The analysis below reflects our observations throughout the month of March 2022. We would also like to thank Maria Jose Erquiaga for her contribution to the introduction and her help during the writing process.
Overview
As the Russian-Ukrainian war continues beyond conventional warfare, cybersecurity professionals have watched their field become a real frontier. Threat actors picking sides [1], group members turning against each other [2], some people handing out DDoS tools [3], some people mixing in to turn it into profit [4], and many other stories prove that this new frontier is changing daily, and that its direct impact is not limited to geographical boundaries.
While attacks seem to evolve daily, it is challenging to stay up to date with everything that is going on. Therefore, we believe it is important to distinguish between information and actionable intelligence. In Cisco Global Threat Alerts, we want to share our observations related to this conflict during March 2022 and explore how we can turn them into actionable intelligence together.
Threat Actors in the Russian-Ukrainian Conflict
Since the rapid escalation of the conflict in 2022, security researchers and analysts have been gathering information about the adversarial groups, malware, techniques, and types of attacks carried out [1, 5, 6]. Some of the groups and malware related to the conflict are described in Table 1:
| Threat Actor | Malware | Location |
| --- | --- | --- |
| Gamaredon [7] | Pteranodon [8] | Crimea |
| Sandworm [9] | CyclopsBlink [10] | Russia |
| WizardSpider [11] | Cobalt Strike [12], Emotet [13], Conti [14], Ryuk [15], Trickbot [16] | Russia |
Table 1: Threat actors and their relations
Gamaredon
The Gamaredon group, also known as Primitive Bear, Shuckworm and ACTINIUM, is an advanced persistent threat (APT) based in Russia. Their activities can be traced back as early as 2013, prior to Russia's annexation of the Crimean Peninsula. They are known to target state institutions of Ukraine and Western government entities located in Ukraine. Ukrainian officials attribute them to the Russian Federal Security Service, also known as the FSB [17].
Gamaredon often leverages malicious Office files, distributed via spear phishing, as the first stage of their attacks. They are known to use a PowerShell beacon called PowerPunch to download and execute malware for the subsequent stages of their attacks. Pterodo and QuietSieve are popular malware families that they deploy for stealing information and carrying out various actions on target [18].
We were able to collect network IoCs related to Gamaredon infrastructure. During our initial analysis, most of the indicators were not attributed directly to any specific malware; they were rather listed as part of Gamaredon's infrastructure. Therefore, we wanted to investigate their infrastructure to understand their arsenal and deployment in greater detail.
Network Infrastructure
The first part of this research is focused on WHOIS record analysis. We observed that Gamaredon domains were predominantly registered through REG[.]RU. Creation dates go back as early as February 2019 and show a changing pattern in the registrant email. Until August 2020, we observed that message-yandex.ru@mail[.]ru was the main registrant email. Later, it shifted to macrobit@inbox[.]ru, mixed with the occasional use of message-yandex.ru@mail[.]ru and tank-bank15@yandex[.]ru. Domain creation dates in some of the WHOIS records are as recent as March 2022.
Besides WHOIS records, the domains we observed to be related to Gamaredon campaigns had a distinguishing naming convention. While the dataset consisted of domains (without TLDs) varying between 4 and 16 characters, 70% of them were between 7 and 10 characters. Combined with the limited group of top-level domains (TLDs) in use (see Table 2), this gives us a naming pattern for further attribution. Furthermore, the choice of TLD at domain creation appears to rotate over time.
| TLD | Distribution | TLD Usage |
| --- | --- | --- |
| online | 42.07% | 08/2020-02/2021, 02/2022 |
| xyz | 29.47% | 06/2022-08/2022, 02/2022-03/2022 |
| ru | 14.22% | 08/2020, 05/2021-02/2022 |
| site | 8.94% | 07/2020-02/2021 |
| space | 2.64% | 02/2019-06/2020 |
Table 2: TLD distribution and time in use
In the case of domain resolutions, we aimed to analyze the distribution of autonomous system numbers (ASNs) used by the resolved IP addresses (see Table 3). Once again, the owner REG[.]RU leads the list, hosting most of the domains. TimeWeb was second this time, with 28% of the domains we found to be related to Gamaredon activities. Domains with '.online' and '.ru' TLDs update their IP resolutions regularly, almost daily.
| Owner | ASN | Common Networks | Distribution |
| --- | --- | --- | --- |
| REG.RU, Ltd | AS197695 | 194.67.71.0/24, 194.67.112.0/24, 194.58.100.0/24, 194.58.112.0/24, 194.58.92.0/24, 89.108.81.0/24 | 45.93% |
| TimeWeb Ltd. | AS9123 | 185.104.114.0/24, 188.225.77.0/24, 188.225.82.0/24, 94.228.120.0/24, 94.228.123.0/24 | 28.25% |
| EuroByte LLC | AS210079 | 95.183.12.42/32 | 10.56% |
| AS-CHOOPA | AS20473 | 139.180.196.149/32 | 5.08% |
| LLC Baxet | AS51659 | 45.135.134.139/32, 91.229.91.124/32 | 2.23% |
| System Service Ltd. | AS50448 | 109.95.211.0/24 | 1.82% |
Table 3: Distribution of IP addresses per ASN and owner
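The two pivots described above (the label-length/TLD naming pattern from the WHOIS analysis and the bucketing of resolved IPs into the Table 3 prefixes) can be turned into a small triage script. The following is an added example and not code from the post or from Cisco; the (domain, IP) pairs it runs on are constructed for illustration, and the owner labels and the 7-10 character range are the values given in the text and tables above.

```python
import ipaddress
from collections import Counter

# Constructed observations of (defanged domain, resolved IP); this is not the
# post's dataset. The domains are a few named in Table 4 plus two controls,
# and the IPs were chosen to fall inside (or outside) the Table 3 prefixes.
OBSERVATIONS = [
    ("acetica[.]online", "194.67.71.15"),
    ("arvensis[.]xyz", "185.104.114.23"),
    ("bitsadmin2[.]space", "95.183.12.42"),
    ("gorigan[.]ru", "194.58.100.77"),
    ("ab[.]xyz", "188.225.77.5"),            # control: label too short for the pattern
    ("example-corp[.]com", "203.0.113.34"),  # control: unrelated TLD and network
]

# TLD set from Table 2 and the dominant label length from the WHOIS analysis
GAMAREDON_TLDS = {"online", "xyz", "ru", "site", "space"}
LABEL_LEN_RANGE = (7, 10)

# Prefixes from Table 3, keyed by owner and ASN
ASN_PREFIXES = {
    "REG.RU, Ltd (AS197695)": ["194.67.71.0/24", "194.67.112.0/24", "194.58.100.0/24",
                               "194.58.112.0/24", "194.58.92.0/24", "89.108.81.0/24"],
    "TimeWeb Ltd. (AS9123)": ["185.104.114.0/24", "188.225.77.0/24", "188.225.82.0/24",
                              "94.228.120.0/24", "94.228.123.0/24"],
    "EuroByte LLC (AS210079)": ["95.183.12.42/32"],
    "AS-CHOOPA (AS20473)": ["139.180.196.149/32"],
    "LLC Baxet (AS51659)": ["45.135.134.139/32", "91.229.91.124/32"],
    "System Service Ltd. (AS50448)": ["109.95.211.0/24"],
}
_NETWORKS = [(owner, ipaddress.ip_network(p))
             for owner, prefixes in ASN_PREFIXES.items() for p in prefixes]


def refang(domain):
    """Turn a defanged name like 'gorigan[.]ru' back into 'gorigan.ru'."""
    return domain.replace("[.]", ".").lower()


def split_domain(domain):
    """Return (second-level label, TLD) for a possibly defanged domain name."""
    parts = refang(domain).split(".")
    return parts[-2], parts[-1]


def matches_naming_pattern(domain):
    """True when label length and TLD both fit the pattern described above."""
    label, tld = split_domain(domain)
    lo, hi = LABEL_LEN_RANGE
    return lo <= len(label) <= hi and tld in GAMAREDON_TLDS


def owner_for_ip(ip):
    """Map an IP to the Table 3 owner whose prefix contains it, or 'unknown'."""
    addr = ipaddress.ip_address(ip)
    for owner, net in _NETWORKS:
        if addr in net:
            return owner
    return "unknown"


def triage(observations=OBSERVATIONS):
    """Split observations by naming pattern and count hosting owners of the matches."""
    matched = [(d, ip) for d, ip in observations if matches_naming_pattern(d)]
    unmatched = [(d, ip) for d, ip in observations if not matches_naming_pattern(d)]
    owners = Counter(owner_for_ip(ip) for _, ip in matched)
    return matched, unmatched, owners


if __name__ == "__main__":
    matched, unmatched, owners = triage()
    for d, ip in matched:
        print(f"candidate {refang(d):20} {ip:16} {owner_for_ip(ip)}")
    for d, ip in unmatched:
        print(f"skip      {refang(d):20} {ip:16} {owner_for_ip(ip)}")
    print(dict(owners))
```

The naming pattern alone is a weak signal (plenty of benign names are 7 to 10 characters on a .ru or .xyz domain), so the script only uses it to select candidates; a candidate that also resolves into one of the Table 3 networks is what deserves analyst time. Real deployments would pull prefixes from a current BGP or WHOIS source instead of a static table.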
Tooling
After understanding the infrastructure, let's continue with their arsenal. We looked at file samples related to the domains via Umbrella and VirusTotal. A sample of the results can be seen below. Looking at the file types, we can see that the Gamaredon group prefers malicious Office documents with macros. They are also known to use Pterodo, which is a constantly evolving custom backdoor [8, 18].
| Domain | Hash | Type | Malware |
| --- | --- | --- | --- |
| acetica[.]online | 4c12713ef851e277a66d985f666ac68e73ae21a82d8dcfcedf781c935d640f52 | Office Open XML Document | Groooboor |
| arvensis[.]xyz | 03220baa1eb0ad80808a682543ba1da0ec5d56bf48391a268ba55ff3ba848d2f | Office Open XML Document | Groooboor |
| email-smtp[.]online | 404ed6164154e8fb7fdd654050305cf02835d169c75213c5333254119fc51a83 | Office Open XML Document | Groooboor |
| gurmou[.]site | f9a1d7e896498074f7f3321f1599bd12bdf39222746b756406de4e499afbc86b | Office Open XML Document | Groooboor |
| mail-check[.]ru | 41b7a58d0d663afcdb45ed2706b5b39e1c772efd9314f6c1d1ac015468ea82f4 | Office Open XML Document | Groooboor |
| office360-expert[.]online | 611e4b4e3fd15a1694a77555d858fced1b66ff106323eed58b11af2ae663a608 | Office Open XML Document | Groooboor |
| achilleas[.]xyz | f021b79168daef8a6359b0b14c0002316e9a98dc79f0bf27e59c48032ef21c3d | Office Open XML Document | Macro enabled Word Trojan |
| anisoptera[.]online | 8c6a3df1398677c85a6e11982d99a31013486a9c56452b29fc4e3fc8927030ad | MS Word Document | Macro enabled Word Trojan |
| erythrocephala[.]online | 4acfb73e121a49c20423a6d72c75614b438ec53ca6f84173a6a27d52f0466573 | Office Open XML Document | Macro enabled Word Trojan |
| hamadryas[.]online | 9b6d89ad4e35ffca32c4f44b75c9cc5dd080fd4ce00a117999c9ad8e231d4418 | Office Open XML Document | Macro enabled Word Trojan |
| intumescere[.]online | 436d2e6da753648cbf7b6b13f0dc855adf51c014e6a778ce1901f2e69bd16360 | MS Word Document | Macro enabled Word Trojan |
| limosa[.]online | 0b525e66587e564db10bb814495aefb5884d74745297f33503d32b1fec78343f | MS Word Document | Macro enabled Word Trojan |
| mesant[.]online | 936b70e0babe7708eda22055db6021aed965083d5bc18aad36bedca993d1442a | MS Word Document | Macro enabled Word Trojan |
| sufflari[.]online | 13b780800c94410b3d68060030b5ff62e9a320a71c02963603ae65abbf150d36 | MS Word Document | Macro enabled Word Trojan |
| apusa[.]xyz | 23d417cd0d3dc0517adb49b10ef11d53e173ae7b427dbb6a7ddf45180056c029 | Win32 DLL | Pterodo |
| atlanticos[.]site | f5023effc40e6fbb5415bc0bb0aa572a9cf4020dd59b2003a1ad03d356179aa1 | VBA | Pterodo |
| barbatus[.]online | 250bd134a910605b1c4daf212e19b5e1a50eb761a566fffed774b6138e463bbc | VBA | Pterodo |
| bitsadmin2[.]space | cfa58e51ad5ce505480bfc3009fc4f16b900de7b5c78fdd2c6d6c420e0096f6b | Win32 EXE | Pterodo |
| bitsadmin3[.]space | 9c8def2c9d2478be94fba8f77abd3b361d01b9a37cb866a994e76abeb0bf971f | Win32 EXE | Pterodo |
| bonitol[.]online | 3cbe7d544ef4c8ff8e5c1e101dbdf5316d0cfbe32658d8b9209f922309162bcf | VBA | Pterodo |
| buhse[.]xyz | aa566eed1cbb86dab04e170f71213a885832a58737fcab76be63e55f9c60b492 | Office Open XML Document | Pterodo |
| calendas[.]ru | 17b278045a8814170e06d7532e17b831bede8d968ee1a562ca2e9e9b9634c286 | Win32 EXE | Pterodo |
| coagula[.]online | c3eb8cf3171aa004ea374db410a810e67b3b1e78382d9090ef9426afde276d0f | MS Word Document | Pterodo |
| corolain[.]ru | 418aacdb3bbe391a1bcb34050081bd456c3f027892f1a944db4c4a74475d0f82 | Win32 EXE | Pterodo |
| gorigan[.]ru | 1c7804155248e2596ec9de97e5cddcddbafbb5c6d066d972bad051f81bbde5c4 | Win32 EXE | Pterodo |
| gorimana[.]site | 90cb5319d7b5bb899b1aa684172942f749755bb998de3a63b2bccb51449d1273 | MS Word Document | Pterodo |
| krashand[.]ru | 11d6a641f8eeb76ae734951383b39592bc1ad3c543486dcef772c14a260a840a | Win32 EXE | Pterodo |
| libellus[.]ru | 4943ca6ffef366386b5bdc39ea28ad0f60180a54241cf1bee97637e5e552c9a3 | Win32 EXE | Pterodo |
| melitaeas[.]online | 55ad79508f6ccd5015f569ce8c8fcad6f10b1aed930be08ba6c36b2ef1a9fac6 | Office Open XML Document | Pterodo |
| mullus[.]online | 31afda4abdc26d379b848d214c8cbd0b7dc4d62a062723511a98953bebe8cbfc | Win32 EXE | Pterodo |
| upload-dt[.]hopto[.]org | 4e72fbc5a8c9be5f3ebe56fed9f613cfa5885958c659a2370f0f908703b0fab7 | MS Word Document | Pterodo |
Table 4: Domains, files (hash and type), and malware name associated with the Gamaredon group
After reviewing the behaviors of the related malicious samples, it is easier to build attribution between a malicious domain and the corresponding sample. The IP addresses resolved by the domain are later used to establish raw-IP command and control (C2) communication with a distinguishing URL pattern. The following example shows how 1c7804155248e2596ec9de97e5cddcddbafbb5c6d066d972bad051f81bbde5c4 resolves gorigan[.]ru and uses its IP address to build a C2 URL (http|https://<IP>/<random alphanumeric string>). Therefore, DNS and outgoing web traffic are key to its detection.
Detecting Gamaredon Activity with Global Threat Alerts
In Cisco Global Threat Alerts, we are tracking the Gamaredon group under the Gamaredon Activity threat object. The threat description is enriched with MITRE references (see Figure 3).
Figure 4 shows a detection sample of Gamaredon activity. Note that the infected device tried to communicate with the domains alacritas[.]ru, goloser[.]ru, and libellus[.]ru, which appeared to be sinkholed to the OpenDNS IP address 146.112.61[.]107.
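The two observations above (the C2 pattern of a domain resolution followed by a request to http|https://<IP>/<random alphanumeric string>, and watchlisted domains resolving to the OpenDNS sinkhole) are exactly what a DNS-plus-proxy correlation rule can catch. The following is an added example, not code from the post or from Cisco Global Threat Alerts: it runs over constructed DNS and proxy log lines whose query names are domains from this post, while the client addresses, the benign destinations and the request paths are made up placeholders.

```python
import re
from collections import defaultdict

# Constructed DNS and proxy log lines, not taken from the post. Query names are
# domains named in the post; client and benign destination addresses come from
# documentation ranges, and the request paths are invented.
DNS_LOG = """\
2022-03-10T09:00:01Z 10.0.0.5 gorigan.ru A 194.58.100.77
2022-03-10T09:00:02Z 10.0.0.5 libellus.ru A 146.112.61.107
2022-03-10T09:00:03Z 10.0.0.9 example.com A 203.0.113.10
"""
PROXY_LOG = """\
2022-03-10T09:00:05Z 10.0.0.5 GET http://194.58.100.77/Kx9pQ2mZtA7
2022-03-10T09:00:06Z 10.0.0.9 GET http://203.0.113.10/index.html
2022-03-10T09:00:07Z 10.0.0.9 GET https://198.51.100.20/aB3dE5fG
"""

# Domains from the post (refanged) and the OpenDNS sinkhole address it mentions
WATCHLIST = {"gorigan.ru", "libellus.ru", "alacritas.ru", "goloser.ru"}
SINKHOLE_IP = "146.112.61.107"

# http|https://<IP>/<random alphanumeric string>: raw IPv4 host, one opaque path segment
RAW_IP_C2_URL = re.compile(r"^https?://(\d{1,3}(?:\.\d{1,3}){3})/([A-Za-z0-9]{6,})/?$")


def parse_dns(text):
    """Yield (ts, client, qname, answer) from 'ts client qname type answer' lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[3] == "A":
            yield parts[0], parts[1], parts[2].lower(), parts[4]


def parse_proxy(text):
    """Yield (ts, client, method, url) from 'ts client method url' lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            yield tuple(parts)


def detect(dns_text=DNS_LOG, proxy_text=PROXY_LOG):
    """Correlate watchlisted DNS answers with raw-IP web requests from the same client."""
    alerts = []
    resolved = defaultdict(dict)  # client -> {answer IP: watchlisted domain}
    for ts, client, qname, answer in parse_dns(dns_text):
        if qname not in WATCHLIST:
            continue
        if answer == SINKHOLE_IP:
            # The resolver already blocked it, but the lookup itself means the host is infected
            alerts.append({"ts": ts, "client": client, "kind": "sinkhole",
                           "severity": "high", "ip": answer, "linked_domain": qname})
        else:
            resolved[client][answer] = qname
    for ts, client, method, url in parse_proxy(proxy_text):
        m = RAW_IP_C2_URL.match(url)
        if not m:
            continue
        ip = m.group(1)
        # A raw-IP request is only "high" when this client just resolved a watchlisted
        # domain to that IP; on its own, the URL shape is a medium-confidence signal
        linked = resolved.get(client, {}).get(ip)
        alerts.append({"ts": ts, "client": client, "kind": "c2_url",
                       "severity": "high" if linked else "medium",
                       "ip": ip, "linked_domain": linked, "url": url})
    return alerts


if __name__ == "__main__":
    for alert in detect():
        print(alert)
```

The point of keeping the DNS answer per client is that the C2 URL itself never mentions the domain: without the resolution step you only see an opaque request to a bare IP, which is noisy on its own. The sinkhole case is the inverse, a DNS-only signal that is worth an alert even though no web request follows.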
Conclusion
We have walked through the steps of producing intelligence from the information we collected. We began our analysis with an unattributed list of network IoCs and were able to identify unique patterns in their metadata. Then, we pivoted to endpoint IoCs and attributed domains to malware families. Finally, we showed how we turned this into a detection of the Gamaredon group displayed in the Cisco Global Threat Alerts portal.
For your convenience, here is a summary of the intelligence we developed in this blog post:
| Aliases | Primitive Bear, Shuckworm, ACTINIUM |
| --- | --- |
| Type | Threat Actor |
| Originating From | Russia |
| Targets | Ukrainian State Organizations |
| Malware used | Pterodo, Groooboor |
| File Type | Macro enabled Office files, Win32 EXE, VBA |
| TLDs used | .online, .xyz, .ru, .site, .space |
| ASNs used | REG.RU, Ltd, TimeWeb Ltd., EuroByte LLC, AS-CHOOPA, LLC Baxet, System Service Ltd. |
References
[1] Cyber Group Tracker: https://cyberknow.medium.com/update-10-2022-russia-ukraine-war-cyber-group-tracker-march-20-d667afd5afff
[2] Conti ransomware's internal chats leaked after siding with Russia: https://www.bleepingcomputer.com/news/security/conti-ransomwares-internal-chats-leaked-after-siding-with-russia/
[3] Hackers sound call to arms with digital weapon aimed at Russian websites: https://cybernews.com/news/hackers-sound-call-to-arms-with-digital-weapon-aimed-at-russian-websites/
[4] Threat advisory: Cybercriminals compromise users with malware disguised as pro-Ukraine cyber tools: https://blog.talosintelligence.com/2022/03/threat-advisory-cybercriminals.html
[5] Ukraine-Cyber-Operations: https://github.com/curated-intel/Ukraine-Cyber-Operations
[6] What You Need to Know About Russian Cyber Escalation in Ukraine: https://socradar.io/what-you-need-to-know-about-russian-cyber-escalation-in-ukraine/
[7] Gamaredon: https://attack.mitre.org/groups/G0047/
[8] Pteranodon: https://attack.mitre.org/software/S0147/
[9] Sandworm: https://attack.mitre.org/groups/G0034/
[10] Threat Advisory: Cyclops Blink: https://blog.talosintelligence.com/2022/02/threat-advisory-cyclops-blink.html
[11] Wizard Spider: https://attack.mitre.org/groups/G0102/
[12] Cobalt Strike: https://attack.mitre.org/software/S0154
[13] Emotet: https://attack.mitre.org/software/S0367
[14] Conti: https://attack.mitre.org/software/S0575
[15] Ryuk: https://attack.mitre.org/software/S0446
[16] TrickBot: https://attack.mitre.org/software/S0446
[17] Technical Report Gamaredon/Armageddon group: https://ssu.gov.ua/uploads/files/DKIB/Technical%20report%20Armagedon.pdf
[18] ACTINIUM targets Ukrainian organizations: https://www.microsoft.com/security/blog/2022/02/04/actinium-targets-ukrainian-organizations/