the PrintNightmare Vulnerability

The CISA provided a report about a Russian state-sponsored threat actor that achieved initial access into organizations by exploiting default MFA protocols and the PrintNightmare vulnerability (CVE-2021-34527) since May 2021.

The threat actors successfully added a new device for MFA that is used to access a network by taking advantage of misconfigured accounts set to default MFA protocols. This was done after the threat actors used compromised credentials of non-governmental organizations that use Cisco’s Duo MFA. The victim account had been un-enrolled from Duo due to a long period of inactivity, but was not disabled in the Active Directory.

The CISA provided a report about a Russian state-sponsored threat actor that achieved initial access into organizations by exploiting default MFA protocols and the PrintNightmare vulnerability.

Using the compromised account, the threat actors exploited the PrintNightmare vulnerability to escalate privileges. PrintNightmare is a critical Windows Print Spooler vulnerability that has been massively exploited in the wild since it was published in 2021. In addition, the threat actors modified the domain controller ‘hosts’ file to redirect Duo MFA calls to localhost instead of the Duo server. This change prevented the MFA service from contacting its server to validate the MFA login – which effectively disabled MFA for active domain accounts.

Next, the threat actors successfully authenticated to the victim’s VPN and created RDP connections to Windows domain controllers. The threat actors obtained additional domain accounts and changed the MFA configuration file in the same way described earlier. Finally, the threat actors performed lateral movement and access to cloud storage, email accounts, and other sensitive data.

Interested in learning more about how you can protect your organization from cyber attack with CyberProof’s Managed Detection & Response services? Contact us!