Windows malware on Ukraine CERT’s radar right now • The Register


As Ukraine struggles for survival against Russian invaders, here’s a taste of some of the malware the country’s Computer Emergency Response Team (CERT) is fighting.

For starters, the team said earlier this month that miscreants had spammed emails posing as government agencies that contained links to bogus Windows antivirus updates. When these were downloaded and executed by a victim, more malware was introduced to the machine, including Cobalt Strike Beacon, which can take control of the PC with PowerShell scripts, log keystrokes, take screenshots, exfiltrate files, execute other malicious code, attempt to traverse the network, etc. Beacon is a legit tool developed by HelpSystems primarily for red team professionals.

According to Ukraine’s CERT, the emails appeared to come from Ukrainian government agencies and described ways to improve network security. They also asked the recipient to download critical security updates in the form of a 60MB executable file called BitdefenderWindowsUpdatePackage.exe. The real antivirus maker Bitdefender has, to be clear, nothing to do with it.

The download was hosted by a .fr website which we understand has been taken offline. This site was designed to convince visitors that the executable was legitimate. Infosec MalwareHunterTeam said it found what it believed to be the command-and-control server used to direct infected systems during this campaign. The domain name used to reach the server was, we are told, later deactivated by its registrar Namecheap following the filing of an abuse report.

If the victim downloaded and ran the fake antivirus update, they would see a screen asking them to install a Windows Update package. Rather than upgrading the operating system, the code would fetch and run additional binaries from Discord. These would eventually run Cobalt Strike Beacon on the PC.

One of these binaries would also decode a base64 payload, save it to disk, and execute it. This program would update the Windows registry to ensure persistence on the computer, then download, base64 decode and run two malware: GraphSteel and GrimPlant. Both are written in Go and both open a backdoor to the PC, allowing it to be commandeered remotely.

Ukraine’s CERT has previously warned of attempts to spread the Formbook, aka XLoader, Windows credential-stealing malware among state organizations in the country, as well as the distribution of Windows MicroBackdoor software.

The country’s CERT blamed the fake antivirus updates on UAC-0056, aka TA471 or SaintBear, a pro-Russian crew that has targeted Georgia and Ukraine in the past. The MicroBackdoor campaign was blamed on UAC-0051, aka UNC1151, a Belarus-linked gang. The XLoader activity has not been attributed to any group that we can recognize.

Speaking of Russia… According to the FBI and the US government’s Cybersecurity and Infrastructure Security Agency on Tuesday, Kremlin-backed spies broke into an NGO by brute-forcing an idle user’s weak credentials, enrolling a device for authentication multifactor and exploiting PrintNightmare (CVE-2021 -34527) to gain administrator privileges to compromise the organization’s IT. The intrusion would have taken place as early as May of last year.

Make sure not only that you have patched or mitigated PrintNightmare in your Windows fleet, but also that inactive accounts, or those with low credits, cannot be reactivated and re-enrolled without higher permission.

Meanwhile, ESET this week warned that another strain of data-deleting Windows malware was being used against organizations in Ukraine. The malware, dubbed CaddyWiper, is the third destructive wiper deployed in Ukraine since or around the start of the invasion, the infosec industry has estimated.

ESET researchers said they detected CaddyWiper on “a few dozen systems in a limited number of organizations”. It was compiled the same day it was used against the networks. Interestingly, CaddyWiper has no significant code similarity to two other recently seen data destruction programs – HermeticWiper and IsaacWiper – and it does not wipe domain controller information.

“This is likely a way for attackers to keep their access inside the organization while disrupting operations,” ESET noted. CaddyWiper spreads through Microsoft Group Policy Objects, similar to how HermeticWiper spreads, indicating that its overlords already have control of a victim’s network beforehand.

See the above Ukrainian CERT advisories for more details on which files and domain names to block to prevent similar attacks. ®


Comments are closed.