The analysis below reflects our observations throughout the month of March 2022. We would also like to thank Maria Jose Erquiaga for her contribution to the introduction and her help throughout the writing process.
As the Russian-Ukrainian conflict continues beyond conventional warfare, cybersecurity professionals have watched their field turn into a real frontier. Threat actors choosing sides [1], group members turning against one another [2], people handing out DDoS tools [3], others blending in to turn the situation into profit [4], and many other stories show that this new frontier is changing daily and that its direct impact is not limited by geographical boundaries.
While attacks seem to evolve every day, it is hard for anyone to stay current with everything that is going on. We therefore believe it is important to distinguish between information and actionable intelligence. In Cisco Global Threat Alerts, we would like to share our observations related to this conflict during March 2022 and explore how we can turn them into actionable intelligence together.
Threat Actors in the Russian-Ukrainian Conflict
Since the rapid escalation of the conflict in 2022, security researchers and analysts have been gathering information about the adversarial groups, malware, techniques, and types of attacks carried out [1, 5, 6]. Some of the groups and malware related to the conflict are described in Table 1:
| Threat actor | Malware | Origin |
|---|---|---|
| Gamaredon | Pteranodon | Crimea |
| Sandworm | CyclopsBlink | Russia |
| WizardSpider | Cobalt Strike, Emotet, Conti, Ryuk, TrickBot | Russia |
Table 1: Threat actors and their relations
The Gamaredon group, also known as Primitive Bear, Shuckworm and ACTINIUM, is an advanced persistent threat (APT) based in Russia. Its activity can be traced back as early as 2013, prior to Russia's annexation of the Crimean Peninsula. The group is known to target Ukrainian state institutions and western government entities located in Ukraine. Ukrainian officials attribute it to the Russian Federal Security Service, also known as the FSB.
Gamaredon commonly leverages malicious Office files, distributed through spear phishing, as the first stage of its attacks. The group is known to use a PowerShell beacon called PowerPunch to download and execute malware for the subsequent stages. Pterodo and QuietSieve are common malware families it deploys for information stealing and various actions on target.
We were able to obtain network IoCs related to Gamaredon infrastructure. During our initial analysis, most of the indicators were not attributed directly to any specific malware; they were simply listed as part of Gamaredon's infrastructure. We therefore decided to investigate that infrastructure in order to understand the group's arsenal and deployment in greater detail.
The first part of this research focuses on WHOIS record analysis. We observed that Gamaredon domains were predominantly registered through REG[.]RU. Creation dates go back as early as February 2019 and show a changing pattern in the registrant email. Until August 2020, message-yandex.ru@mail[.]ru was the main registrant email. Later it shifted to macrobit@inbox[.]ru, mixed with occasional use of message-yandex.ru@mail[.]ru and tank-bank15@yandex[.]ru. Domain creation dates in some of the WHOIS records are as recent as March 2022.
Apart from the WHOIS information, the domains we observed in Gamaredon campaigns follow a distinctive naming convention. While the dataset contained domain labels (without TLDs) ranging from 4 to 16 characters, 70% of them were between 7 and 10 characters long. Combined with the limited set of top-level domains (TLDs) in use (see Table 2), this gives us a naming pattern that can support further attribution. The TLD chosen at domain creation also appears to rotate over time.
Desk 2: TLD distribution and time in use
For domain resolutions, we looked at the distribution of autonomous system numbers (ASNs) behind the resolved IP addresses (see Table 3). Once again REG[.]RU leads the list, hosting most of the domains. TimeWeb came second this time, with 28% of the domains we found related to Gamaredon activity. Domains under the '.online' and '.ru' TLDs update their IP resolutions regularly, almost daily.
| Owner | ASN | Popular networks | Distribution |
|---|---|---|---|
| System Service Ltd. | AS50448 | 126.96.36.199/24 | 1.82% |
Table 3: Distribution of IP addresses per ASN and owner
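The WHOIS, naming and hosting observations above can be turned into a triage heuristic for new, unattributed domains. The following is an added example, not code from the original post or from Cisco: it scores candidate records against the registrar, registrant emails, TLD set, label length and hosting owners named in the analysis. The records, weights and threshold are assumptions chosen for illustration; the domains in the sample list are constructed and are not observed indicators.

```python
"""Heuristic triage of candidate domains against the Gamaredon infrastructure
patterns described above. Added example; sample records are constructed."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# Indicators taken from the analysis above.
REGISTRAR = "REG.RU"
REGISTRANT_EMAILS = {
    "message-yandex.ru@mail.ru",
    "macrobit@inbox.ru",
    "tank-bank15@yandex.ru",
}
TLDS = {"online", "xyz", "ru", "site", "space"}
LABEL_LEN = range(7, 11)            # 70% of observed labels were 7-10 chars
ASN_OWNERS = {"REG.RU", "TimeWeb"}

# Assumed weights: the naming convention alone is weak (plenty of benign
# domains are 7-10 characters under .online or .xyz), so it only reaches the
# threshold together with registrar or registrant evidence.
WEIGHTS = {"registrar": 2, "registrant_email": 4, "tld": 1,
           "label_length": 1, "asn_owner": 2}
THRESHOLD = 5


@dataclass
class DomainRecord:
    domain: str                               # plain or defanged ("[.]")
    registrar: Optional[str] = None
    registrant_email: Optional[str] = None
    asn_owner: Optional[str] = None           # owner of the ASN the domain resolves into


def split_domain(domain: str) -> tuple[str, str]:
    """Return (label directly under the TLD, tld) for a plain or defanged domain."""
    clean = domain.lower().replace("[.]", ".").strip(".")
    left, _, tld = clean.rpartition(".")
    return left.rsplit(".", 1)[-1], tld


def score_domain(rec: DomainRecord) -> tuple[int, list[str]]:
    """Return (score, names of matched indicators) for one record."""
    label, tld = split_domain(rec.domain)
    hits: list[str] = []
    if rec.registrar and rec.registrar.upper() == REGISTRAR:
        hits.append("registrar")
    if rec.registrant_email and rec.registrant_email.lower() in REGISTRANT_EMAILS:
        hits.append("registrant_email")
    if tld in TLDS:
        hits.append("tld")
    if len(label) in LABEL_LEN:
        hits.append("label_length")
    if rec.asn_owner and any(o.lower() in rec.asn_owner.lower() for o in ASN_OWNERS):
        hits.append("asn_owner")
    return sum(WEIGHTS[h] for h in hits), hits


def triage(records: list[DomainRecord]) -> dict[str, tuple[int, list[str]]]:
    """Keep only the records whose score reaches THRESHOLD, for analyst review."""
    return {rec.domain: (s, h) for rec in records
            for s, h in [score_domain(rec)] if s >= THRESHOLD}


# Constructed sample records (not observed data).
SAMPLE_RECORDS = [
    DomainRecord("testlabel1[.]online", "REG.RU", "macrobit@inbox.ru", "REG.RU, Ltd"),
    DomainRecord("example[.]com", "GoDaddy", "hostmaster@example.com", "Cloudflare, Inc."),
    DomainRecord("foobarbaz[.]xyz", "Namecheap", None, "TimeWeb Ltd."),
]

if __name__ == "__main__":
    for domain, (score, hits) in triage(SAMPLE_RECORDS).items():
        print(f"{domain}: score {score}, matched {hits}")
```

The third sample record matches the TLD, label length and hosting owner but still stays below the threshold, which is the intended behaviour: shared hosting and a common naming shape are pivots for a human to follow, not attribution on their own. Treat the output as a review queue and confirm candidates against the file samples and resolutions they are associated with, as the next section does.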
Having covered the infrastructure, let's move on to the arsenal. We looked up file samples associated with the domains through Umbrella and VirusTotal; a sample of the results is shown below. Judging by file type, the Gamaredon group clearly favors malicious Office documents with macros. The group is also known to use Pterodo, a constantly evolving custom backdoor [8, 18].
| Domain | SHA256 | File type | Malware |
|---|---|---|---|
| acetica[.]online | 4c12713ef851e277a66d985f666ac68e73ae21a82d8dcfcedf781c935d640f52 | Office Open XML Document | Groooboor |
| arvensis[.]xyz | 03220baa1eb0ad80808a682543ba1da0ec5d56bf48391a268ba55ff3ba848d2f | Office Open XML Document | Groooboor |
| email-smtp[.]online | 404ed6164154e8fb7fdd654050305cf02835d169c75213c5333254119fc51a83 | Office Open XML Document | Groooboor |
| gurmou[.]site | f9a1d7e896498074f7f3321f1599bd12bdf39222746b756406de4e499afbc86b | Office Open XML Document | Groooboor |
| mail-check[.]ru | 41b7a58d0d663afcdb45ed2706b5b39e1c772efd9314f6c1d1ac015468ea82f4 | Office Open XML Document | Groooboor |
| office360-expert[.]online | 611e4b4e3fd15a1694a77555d858fced1b66ff106323eed58b11af2ae663a608 | Office Open XML Document | Groooboor |
| achilleas[.]xyz | f021b79168daef8a6359b0b14c0002316e9a98dc79f0bf27e59c48032ef21c3d | Office Open XML Document | Macro-enabled Word Trojan |
| anisoptera[.]online | 8c6a3df1398677c85a6e11982d99a31013486a9c56452b29fc4e3fc8927030ad | MS Word Document | Macro-enabled Word Trojan |
| erythrocephala[.]online | 4acfb73e121a49c20423a6d72c75614b438ec53ca6f84173a6a27d52f0466573 | Office Open XML Document | Macro-enabled Word Trojan |
| hamadryas[.]online | 9b6d89ad4e35ffca32c4f44b75c9cc5dd080fd4ce00a117999c9ad8e231d4418 | Office Open XML Document | Macro-enabled Word Trojan |
| intumescere[.]online | 436d2e6da753648cbf7b6b13f0dc855adf51c014e6a778ce1901f2e69bd16360 | MS Word Document | Macro-enabled Word Trojan |
| limosa[.]online | 0b525e66587e564db10bb814495aefb5884d74745297f33503d32b1fec78343f | MS Word Document | Macro-enabled Word Trojan |
| mesant[.]online | 936b70e0babe7708eda22055db6021aed965083d5bc18aad36bedca993d1442a | MS Word Document | Macro-enabled Word Trojan |
| sufflari[.]online | 13b780800c94410b3d68060030b5ff62e9a320a71c02963603ae65abbf150d36 | MS Word Document | Macro-enabled Word Trojan |
| buhse[.]xyz | aa566eed1cbb86dab04e170f71213a885832a58737fcab76be63e55f9c60b492 | Office Open XML Document | Pterodo |
| coagula[.]online | c3eb8cf3171aa004ea374db410a810e67b3b1e78382d9090ef9426afde276d0f | MS Word Document | Pterodo |
| gorimana[.]site | 90cb5319d7b5bb899b1aa684172942f749755bb998de3a63b2bccb51449d1273 | MS Word Document | Pterodo |
| melitaeas[.]online | 55ad79508f6ccd5015f569ce8c8fcad6f10b1aed930be08ba6c36b2ef1a9fac6 | Office Open XML Document | Pterodo |
| upload-dt[.]hopto[.]org | 4e72fbc5a8c9be5f3ebe56fed9f613cfa5885958c659a2370f0f908703b0fab7 | MS Word Document | Pterodo |
Table 4: Domains, files (hash and type), and malware name associated with the Gamaredon group
Once the behavior of the associated malicious samples has been reviewed, it becomes easier to attribute a malicious domain to its corresponding sample. The IP addresses the domain resolves to are later used for raw-IP command and control (C2) communication with a distinctive URL pattern. The following example shows how 1c7804155248e2596ec9de97e5cddcddbafbb5c6d066d972bad051f81bbde5c4 resolves gorigan[.]ru and then uses the returned IP address to build its C2 URL (http(s)://<IP>/<random alphanumeric string>). Because the HTTP traffic never names the domain, both DNS logs and outgoing web traffic are essential to detecting it.
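The detection the paragraph describes is a correlation: a host resolves a domain, then shortly afterwards talks to the returned address directly, with a path that is a single random-looking alphanumeric segment. The following is an added example, not code from the original post or from Cisco Global Threat Alerts. It runs that correlation over constructed DNS and HTTP proxy log lines; the 30-minute window, the path shape (4 to 32 alphanumeric characters, no extension) and the log formats are assumptions, and the IP addresses come from documentation ranges rather than observed infrastructure.

```python
"""Correlate DNS resolutions with later raw-IP HTTP requests whose path is one
bare alphanumeric segment, the C2 URL pattern described above.
Added example; log lines are constructed and IPs are documentation ranges."""
from __future__ import annotations

import re
from datetime import datetime, timedelta

# Assumed parameters (not from the post).
WINDOW = timedelta(minutes=30)                       # max gap between resolution and request
C2_PATH = re.compile(r"^/[A-Za-z0-9]{4,32}$")        # one bare segment, no extension
RAW_IP_URL = re.compile(r"^https?://(\d{1,3}(?:\.\d{1,3}){3})(/.*)?$")

# Constructed sample logs. DNS: "<ts> <host> A <qname> <answer>";
# HTTP: "<ts> <host> <method> <url>". 203.0.113.0/24 and 198.51.100.0/24 are TEST-NETs.
DNS_LOG = """\
2022-03-14T09:01:12Z host-a A gorigan.ru 203.0.113.45
2022-03-14T09:01:15Z host-b A www.example.com 198.51.100.7
"""
HTTP_LOG = """\
2022-03-14T09:01:13Z host-a GET http://203.0.113.45/k7Qx2Lm9pZ
2022-03-14T09:01:20Z host-b GET http://198.51.100.7/index.html
2022-03-14T09:03:13Z host-a GET https://203.0.113.45/Af8bQ1
2022-03-14T09:40:00Z host-a GET http://203.0.113.45/k7Qx2Lm9pZ
"""


def parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def parse_dns(log: str) -> list[tuple[datetime, str, str, str]]:
    """Return (time, host, qname, answer_ip) for each A-record line."""
    out = []
    for line in log.splitlines():
        ts, host, rtype, qname, answer = line.split()
        if rtype == "A":
            out.append((parse_ts(ts), host, qname.lower(), answer))
    return out


def parse_http(log: str) -> list[tuple[datetime, str, str]]:
    """Return (time, host, url) for each request line."""
    out = []
    for line in log.splitlines():
        ts, host, _method, url = line.split()
        out.append((parse_ts(ts), host, url))
    return out


def detect(dns_log: str, http_log: str) -> tuple[list[dict], list[dict]]:
    """Split raw-IP requests with a C2-shaped path into those attributable to a
    recent resolution on the same host (strong signal) and the rest (weak)."""
    resolutions = parse_dns(dns_log)
    attributed, unattributed = [], []
    for when, host, url in parse_http(http_log):
        m = RAW_IP_URL.match(url)
        if not m:
            continue                                  # request named a host; not this pattern
        ip, path = m.group(1), m.group(2) or "/"
        if not C2_PATH.match(path):
            continue                                  # ordinary path such as /index.html
        hit = {"time": when.isoformat(), "host": host, "ip": ip, "url": url}
        # Most recent resolution by the same host that answered with this IP
        # no more than WINDOW before the request.
        candidates = [(t, qname) for t, h, qname, ans in resolutions
                      if h == host and ans == ip and timedelta(0) <= when - t <= WINDOW]
        if candidates:
            hit["domain"] = max(candidates)[1]
            attributed.append(hit)
        else:
            unattributed.append(hit)
    return attributed, unattributed


if __name__ == "__main__":
    strong, weak = detect(DNS_LOG, HTTP_LOG)
    for h in strong:
        print("C2 via", h["domain"], "->", h["url"], "from", h["host"])
    for h in weak:
        print("raw-IP beacon without DNS context:", h["url"], "from", h["host"])
```

In the sample, the two early requests from host-a are tied back to gorigan.ru, while the one at 09:40 falls outside the window and lands in the weaker list. That split is deliberate: a random-looking single-segment path on a raw IP also shows up in legitimate traffic (CDN edges, admin panels reached by address), so the DNS link is what makes the alert actionable, and the unattributed list is a hunting lead rather than a detection. Since the post notes these domains change IP almost daily, the window should be tuned to the TTLs actually observed in the environment.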
Detecting Gamaredon Activity with Global Threat Alerts
In Cisco Global Threat Alerts, we track the Gamaredon group under the Gamaredon Activity threat object. The threat description is enriched with MITRE references (see Figure 3).
Figure 4 shows a detection sample of Gamaredon activity. Note that the infected device attempted to communicate with the domains alacritas[.]ru, goloser[.]ru, and libellus[.]ru, which appeared to be sinkholed to the OpenDNS IP address 146.112.61[.]107.
We have walked through the steps of producing intelligence from the information we collected. We started with an unattributed list of network IoCs and identified distinctive patterns in their metadata. We then pivoted to endpoint IoCs and attributed domains to malware families. Finally, we showed how this was turned into a detection of the Gamaredon group displayed in the Cisco Global Threat Alerts portal.
For your convenience, here is a summary of the intelligence developed in this blog post:
| Attribute | Value |
|---|---|
| Aliases | Primitive Bear, Shuckworm, ACTINIUM |
| Targets | Ukrainian state organizations |
| Malware used | Pterodo, Groooboor |
| File types | Macro-enabled Office files, Win32 EXE, VBA |
| TLDs used | .online, .xyz, .ru, .site, .space |
| ASNs used | REG.RU, Ltd, TimeWeb Ltd., EuroByte LLC, AS-CHOOPA, LLC Baxet, System Service Ltd. |
References
1. Cyber Group Tracker: https://cyberknow.medium.com/update-10-2022-russia-ukraine-war-cyber-group-tracker-march-20-d667afd5afff
2. Conti ransomware's internal chats leaked after siding with Russia: https://www.bleepingcomputer.com/news/security/conti-ransomwares-internal-chats-leaked-after-siding-with-russia/
3. Hackers sound call to arms with digital weapon aimed at Russian websites: https://cybernews.com/news/hackers-sound-call-to-arms-with-digital-weapon-aimed-at-russian-websites/
4. Threat advisory: Cybercriminals compromise users with malware disguised as pro-Ukraine cyber tools: https://blog.talosintelligence.com/2022/03/threat-advisory-cybercriminals.html
5. Ukraine-Cyber-Operations: https://github.com/curated-intel/Ukraine-Cyber-Operations
6. What You Need to Know About Russian Cyber Escalation in Ukraine: https://socradar.io/what-you-need-to-know-about-russian-cyber-escalation-in-ukraine/
7. Gamaredon: https://attack.mitre.org/groups/G0047/
8. Pteranodon: https://attack.mitre.org/software/S0147/
9. Sandworm: https://attack.mitre.org/groups/G0034/
10. Threat Advisory: Cyclops Blink: https://blog.talosintelligence.com/2022/02/threat-advisory-cyclops-blink.html
11. Wizard Spider: https://attack.mitre.org/groups/G0102/
12. Cobalt Strike: https://attack.mitre.org/software/S0154
13. Emotet: https://attack.mitre.org/software/S0367
14. Conti: https://attack.mitre.org/software/S0575
15. TrickBot: https://attack.mitre.org/software/S0446
16. Technical Report Gamaredon/Armageddon group: https://ssu.gov.ua/uploads/files/DKIB/Technical%20report%20Armagedon.pdf
17. ACTINIUM targets Ukrainian organizations: https://www.microsoft.com/security/blog/2022/02/04/actinium-targets-ukrainian-organizations/