The analysis below reflects our observations during the month of March 2022. We also want to thank Maria Jose Erquiaga for her contribution to the introduction and her help during the writing process.
Overview
As the Russian-Ukrainian conflict continues beyond conventional warfare, cybersecurity professionals have watched their field become a real front line. Threat actors choosing sides [1], group members turning against each other [2], some people handing out DDoS tools [3], others blending in to turn the situation into profit [4], and many other stories prove that this new front is changing daily, and that its direct impact is not limited by geographical boundaries.
While attacks appear to evolve daily, it is hard for anyone to stay up to date with everything that is going on. We therefore believe it is important to distinguish between information and actionable intelligence. In Cisco Global Threat Alerts, we would like to share our observations related to this conflict during March 2022 and explore how we can turn them into actionable intelligence together.
Threat Actors in the Russian-Ukrainian Conflict
Since the rapid escalation of the conflict in 2022, security researchers and analysts have been gathering information about the adversarial groups, malware, techniques, and types of attacks employed [1, 5, 6]. Some of the groups and malware related to the conflict are described in Table 1:
| Threat Actor | Malware | Location |
| --- | --- | --- |
| Gamaredon [7] | Pteranodon [8] | Crimea |
| Sandworm [9] | CyclopsBlink [10] | Russia |
| WizardSpider [11] | Cobalt Strike [12], Emotet [13], Conti [14], Ryuk [15], Trickbot [16] | Russia |
Table 1: Threat actors and their relations
Gamaredon
The Gamaredon group, also known as Primitive Bear, Shuckworm and ACTINIUM, is an advanced persistent threat (APT) based in Russia. Its activities can be traced back as early as 2013, prior to Russia's annexation of the Crimean Peninsula. The group is known to target Ukrainian state institutions and western government entities located in Ukraine. Ukrainian officials attribute it to the Russian Federal Security Service, also known as the FSB [17].
Gamaredon typically uses malicious office files, distributed through spear phishing, as the first stage of its attacks. It is known to use a PowerShell beacon called PowerPunch to download and execute malware for the subsequent stages. Pterodo and QuietSieve are common malware families that the group deploys for stealing information and for various actions on the target [18].
We were able to collect network IoCs related to Gamaredon infrastructure. During our initial analysis, most of the indicators were not attributed directly to any specific malware; they were instead listed as part of Gamaredon's infrastructure. We therefore wanted to analyze that infrastructure to understand the group's arsenal and deployment in greater detail.
Network Infrastructure
The first part of this research focuses on WHOIS record analysis. We observed that Gamaredon domains were predominantly registered through REG[.]RU. Creation dates go back as early as February 2019 and show a changing pattern in the registrant email. Until August 2020, message-yandex.ru@mail[.]ru was the main registrant email. Later it shifted to macrobit@inbox[.]ru, mixed with occasional use of message-yandex.ru@mail[.]ru and tank-bank15@yandex[.]ru. Domain creation dates in some of the WHOIS records are as recent as March 2022.
Apart from the WHOIS information, the domains we observed in Gamaredon campaigns had a distinctive naming convention. While the dataset consisted of domain labels (without TLDs) varying between 4 and 16 characters, 70% of them were between 7 and 10 characters long. Combined with the limited set of top-level domains (TLDs) used (see Table 2), this gives us a naming pattern for further attribution. Moreover, the TLD chosen at domain creation appears to rotate over time.
| TLD | Distribution | TLD Usage |
| --- | --- | --- |
| online | 42.07% | 08/2020-02/2021, 02/2022 |
| xyz | 29.47% | 06/2022-08/2022, 02/2022-03/2022 |
| ru | 14.22% | 08/2020, 05/2021-02/2022 |
| site | 8.94% | 07/2020-02/2021 |
| space | 2.64% | 02/2019-06/2020 |
Table 2: TLD distribution and time in use
For domain resolutions, we analyzed the distribution of autonomous system numbers (ASNs) of the resolved IP addresses (see Table 3). Once again, REG[.]RU leads the list, hosting most of the domains. TimeWeb came second this time, with 28% of the domains we found to be related to Gamaredon activity. Domains with the '.online' and '.ru' TLDs update their IP resolutions regularly, almost daily.
| Owner | ASN | Common Networks | Distribution |
| --- | --- | --- | --- |
| REG.RU, Ltd | AS197695 | 194.67.71.0/24, 194.67.112.0/24, 194.58.100.0/24, 194.58.112.0/24, 194.58.92.0/24, 89.108.81.0/24 | 45.93% |
| TimeWeb Ltd. | AS9123 | 185.104.114.0/24, 188.225.77.0/24, 188.225.82.0/24, 94.228.120.0/24, 94.228.123.0/24 | 28.25% |
| EuroByte LLC | AS210079 | 95.183.12.42/32 | 10.56% |
| AS-CHOOPA | AS20473 | 139.180.196.149/32 | 5.08% |
| LLC Baxet | AS51659 | 45.135.134.139/32, 91.229.91.124/32 | 2.23% |
| System Service Ltd. | AS50448 | 109.95.211.0/24 | 1.82% |
Table 3: Distribution of IP addresses per ASN and owner
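The registrar, registrant email, TLD and label-length observations above can be combined into a scoring heuristic for triaging newly seen domains against this infrastructure pattern. The Python below is an added example, not code from the post or from Cisco; the weights, the threshold and the sample WHOIS records are assumptions.

```python
import re

# Features observed in the WHOIS analysis above; the weights are an assumption.
SUSPECT_REGISTRAR = "REG.RU"
SUSPECT_EMAILS = {"message-yandex.ru@mail.ru", "macrobit@inbox.ru", "tank-bank15@yandex.ru"}
SUSPECT_TLDS = {"online", "xyz", "ru", "site", "space"}
LABEL_RE = re.compile(r"^[a-z0-9-]+$")

def refang(value):
    """Undo the [.] defanging used in the post so records can be compared."""
    return value.lower().replace("[.]", ".").rstrip(".")

def split_domain(domain):
    """Return (second-level label, TLD) for a plain or defanged domain."""
    label, _, tld = refang(domain).rpartition(".")
    return label, tld

def score_record(rec):
    """Score one WHOIS-style record; returns (score, reasons) so the analyst sees why it surfaced."""
    label, tld = split_domain(rec["domain"])
    checks = [
        (2, "registrar REG.RU", refang(rec.get("registrar", "")) == SUSPECT_REGISTRAR.lower()),
        (3, "known registrant email", refang(rec.get("registrant_email", "")) in SUSPECT_EMAILS),
        (1, f"TLD .{tld}", tld in SUSPECT_TLDS),
        (1, "label length 7-10", bool(LABEL_RE.match(label)) and 7 <= len(label) <= 10),
    ]
    hits = [(points, reason) for points, reason, ok in checks if ok]
    return sum(p for p, _ in hits), [r for _, r in hits]

def triage(records, threshold=4):
    """Return (domain, score, reasons) for records at or above the threshold, highest first."""
    scored = [(rec["domain"], *score_record(rec)) for rec in records]
    return sorted((s for s in scored if s[1] >= threshold), key=lambda s: -s[1])

# Constructed sample records (not real WHOIS data); the first domain appears in Table 4.
SAMPLE_RECORDS = [
    {"domain": "corolain[.]ru", "registrar": "REG.RU", "registrant_email": "macrobit@inbox.ru"},
    {"domain": "shop[.]online", "registrar": "REG.RU", "registrant_email": "owner@example.net"},
    {"domain": "example-corp[.]com", "registrar": "Other Registrar", "registrant_email": "hostmaster@example.com"},
]

if __name__ == "__main__":
    for domain, score, reasons in triage(SAMPLE_RECORDS):
        print(f"{domain}: {score} ({', '.join(reasons)})")
```

A registrar or TLD match alone stays below the threshold, so only domains that combine several of the observed features are surfaced for a pivot.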
Tooling
Having covered the infrastructure, let's move on to the group's arsenal. We looked at file samples associated with the domains through Umbrella and VirusTotal. A sample of the results is shown below. Looking at the file types, we can see that the Gamaredon group prefers malicious office documents with macros. The group is also known to use Pterodo, a constantly evolving custom backdoor [8, 18].
| Domain | Hash | Type | Malware |
| --- | --- | --- | --- |
| acetica[.]online | 4c12713ef851e277a66d985f666ac68e73ae21a82d8dcfcedf781c935d640f52 | Office Open XML Document | Groooboor |
| arvensis[.]xyz | 03220baa1eb0ad80808a682543ba1da0ec5d56bf48391a268ba55ff3ba848d2f | Office Open XML Document | Groooboor |
| email-smtp[.]online | 404ed6164154e8fb7fdd654050305cf02835d169c75213c5333254119fc51a83 | Office Open XML Document | Groooboor |
| gurmou[.]site | f9a1d7e896498074f7f3321f1599bd12bdf39222746b756406de4e499afbc86b | Office Open XML Document | Groooboor |
| mail-check[.]ru | 41b7a58d0d663afcdb45ed2706b5b39e1c772efd9314f6c1d1ac015468ea82f4 | Office Open XML Document | Groooboor |
| office360-expert[.]online | 611e4b4e3fd15a1694a77555d858fced1b66ff106323eed58b11af2ae663a608 | Office Open XML Document | Groooboor |
| achilleas[.]xyz | f021b79168daef8a6359b0b14c0002316e9a98dc79f0bf27e59c48032ef21c3d | Office Open XML Document | Macro enabled Word Trojan |
| anisoptera[.]online | 8c6a3df1398677c85a6e11982d99a31013486a9c56452b29fc4e3fc8927030ad | MS Word Document | Macro enabled Word Trojan |
| erythrocephala[.]online | 4acfb73e121a49c20423a6d72c75614b438ec53ca6f84173a6a27d52f0466573 | Office Open XML Document | Macro enabled Word Trojan |
| hamadryas[.]online | 9b6d89ad4e35ffca32c4f44b75c9cc5dd080fd4ce00a117999c9ad8e231d4418 | Office Open XML Document | Macro enabled Word Trojan |
| intumescere[.]online | 436d2e6da753648cbf7b6b13f0dc855adf51c014e6a778ce1901f2e69bd16360 | MS Word Document | Macro enabled Word Trojan |
| limosa[.]online | 0b525e66587e564db10bb814495aefb5884d74745297f33503d32b1fec78343f | MS Word Document | Macro enabled Word Trojan |
| mesant[.]online | 936b70e0babe7708eda22055db6021aed965083d5bc18aad36bedca993d1442a | MS Word Document | Macro enabled Word Trojan |
| sufflari[.]online | 13b780800c94410b3d68060030b5ff62e9a320a71c02963603ae65abbf150d36 | MS Word Document | Macro enabled Word Trojan |
| apusa[.]xyz | 23d417cd0d3dc0517adb49b10ef11d53e173ae7b427dbb6a7ddf45180056c029 | Win32 DLL | Pterodo |
| atlanticos[.]site | f5023effc40e6fbb5415bc0bb0aa572a9cf4020dd59b2003a1ad03d356179aa1 | VBA | Pterodo |
| barbatus[.]online | 250bd134a910605b1c4daf212e19b5e1a50eb761a566fffed774b6138e463bbc | VBA | Pterodo |
| bitsadmin2[.]space | cfa58e51ad5ce505480bfc3009fc4f16b900de7b5c78fdd2c6d6c420e0096f6b | Win32 EXE | Pterodo |
| bitsadmin3[.]space | 9c8def2c9d2478be94fba8f77abd3b361d01b9a37cb866a994e76abeb0bf971f | Win32 EXE | Pterodo |
| bonitol[.]online | 3cbe7d544ef4c8ff8e5c1e101dbdf5316d0cfbe32658d8b9209f922309162bcf | VBA | Pterodo |
| buhse[.]xyz | aa566eed1cbb86dab04e170f71213a885832a58737fcab76be63e55f9c60b492 | Office Open XML Document | Pterodo |
| calendas[.]ru | 17b278045a8814170e06d7532e17b831bede8d968ee1a562ca2e9e9b9634c286 | Win32 EXE | Pterodo |
| coagula[.]online | c3eb8cf3171aa004ea374db410a810e67b3b1e78382d9090ef9426afde276d0f | MS Word Document | Pterodo |
| corolain[.]ru | 418aacdb3bbe391a1bcb34050081bd456c3f027892f1a944db4c4a74475d0f82 | Win32 EXE | Pterodo |
| gorigan[.]ru | 1c7804155248e2596ec9de97e5cddcddbafbb5c6d066d972bad051f81bbde5c4 | Win32 EXE | Pterodo |
| gorimana[.]site | 90cb5319d7b5bb899b1aa684172942f749755bb998de3a63b2bccb51449d1273 | MS Word Document | Pterodo |
| krashand[.]ru | 11d6a641f8eeb76ae734951383b39592bc1ad3c543486dcef772c14a260a840a | Win32 EXE | Pterodo |
| libellus[.]ru | 4943ca6ffef366386b5bdc39ea28ad0f60180a54241cf1bee97637e5e552c9a3 | Win32 EXE | Pterodo |
| melitaeas[.]online | 55ad79508f6ccd5015f569ce8c8fcad6f10b1aed930be08ba6c36b2ef1a9fac6 | Office Open XML Document | Pterodo |
| mullus[.]online | 31afda4abdc26d379b848d214c8cbd0b7dc4d62a062723511a98953bebe8cbfc | Win32 EXE | Pterodo |
| upload-dt[.]hopto[.]org | 4e72fbc5a8c9be5f3ebe56fed9f613cfa5885958c659a2370f0f908703b0fab7 | MS Word Document | Pterodo |
Table 4: Domains, files (hash and type), and malware name associated with the Gamaredon group
After reviewing the behavior of the associated malicious samples, it becomes easier to build an attribution between a malicious domain and the corresponding sample. The IP address resolved from the domain is later used to establish command and control (C2) communication directly to that raw IP, with a distinctive URL pattern. The following example shows how 1c7804155248e2596ec9de97e5cddcddbafbb5c6d066d972bad051f81bbde5c4 resolves gorigan[.]ru and uses the resulting IP address to build a C2 URL of the form (http|https)://<IP>/<random alphanumerical string>. DNS and outgoing web traffic are therefore key to its detection.


Detecting Gamaredon Activity with Global Threat Alerts
In Cisco Global Threat Alerts, we track the Gamaredon group under the Gamaredon Activity threat object. The threat description is enriched with MITRE references (see Figure 3).

Figure 4 shows a detection sample of Gamaredon activity. Note that the infected device tried to communicate with the domains alacritas[.]ru, goloser[.]ru, and libellus[.]ru, which appeared to be sinkholed to the OpenDNS IP address 146.112.61[.]107.
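The two detection signals described on this page, a raw-IP C2 URL built from an address the host has just resolved (Tooling section) and lookups of attributed domains answered by the sinkhole (this section), can be expressed over DNS and proxy logs. The Python below is an added example, not code from the post or from Cisco; the log line formats, the in-code watchlist and the sample lines are assumptions, and the sample lines are constructed.

```python
import re
from ipaddress import ip_address, ip_network

OPENDNS_SINKHOLE = "146.112.61.107"  # sinkhole address named in the post
WATCHLIST = {"gorigan.ru", "alacritas.ru", "goloser.ru", "libellus.ru"}  # attributed domains
# C2 URL shape from the post: http|https://<IP>/<random alphanumerical string>
C2_URL_RE = re.compile(r"^https?://(\d{1,3}(?:\.\d{1,3}){3})/[A-Za-z0-9]{6,}/?$")
# Constructed log formats (assumption): "DNS <client> <qname> <answer>" and "PROXY <client> <url>"
DNS_RE = re.compile(r"^DNS (\S+) (\S+) (\S+)$")
PROXY_RE = re.compile(r"^PROXY (\S+) (\S+)$")
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def is_internal(ip):
    """True for RFC 1918/loopback (or malformed) addresses, which are not C2 candidates."""
    try:
        return any(ip_address(ip) in net for net in INTERNAL_NETS)
    except ValueError:
        return True

def scan(lines):
    """Walk log lines in order, correlating watchlist DNS answers with later raw-IP requests."""
    resolved, alerts = {}, []  # resolved: (client, answer_ip) -> watchlist domain
    for line in lines:
        m = DNS_RE.match(line)
        if m:
            client, qname, answer = m.groups()
            qname = qname.lower().rstrip(".")
            if qname in WATCHLIST:
                kind = "sinkholed_lookup" if answer == OPENDNS_SINKHOLE else "watchlist_lookup"
                alerts.append((kind, client, qname))
                resolved[(client, answer)] = qname
            continue
        m = PROXY_RE.match(line)
        c2 = C2_URL_RE.match(m.group(2)) if m else None
        if not c2 or is_internal(c2.group(1)):
            continue
        # A raw-IP request to an address this client resolved for an attributed domain is the
        # post's C2 behaviour end to end; otherwise flag the URL shape alone for review.
        kind = "c2_to_resolved_watchlist_ip" if (m.group(1), c2.group(1)) in resolved else "raw_ip_c2_pattern"
        alerts.append((kind, m.group(1), m.group(2)))
    return alerts

# Constructed sample lines (not a real capture); 198.51.100.x are documentation addresses.
SAMPLE_LOG = [
    "DNS 10.0.0.5 gorigan.ru 198.51.100.23",
    "PROXY 10.0.0.5 http://198.51.100.23/aZ81kQp2",
    "DNS 10.0.0.7 libellus.ru 146.112.61.107",
    "PROXY 10.0.0.9 http://198.51.100.77/Q7mXz0b1",
    "PROXY 10.0.0.9 https://10.0.0.20/dashboard",
]
```

Running `scan(SAMPLE_LOG)` yields four alerts: the watchlist lookup, the correlated C2 request from the same client, the sinkholed lookup, and a lower-confidence raw-IP URL match; the request to the internal host is ignored.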

Conclusion
We have walked through the steps of producing intelligence from the information we collected. We began our analysis with an unattributed list of network IoCs and were able to identify distinctive patterns in their metadata. We then pivoted to endpoint IoCs and attributed the domains to malware families. Finally, we showed how this was turned into a detection of the Gamaredon group displayed in the Cisco Global Threat Alerts portal.
For your convenience, here is a summary of the intelligence developed in this blog post:
| Property | Value |
| --- | --- |
| Aliases | Primitive Bear, Shuckworm, ACTINIUM |
| Type | Threat Actor |
| Originating From | Russia |
| Targets | Ukrainian State Organizations |
| Malware used | Pterodo, Groooboor |
| File Type | Macro enabled office files, Win32 EXE, VBA |
| TLDs used | .online, .xyz, .ru, .site, .space |
| ASNs used | REG.RU, Ltd, TimeWeb Ltd., EuroByte LLC, AS-CHOOPA, LLC Baxet, System Service Ltd. |
References
[1] Cyber Group Tracker: https://cyberknow.medium.com/update-10-2022-russia-ukraine-war-cyber-group-tracker-march-20-d667afd5afff
[2] Conti ransomware's internal chats leaked after siding with Russia: https://www.bleepingcomputer.com/news/security/conti-ransomwares-internal-chats-leaked-after-siding-with-russia/
[3] Hackers sound call to arms with digital weapon aimed at Russian websites: https://cybernews.com/news/hackers-sound-call-to-arms-with-digital-weapon-aimed-at-russian-websites/
[4] Threat advisory: Cybercriminals compromise users with malware disguised as pro-Ukraine cyber tools: https://blog.talosintelligence.com/2022/03/threat-advisory-cybercriminals.html
[5] Ukraine-Cyber-Operations: https://github.com/curated-intel/Ukraine-Cyber-Operations
[6] What You Need to Know About Russian Cyber Escalation in Ukraine: https://socradar.io/what-you-need-to-know-about-russian-cyber-escalation-in-ukraine/
[7] Gamaredon: https://attack.mitre.org/groups/G0047/
[8] Pteranodon: https://attack.mitre.org/software/S0147/
[9] Sandworm: https://attack.mitre.org/groups/G0034/
[10] Threat Advisory: Cyclops Blink: https://blog.talosintelligence.com/2022/02/threat-advisory-cyclops-blink.html
[11] Wizard Spider: https://attack.mitre.org/groups/G0102/
[12] Cobalt Strike: https://attack.mitre.org/software/S0154
[13] Emotet: https://attack.mitre.org/software/S0367
[14] Conti: https://attack.mitre.org/software/S0575
[15] Ryuk: https://attack.mitre.org/software/S0446
[16] TrickBot: https://attack.mitre.org/software/S0446
[17] Technical Report Gamaredon/Armageddon group: https://ssu.gov.ua/uploads/files/DKIB/Technical%20report%20Armagedon.pdf
[18] ACTINIUM targets Ukrainian organizations: https://www.microsoft.com/security/blog/2022/02/04/actinium-targets-ukrainian-organizations/