Skip links

The Windows malware on Ukraine CERT’s radar

As Ukraine fights for survival against invading Russian forces, here’s a taste of some of the malware the nation’s Computer Emergency Response Team (CERT) is battling.

To start, the team earlier this month said miscreants had spammed out emails impersonating government agencies containing links to fake Windows antivirus updates. When these were downloaded and run by a victim, more malware was brought onto the machine, including Cobalt Strike Beacon, which can take over the PC with PowerShell scripts, log keystrokes, take screenshots, exfiltrate files, run other malicious code, attempt to traverse the network, and so on. Beacon is a legit tool developed by HelpSystems mainly for red-team professionals.

According to Ukraine’s CERT, the emails appeared to come from Ukrainian government agencies, and outlined ways to improve network security. They also told the recipient to download critical security updates in the form of a 60MB executable file dubbed BitdefenderWindowsUpdatePackage.exe. The actual antivirus maker Bitdefender has, to be clear, nothing to do with this.

The download was hosted by a .fr website that we understand has been taken offline. That site was designed to convince visitors that the executable was legit. Infosec outfit MalwareHunterTeam said it found what it believed to be the command-and-control server used to direct systems infected during this campaign. The domain name used to reach the server was, we’re told, later disabled by its registrar Namecheap following the filing of an abuse report.

If the victim downloaded and ran the fake antivirus update, they would see a screen that told them to install a Windows Update package. Rather than upgrade the operating system, though, the code would fetch and run additional binaries from Discord. These would eventually run Cobalt Strike Beacon on the PC.

One of those binaries would also base64-decode a payload, save it to disk, and run it. That program would update the Windows Registry to achieve persistence on the computer, and then download, base64-decode, and run two pieces of malware: GraphSteel and GrimPlant. Both are written in Go, and both open a backdoor to the PC, allowing it to be commandeered from afar.

Ukraine’s CERT has previously warned of attempts to spread the credential-stealing Formbook, aka XLoader, Windows malware within the nation’s state organizations as well as the distribution of the MicroBackdoor Windows software nasty.

The nation’s CERT blamed the fake antivirus updates on UAC-0056, aka TA471 or SaintBear, a pro-Russian crew that has targeted Georgia and Ukraine in the past. The MicroBackdoor campaign was blamed on UAC-0051, aka UNC1151, a Belarus-linked gang. The XLoader activity was not attributed to any group we can recognize.

Speaking of Russia… According to the FBI and the US government’s Cybersecurity and Infrastructure Security Agency on Tuesday, Kremlin-backed spies broke into an NGO by brute-forcing an inactive user’s weak credentials, enrolling a device for multi-factor authentication, and exploiting PrintNightmare (CVE-2021-34527) to obtain admin privileges to compromise the organization’s IT. The intrusion is said to have happened as early as May last year.

Not only ensure you’ve patched or mitigated PrintNightmare in your Windows fleet, but also make sure dormant accounts, or those with weak creds, cannot be reactivated and re-enrolled without higher authorization.

Meanwhile, ESET this week warned another data-deleting Windows malware strain is being used against Ukrainian organizations. This software nasty, dubbed CaddyWiper, is the third such destructive wiper deployed in Ukraine since or around the invasion began, the infosec biz reckoned.

The ESET researchers said they detected CaddyWiper on a “few dozen systems in a limited number of organizations.” It was compiled the same day it was used against networks. Interestingly, CaddyWiper doesn’t have significant code similarity with two other data-destroying programs seen lately – HermeticWiper and IsaacWiper – and it doesn’t erase information on domain controllers.

“This is probably a way for the attackers to keep their access inside the organization while still disturbing operations,” ESET noted. CaddyWiper spreads through Microsoft Group Policy Objects, similar to how HermeticWiper spread, indicating its overlords already have control of a victim’s network beforehand.

See the above advisories from Ukraine’s CERT for details of files and domain names to block to keep out similar attacks. ®

Source