28 October 2024

Hacker News

Russian Espionage Group Targets Ukrainian Military with Malware via Telegram

The Hacker News | #1 Trusted Cybersecurity News Site
Oct 28, 2024 
A suspected Russian hybrid espionage and influence operation has been observed delivering a mix of Windows and Android malware to target the Ukrainian military under the Telegram persona Civil Defense.
Google's Threat Analysis Group (TAG) and Mandiant are tracking the activity under the name UNC5812. The group operates a Telegram channel named civildefense_com_ua, which was created on September 10, 2024 and, as of writing, has 184 subscribers. It also maintains a website at civildefense.com[.]ua that was registered on April 24, 2024.

"'Civil Defense' claims to be a provider of free software programs designed to enable potential conscripts to view and share crowdsourced locations of Ukrainian military recruiters," the company said in a report shared with The Hacker News.

  • Should these programs be installed on Android devices that have Google Play Protect disabled, they are engineered to deploy an operating system-specific commodity malware along with a decoy mapping application dubbed SUNSPINNER.
  • UNC5812 is also said to be actively engaged in influence operations, disseminating narratives and soliciting content intended to undermine support for Ukraine's mobilization and military recruitment efforts.

"UNC5812's campaign is highly characteristic of the emphasis Russia places on achieving cognitive effect via its cyber capabilities, and highlights the prominent role that messaging apps continue to play in malware delivery and other cyber dimensions of Russia's war in Ukraine," Google Threat Intelligence Group said.

Civil Defense, which has had its Telegram channel and website promoted by other legitimate, established Ukrainian-language Telegram channels, aims to direct victims to its website from where malicious software is downloaded depending on the operating system.

For Windows users, the ZIP archive leads to the deployment of a newly discovered PHP-based malware loader named Pronsis, which is used to distribute SUNSPINNER and an off-the-shelf stealer known as PureStealer that is advertised for anywhere from $150 for a monthly subscription to $699 for a lifetime license.

SUNSPINNER, for its part, displays to users a map that renders purported locations of Ukrainian military recruits from an actor-controlled command-and-control (C2) server.
For those who are navigating to the website from Android devices, the attack chain deploys a malicious APK file (package name: "com.http.masters") that embeds a remote access trojan referred to as CraxsRAT.
  • The website also includes instructions that guide victims on how to disable Google Play Protect and grant the app all the permissions it requests, allowing the malware to function unimpeded.
CraxsRAT is a notorious Android malware family that comes with capabilities for remote device control and advanced spyware functions such as keylogging, gesture manipulation, and recording of cameras, screens, and calls.
After the malware was publicly exposed by Cyfirma in late August 2023, EVLF, the threat actor behind the project, decided to cease activity, but not before selling their Telegram channel to a Chinese-speaking threat actor.
As of May 2024, EVLF is said to have stopped development on the malware due to scammers and cracked versions, but said they are working on a new web-based version that can be accessed from any machine.
"While the Civil Defense website also advertises support for macOS and iPhones, only Windows and Android payloads were available at the time of analysis," Google said.
"The website's FAQ contains a strained justification for the Android application being hosted outside the App Store, suggesting it is an effort to 'protect the anonymity and security' of its users, and directing them to a set of accompanying video instructions."


CERT-UA

Computer Emergency Response Team of Ukraine 

CERT-UA is the Government Computer Emergency Response Team of Ukraine, which operates as part of the State Service of Special Communications and Information Protection of Ukraine.

Since 2009 it has been an accredited member of FIRST, the Forum of Incident Response and Security Teams (https://www.first.org/members/teams/cert-ua).

CERT-UA tasks:
  • collecting and analysing data on cyber incidents, and maintaining the state register of cyber incidents;
  • providing owners of cybersecurity objects with practical assistance in preventing, detecting and remediating the consequences of cyber incidents affecting those objects;
  • organising and holding practical cybersecurity seminars for entities of the national cybersecurity system and owners of cybersecurity objects;
  • preparing and publishing on its official website recommendations for countering current types of cyberattacks and cyber threats;
  • interacting with law enforcement agencies and informing them of cyberattacks in a timely manner;
  • interacting with foreign and international organisations on cyber incident response, in particular through participation in FIRST (Forum of Incident Response and Security Teams), including payment of annual membership fees;
  • interacting with Ukrainian computer emergency response teams and with other enterprises, institutions and organisations, regardless of form of ownership, whose activities relate to the security of cyberspace;
  • processing reports from citizens about cyber incidents affecting cybersecurity objects;
  • assisting state bodies, local governments, military formations established in accordance with the law, enterprises, institutions and organisations regardless of form of ownership, and citizens of Ukraine in resolving cybersecurity issues and countering cyber threats.


Cyberattack UAC-0001 (APT28): PowerShell command in the clipboard as an "entry point" (CERT-UA#11689)

The government computer emergency response team CERT-UA is investigating the distribution of e-mails to local government bodies with the subject "Replacement of the table" and a link that imitates a Google spreadsheet.

10/25/2024


RDP configuration files as a means of obtaining remote access to a computer, or "Rogue RDP" (CERT-UA#11690)

10/23/2024

General information

On 10/22/2024 the Government Computer Emergency Response Team of Ukraine (CERT-UA) received information about a mass distribution of e-mails to public authorities, enterprises in major industries and military formations. The subjects of the e-mails referred to a supposed "integration" with Amazon and Microsoft services and to the introduction of a Zero Trust Architecture (ZTA).

The e-mails carried Remote Desktop Protocol configuration files (".rdp") as attachments; launching one established an outgoing RDP connection to the attacker's server.

  • Because of the parameters set in the RDP file, such a connection not only gave the remote server access to the local computer's disks, network shares, printers, COM ports, audio devices, clipboard and other resources, but also created the technical preconditions for running third-party programs or scripts on the victim's computer.
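The RDP settings that produce this effect are ordinary key:type:value lines in the .rdp file, so an attachment can be triaged before anyone opens it. The following is an added example, not code from the advisory: it parses a constructed .rdp file (the host name is invented) and reports the resource-redirection settings and the external target the text describes.

```python
import ipaddress
import re

# Constructed sample .rdp attachment (not from the advisory); lines are key:type:value.
SAMPLE_RDP = """\
full address:s:eu-central-1.example-aws.invalid:3389
remoteapplicationmode:i:1
drivestoredirect:s:*
redirectclipboard:i:1
redirectprinters:i:1
redirectcomports:i:1
audiocapturemode:i:1
"""

# Settings that hand local resources, or control over what runs, to the remote host.
RISKY = {
    "drivestoredirect": "local drives shared with the remote server",
    "redirectclipboard": "clipboard shared with the remote server",
    "redirectprinters": "printers redirected",
    "redirectcomports": "COM ports redirected",
    "audiocapturemode": "microphone redirected",
    "remoteapplicationmode": "RemoteApp mode: the server decides which program is launched",
}

def parse_rdp(text):
    """Return {key: (type, value)} for every well-formed line of a .rdp file."""
    settings = {}
    for line in text.splitlines():
        m = re.match(r"^([^:]+):([si]):(.*)$", line.strip())
        if m:
            settings[m.group(1).strip().lower()] = (m.group(2), m.group(3))
    return settings

def assess_rdp(text):
    """Return (target host, list of findings) for one .rdp file's contents."""
    s = parse_rdp(text)
    target = s.get("full address", ("s", ""))[1].rsplit(":", 1)[0]
    findings = []
    try:
        external = not ipaddress.ip_address(target).is_private
    except ValueError:
        external = bool(target)  # a DNS name: treat as external without resolving it
    if external:
        findings.append(f"outbound RDP connection to external host {target}")
    # string settings are active when non-empty ('*' = everything), integers when 1
    for key, why in RISKY.items():
        t, v = s.get(key, ("", ""))
        if (t == "s" and v.strip()) or (t == "i" and v.strip() == "1"):
            findings.append(why)
    return target, findings
```

A mail gateway or sandbox can run the same check on every ".rdp" attachment and quarantine those that combine an external target with any redirection setting.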

According to information from counterpart organisations in other countries, the activity has a broad geography.

A study of related domain names suggests that the infrastructure for these cyberattacks has been prepared since at least August 2024.

  • Please note that the IP addresses and domain names listed in the "Cyber threat indicators" section were identified through a number of pivoting steps and may not be directly related to the cyber incident in question.

The attack surface can be reduced by a combination of technical measures, in particular:

  • blocking ".rdp" files on the mail gateway
  • blocking the ability of users to run any ".rdp" files (with exceptions created where needed)
  • firewall rules that limit the ability of mstsc.exe to establish RDP connections to Internet resources
  • group policies (administrative templates) that prohibit redirection of local computer resources over RDP ("Remote Desktop Services" -> "Remote Desktop Session Host" -> "Device and Resource Redirection" -> "Do not allow ...")

To find possible signs of this cyber threat, we recommend checking network logs for interaction with the listed IP addresses and domain names, and separately, for the current month, analysing the legitimacy of all outbound network connections to any IP address on the Internet on port 3389/tcp.
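The outbound-3389 check recommended above, as an added example that is not part of the advisory: it scans constructed connection-log lines (the log format and the internal address ranges are assumptions) for outbound RDP sessions to hosts outside the organisation's own networks, and optionally marks destinations that match a supplied indicator list.

```python
import ipaddress

# Constructed sample connection log (not from the advisory). Fields per line:
# timestamp, process, source ip:port, destination ip:port, direction.
SAMPLE_LOG = """\
2024-10-22T09:14:02Z mstsc.exe 10.1.4.22:51234 10.1.0.8:3389 outbound
2024-10-22T09:31:47Z mstsc.exe 10.1.4.22:51310 203.0.113.45:3389 outbound
2024-10-22T09:32:05Z chrome.exe 10.1.4.22:51322 198.51.100.7:443 outbound
2024-10-22T10:05:19Z svchost.exe 10.1.4.22:3389 10.1.0.9:60122 inbound
2024-10-22T11:47:58Z mstsc.exe 10.1.4.30:49877 192.0.2.77:3389 outbound
"""

# Address space treated as internal (assumed RFC 1918); adjust to the organisation's own ranges.
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_line(line):
    """Split one log line into its fields; destination port becomes an int."""
    ts, proc, src, dst, direction = line.split()
    dst_ip, dst_port = dst.rsplit(":", 1)
    return {"ts": ts, "proc": proc, "src": src,
            "dst_ip": dst_ip, "dst_port": int(dst_port), "dir": direction}

def find_external_rdp(log_text, ioc_ips=frozenset()):
    """Flag outbound RDP (3389/tcp) sessions whose destination lies outside INTERNAL.

    ioc_ips is an optional set of indicator addresses (placeholder: fill it from the
    advisory's own list); a destination found in it is reported as an IOC match.
    """
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev["dir"] != "outbound" or ev["dst_port"] != 3389:
            continue
        dst = ipaddress.ip_address(ev["dst_ip"])
        if any(dst in net for net in INTERNAL):
            continue  # RDP to internal hosts is ordinary administrative traffic
        reason = "IOC match" if ev["dst_ip"] in ioc_ips else "RDP to Internet host"
        hits.append((ev["ts"], ev["proc"], ev["dst_ip"], reason))
    return hits
```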

The described activity is tracked by the UAC-0215 identifier.

Cyber threat indicators

Files:


Network:



Graphic images

Fig. 1: Example of the infection chain
