Yoroi-ZLab: Ukraine is again under a cyber attacks campaign, probably by Gamaredon
Ukraine is again under a cyber attack, probably by Gamaredon. It has been discovered by Cybaze-Yoroi ZLAB cyber security experts, who spotted a new suspicious email potentially linked to the Russian APT. The researchers dissected the artifact recovered from their latest attack to figure out evolution or changes in the threat actor TTPs. The infection chain is composed by different stages of password protected SFX (self extracting archive), each containing vbs or batch scripts. At the final stage of this malicious chain, we found a customized version of UltraVNC, a well known off-the-shelf tool for remote administration, modified by the Group and configured to connect to their command and control infrastructure. Despite its apparent triviality, the Matryoshka of SFX archives reached a low detection rate, making it effective.
The cyber offensive spreads by mail with malicious attachments and a document as a lure
According to the cyber security experts, the mail attachment is a RAR archive containing a folder named “suspected” in Ukrainan and a single suspicious file with “.scr” extension. It has a very low detection rate on VirusTotal platform: only four AV engines are able to identify it as malicious and only one understands it may be associated to the Gamaredon implant. After a quick analysis, the real nature of the .scr file emerges: it is a Self Extracting Archive, containing many files. Once extracted, the first command is to check for the presence of malware analysis tools. If Wireshark or Procexp are detected, the implant kill itself. Otherwise, it copies. At the same time, the extracted document will be shown in order to divert the user attention and to continue the infection unnoticed. Written in Ukraine language, it contains information about a criminal charge.
The cyber security experts: How the Russian APT chain of infection works
Yoroi-ZLab revealed that, exploring the LNK file. is possible to see it’s able to start the “winupd.exe” file, with a particular parameter. This behavior indicates the executable is another Self Extracting Archive, this time password protected. When launched, it extracts its content in “%TEMP%\RarSFX0\”, then executes the “setup.vbs” script, with only two code lines. So, the execution flow moves on “1106.cmd”. The source code is full of junk instructions. However, in the end it performs a simple action: it writes a new VBS script in “%APPDATA%\Microsoft\SystemCertificates\My\Certificates\”. This tries to download another malicious file. Furthermore, in the server there a continuously modifications of associated records: the attacker changed many time domain names in the latest period. Moreover, querying the services behind the latest associated DNS record, the host responds with “403 Forbidden” message, indicating Gamaredon infrastructure may still be operative.
Gamaredon also exploits a legit RAT to infiltrate in Ukraine
The malicious scripts creates a new scheduled task in order to periodically execute (every 20 mins) the previous VBS script. Also, it collects all the information about victim’s system using the legit “systeminfo” Microsoft tool and sends them to the remote server through a POST request using the “MicrosoftCreate.exe” file, which actually is the legit “wget” utility. The response body will contain a new executable file, named “jasfix.exe”, representing the new cyber attack stage. It’s another SFX archive with different files. According to the cyber security researchers, this archive follows the typical pattern of the Gamaredon archives Matryoshka, where the “.cmd” file is in designed to decrypt and run next stage. This time using the string “gblfhs” as password. Inside, there are files part of a legit Remote Administration Tool (RAT) named UltraVNC. This tries to establish a connection to a VPS hosted by the Russian provider IPServer.