It appears that this group does not have outstanding technical knowledge or access to zero-day vulnerabilities. Nevertheless, it successfully uses social engineering to spread malware and has operated covertly for a long time. We managed to trace its activity back to October 2015, but it is possible that the group started its activity much earlier.

The attackers use three variants of .NET malware: Quasar RAT (Remote Administration Tool), Sobaken (derived from Quasar RAT) and the custom RAT Vermin. The tools were used simultaneously on the same targets; they partially share infrastructure and connect to the same C&C servers. A possible explanation for the use of three parallel variants is that they were developed independently of each other.

The malware is used in attacks on Ukrainian government agencies. According to our telemetry, the attackers use e-mail as the primary distribution channel for the three RATs. Figure 1 shows the main campaign events in chronological order. According to ESET telemetry, there are hundreds of victims in various organizations and several hundred executables related to this campaign.

They use social engineering to convince victims to download and run the malware. In most cases, the file names are written in Ukrainian and are related to the work of the victims. Examples:

- "INSTITUTION of the organization of the defection of the military service of the Ukrainian Forces and members of the family" ("Order on ensuring the safety of the military of the Ukrainian army and their families")
- "A new project will be ordered, an assignment of the interchange of willows" ("New draft order of verification of seizure")
- "Interviewing Don OVK Zbіlshennya lіmіtu" ("Supply Department Don OVK.

In addition to the basic social engineering techniques (drawing attention to the attachment), the attackers use three technical methods. This is likely to further increase the effectiveness of the campaigns.

Method #1: Email attachments use the Unicode right-to-left override character, which changes the direction in which characters are read in order to hide the actual extension. An example of a file name: as shown in Figure 2, "Carrying solid firewood (firewood) for a firewood _ xcod scr" ("Transporting firewood for heating") will look to inattentive users as a. In fact, these are executable files that use Word, Excel, PowerPoint or Acrobat Reader icons to avoid suspicion.

Figure 2. Executable file masquerading as a Word document

Method #2: Email attachments masquerading as self-extracting RAR archives. Example: an e-mail with the attachment "Mandate_MO_Dodatki_ to_Ionstruktsii_440_startor" ("Order of the Ministry of Defense, Appendices to Instruction No. Presumably, the victims launch this file expecting the contents of the self-extracting archive to be unpacked, but thereby unwittingly launch a malicious executable.

Method #3: Word document + CVE-2017-0199 exploit. This vulnerability is triggered when the victim opens a specially crafted Word document. The Word process sends an HTTP request for an HTA file containing a malicious script located on a remote server. The malicious script is then launched by mshta.exe. According to ESET telemetry, these attackers began using this method in May 2017. The first public information about this vulnerability appeared in April 2017, and Microsoft closed it by releasing a security update for all versions of Windows and Office.

Figure 3.

The attackers used hxxp://chip-tuning lg ua/ to deliver the HTA files and the final payload.

The version and copyright data suggest that this is a fake file disguised as a self-extracting RAR archive. The installation procedure is the same for the three malware variants used by this group. The dropper drops the payload files (Vermin, Quasar or Sobaken) into a %APPDATA% subfolder with the name of a legitimate company (usually Adobe, Intel or Microsoft). Then, as shown in Figure 4, it creates a task in the scheduler to run the component every 10 minutes to ensure persistence.
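Method #1 above relies on a user seeing a different extension from the one the operating system will actually open. The following Python script is an added example (not code from ESET or from this report) of how a mail gateway or triage analyst can detect that trick: it strips Unicode bidirectional controls to recover the real extension, approximates how a bidi-naive viewer would render the name, and flags names where the two disagree. The sample attachment names are constructed for this example; the second one mimics the report's "…_<RLO>cod.scr" pattern, which renders as "…_rcs.doc". The rendering function models only the common RLO-to-end-of-name case, not the full Unicode bidi algorithm.

```python
import os

# Unicode bidirectional control characters that can change how a file name is displayed.
BIDI_CONTROLS = {
    "\u202A": "LRE", "\u202B": "RLE", "\u202C": "PDF", "\u202D": "LRO", "\u202E": "RLO",
    "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI", "\u2069": "PDI",
}
RLO, PDF = "\u202E", "\u202C"
EXECUTABLE_EXTENSIONS = {
    ".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".jse",
    ".vbs", ".vbe", ".hta", ".ps1", ".msi",
}


def displayed_name(name):
    """Approximate what a user sees: text after an RLO is reversed up to the next PDF
    (or to the end of the name); other bidi controls are simply invisible.
    This models the case described in the report, not the full Unicode bidi algorithm."""
    out, i = [], 0
    while i < len(name):
        ch = name[i]
        if ch == RLO:
            end = name.find(PDF, i + 1)
            segment = name[i + 1:] if end == -1 else name[i + 1:end]
            out.append(segment[::-1])
            i = len(name) if end == -1 else end + 1
        else:
            if ch not in BIDI_CONTROLS:
                out.append(ch)
            i += 1
    return "".join(out)


def analyze_attachment_name(name):
    """Classify an attachment name by its real extension versus the one the user sees."""
    controls = [BIDI_CONTROLS[c] for c in name if c in BIDI_CONTROLS]
    actual = "".join(c for c in name if c not in BIDI_CONTROLS)  # what the OS actually opens
    shown = displayed_name(name)
    actual_ext = os.path.splitext(actual)[1].lower()
    shown_ext = os.path.splitext(shown)[1].lower()
    if controls and actual_ext in EXECUTABLE_EXTENSIONS:
        risk = "high"    # hidden executable extension: the Method #1 pattern
    elif controls:
        risk = "medium"  # bidi controls in a file name are unusual enough to inspect
    elif actual_ext in EXECUTABLE_EXTENSIONS:
        risk = "low"     # plainly executable; icon masquerade cannot be judged from the name
    else:
        risk = "none"
    return {
        "actual_name": actual, "displayed_name": shown,
        "actual_ext": actual_ext, "displayed_ext": shown_ext,
        "bidi_controls": controls, "risk": risk,
    }


def flag_attachments(names, minimum="medium"):
    """Return the findings whose risk level is at or above `minimum`."""
    order = {"none": 0, "low": 1, "medium": 2, "high": 3}
    results = (analyze_attachment_name(n) for n in names)
    return [r for r in results if order[r["risk"]] >= order[minimum]]


# Constructed sample names (not taken from the campaign). The second one renders as
# "..._rcs.doc" while its real extension is .scr, exactly the trick described above.
SAMPLE_ATTACHMENTS = [
    "Nakaz_440_dodatky.docx",
    "Perevezennya_drov_dlya_opalennya_" + RLO + "cod.scr",
    "Zvit_za_kvartal.pdf.exe",
]

if __name__ == "__main__":
    for finding in flag_attachments(SAMPLE_ATTACHMENTS, minimum="low"):
        print(finding["risk"], repr(finding["displayed_name"]), "->", finding["actual_ext"])
```

Because the classification keys on the stripped name, a mail filter built on it is not fooled by the rendering at all; the displayed name is computed only so the analyst can see what the recipient would have seen.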
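The installation pattern described above (payload in a vendor-named subfolder of %APPDATA%, started by a scheduled task every 10 minutes) is easy to hunt for on an endpoint. The following Python script is an added example, not code from ESET or from this report, that triages an export of scheduled tasks. It assumes the export was produced with `schtasks /query /fo csv /v` and keeps only the four columns it needs; the rows are constructed for this example, and the two interval formats it parses (H:MM:SS and "N Hour(s), M Minute(s)") are assumptions about that export, so adjust the parser to whatever your inventory tool emits.

```python
import csv
import io
import re

# Constructed sample export. Column names are assumed to follow `schtasks /query /fo csv /v`
# (only the four columns used below are kept); every row is invented for this example.
SAMPLE_TASKS_CSV = r'''"TaskName","Task To Run","Repeat: Every","Run As User"
"\Microsoft\Windows\UpdateOrchestrator\Schedule Scan","%windir%\system32\usoclient.exe StartScan","Disabled","SYSTEM"
"\AdobeUpdateTask","C:\Users\alice\AppData\Roaming\Adobe\AdobeUpd.exe","0 Hour(s), 10 Minute(s)","alice"
"\IntelGfx","%APPDATA%\Intel\igfxsvc.exe","0:10:00","alice"
"\OneDrive Update","%LOCALAPPDATA%\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe","1 Hour(s), 0 Minute(s)","alice"
'''

# Dropper location from the report: an executable in a vendor-named subfolder directly
# under %APPDATA% (the Roaming profile), which real vendor installers rarely use.
VENDOR_APPDATA = re.compile(
    r"(?:%APPDATA%|\\AppData\\Roaming)\\(Adobe|Intel|Microsoft)\\[^\\\"]+\.(?:exe|scr|dll)\b",
    re.IGNORECASE,
)
MAX_REPEAT_MINUTES = 15  # repetition at or below this is treated as beaconing-like


def repeat_minutes(value):
    """Parse the 'Repeat: Every' cell into minutes; None when the task does not repeat."""
    v = value.strip()
    m = re.fullmatch(r"(\d+):(\d{2}):(\d{2})", v)  # H:MM:SS form
    if m:
        return int(m.group(1)) * 60 + int(m.group(2))
    hours = re.search(r"(\d+)\s*Hour", v)  # "0 Hour(s), 10 Minute(s)" form
    mins = re.search(r"(\d+)\s*Minute", v)
    if hours or mins:
        return (int(hours.group(1)) if hours else 0) * 60 + (int(mins.group(1)) if mins else 0)
    return None


def triage_tasks(csv_text):
    """Return one finding per task whose command and cadence match the report's persistence pattern."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        command = row["Task To Run"]
        path_hit = VENDOR_APPDATA.search(command)
        if not path_hit:
            continue  # command does not run from a vendor-named %APPDATA% folder
        interval = repeat_minutes(row["Repeat: Every"])
        # Path match alone is worth a look; path match plus a tight repeat interval is the full pattern.
        severity = "high" if interval is not None and interval <= MAX_REPEAT_MINUTES else "medium"
        findings.append({
            "task": row["TaskName"],
            "command": command,
            "vendor_folder": path_hit.group(1),
            "repeat_minutes": interval,
            "run_as": row["Run As User"],
            "severity": severity,
        })
    return findings


if __name__ == "__main__":
    for f in triage_tasks(SAMPLE_TASKS_CSV):
        print(f["severity"], f["task"], f["command"], "every", f["repeat_minutes"], "min")
```

The rule deliberately ignores %LOCALAPPDATA%, where some legitimate Microsoft components do run from, and keys on the Roaming profile plus the three vendor names named in the report; widen the folder list only after confirming what is normal in your own environment.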