Geopolitical tensions often make headlines and present a golden opportunity for threat actors to exploit the situation, especially those targeting high-profile victims. In the past month, while the Russian invasion of Ukraine was unfolding, Check Point Research (CPR) observed advanced persistent threat (APT) groups around the world launching new campaigns, or quickly adapting ongoing ones, to target victims with spear-phishing emails using the war as a lure. The attackers use decoys ranging from official-looking documents to news articles or even job postings, depending on the targets and region. Many of these lure documents use malicious macros or template injection to gain an initial foothold in the targeted organizations and then launch malware attacks. The use of the conflict as bait is not limited to a specific region or APT group; it spans Latin America, the Middle East and Asia. In this article, CPR provides an overview of several campaigns by different APT groups that use the ongoing Russia-Ukraine war to increase the efficiency of their operations. CPR discusses the victimology of these campaigns and the tactics used, and provides technical analysis of the observed malicious payloads and malware. Below are the campaigns identified and profiled in this article:
Latin America: El Machete APT (financial and governmental sectors; Nicaragua, Venezuela)
Middle East: Lyceum (energy sector; Israel, Saudi Arabia)
South Asia: SideWinder (entities in Pakistan)
Latin America: El Machete APT
Targets: Financial and governmental sectors
Kaspersky first publicly disclosed El Machete, a Spanish-speaking threat actor that focuses on Latin American targets, in 2014, with the group’s activity dating back to 2010. The group’s activities have persisted throughout the years, adopting the practice of using government-themed documents as decoys, as well as lures related to the current political situation.
In mid-March, El Machete was spotted sending spear-phishing emails to financial organizations in Nicaragua, with an attached Word document titled “Dark plans of the neo-Nazi regime in Ukraine.” The document contained an article written and published by Alexander Khokholikov, the Russian Ambassador to Nicaragua that discussed the Russo-Ukrainian conflict from the perspective of the Kremlin.
Figure 1 – Lure document that contains an article about the Russia-Ukraine conflict, sent by El Machete APT to Nicaraguan financial institutions.
The malicious macro inside the document drops a base64-encoded file named ~djXsfwEFYETE.txt and uses the built-in certutil.exe to decode it to ~djXsfwEFYETE.vbe, an encoded VBScript file. The macro then launches wscript.exe to execute the .vbe file, whose primary objective is to run msiexec.exe with a remotely hosted .msi file titled Adobe.msi, which masquerades as Adobe software.
Figure 2 – Schema of the main components of the infection chain.
The Adobe.msi installer initially installs malware-related files to a subfolder in the user’s TEMP directory. Later, the malware copies itself from the TEMP directory to a working directory C:\ProgramData\PD, which is set as hidden to make sure users do not see it when they open the ProgramData folder in File Explorer. The malware is primarily written in Python, and comes with two different Python interpreters that also masquerade as executables related to Adobe, AdobeReaderUpdate.exe and ReaderSetting.exe. The malware sets up persistence via a scheduled task that runs every 5 minutes, pretending to be an update task for Adobe Reader named UpdateAdobeReader. The task executes the AdobeReaderUpdate script, a customized version of the open-source Loki.Rat which has been used by the El Machete APT group in an ongoing campaign since 2020.
The malware does not have a hardcoded C&C server address. Instead, it relies on a file called license.dll, which contains a Base64-encoded URL to a BlogSpot webpage. This page seemingly contains security-related content and discusses asymmetric encryption. However, embedded inside the BlogSpot page is another base64 string that contains the encoded C&C URL that the malware eventually uses. To find the relevant URL, the malware searches between two hardcoded strings that are 6-7 characters long. They tend to follow the pattern /AAAA/ and *AAAA/, where AAAA represents a 4-5-letter string.
Figure 3 – BlogSpot page used by Adobe.msi. The C&C server is encoded between /noul/ and *noul/.
This method of retrieving the C&C servers has several advantages. Foremost, it easily allows the attacker to make the initial connection look innocuous by connecting to a subdomain of a known and seemingly benign server (blogspot.com). In addition, the attackers can switch C&C infrastructure very easily without having to redeploy new code to the victims’ machines.
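As an added illustration (my own code, not from the CPR write-up or from the malware), the Python below reproduces the two-stage lookup from an analyst’s side: it decodes a constructed license.dll blob to the dead-drop page URL, then pulls every /XXXX/ … *XXXX/ marker pair out of a constructed page body and decodes the C&C URL between the markers. The blog URL and C&C address are placeholders; the /noul/ token is taken from Figure 3.

```python
import base64
import re

# Constructed stand-in for the contents of license.dll: a base64-encoded URL
# that points at the dead-drop blog page (the real value is not in the article).
LICENSE_DLL_BYTES = base64.b64encode(
    b"https://blog-placeholder.blogspot.com/2022/03/asymmetric.html"
)

# Constructed stand-in for the fetched BlogSpot page. The /noul/ ... *noul/ pair
# follows the marker pattern described above; the C&C URL inside is a placeholder.
C2_URL_PLACEHOLDER = "http://c2-placeholder.invalid/gate.php"
BLOG_PAGE = (
    "<html><body><h1>Asymmetric encryption explained</h1>"
    "<p>Public-key cryptography uses a key pair ...</p>"
    "<p style='display:none'>/noul/"
    + base64.b64encode(C2_URL_PLACEHOLDER.encode()).decode()
    + "*noul/</p></body></html>"
)

# Opening /XXXX/ and closing *XXXX/ must carry the same 4-5 letter token
# (backreference \1); the base64 payload sits between them.
MARKER_RE = re.compile(r"/([A-Za-z]{4,5})/([A-Za-z0-9+/=]+)\*\1/")


def decode_stage_one(license_blob):
    """Decode the Base64 URL stored in license.dll to get the dead-drop page URL."""
    return base64.b64decode(license_blob, validate=True).decode("utf-8")


def extract_c2_urls(page):
    """Return (marker_token, decoded_c2_url) pairs found in a dead-drop page."""
    found = []
    for token, payload in MARKER_RE.findall(page):
        try:
            url = base64.b64decode(payload, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue  # not a valid base64 block between the markers; skip it
        # Only keep values that actually look like a C&C URL.
        if url.startswith(("http://", "https://")):
            found.append((token, url))
    return found


if __name__ == "__main__":
    print("dead-drop page:", decode_stage_one(LICENSE_DLL_BYTES))
    for token, url in extract_c2_urls(BLOG_PAGE):
        print(f"marker {token!r} -> C&C {url}")
```

Running the same extractor over a cached copy of a suspected dead-drop page gives a hunter the current C&C address without executing the sample.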
The data is submitted to the C&C server in a somewhat obfuscated but consistent JSON format:
The tag in the d4 field used by the Adobe malware is Utopiya_Nyusha_Maksim, which El Machete has used since 2020.
The Loki.Rat Backdoor
Each of the Python script files is obfuscated using base64 encoding. However, once decoded from base64, the code is relatively straightforward, with only minor variable-name obfuscation.
Figure 4 – Deobfuscated AdobeReaderUpdate script.
Malware capabilities include:
Keylogging – The keylogger runs as a separate process and script: the ReaderSetting.exe Python interpreter is used to run a separate file called SearchAdobeReader.
Collect credentials stored in Chrome and Firefox browsers.
Upload and download files.
Collect information about the files on each drive – collect file names and file sizes for all files with an extension from the list .doc, .docx, .pdf, .xlsx, .xls, .ppt, .pptx, .jpg, .jpeg, .rar, .zip, .odt, .ott, .odm, .ods, .ots, .odp, except in excluded (system, temp) folders.
Collect clipboard data.
Commands and payloads
The actors first send several commands to understand if the infected machine is interesting enough to proceed: these commands perform screenshots, keylogging, and listing files on the system. If deemed worthwhile, the actors execute a command to download and install another malware, JavaOracle.msi, via msiexec.exe.
Similar to Adobe.msi, JavaOracle.msi installs a Python-based malware and uses scheduled tasks for persistence. However, the Python scripts are not based on the Loki.Rat backdoor, although they offer some similar functionality through the modules placed in the directory Libs\site-packages\Java. The malware was observed launching multiple Python interpreters in parallel, each one running a different module. The Python executables are disguised as JavaHosts.exe, JavaExt.exe and JavaAdd.exe, and the actors also use these Python “clones” to check if a certain script/module is running, based on the process name. The modules include the following capabilities:
Download a payload from the C&C server (GAME module) – The code implies that the payload is expected to be either a .exe or a .msi file. The payload is written to the directory C:\ProgramData\ControlD\, which it sets as a folder with system and hidden attributes.
Keylogger (TIME module) – This is similar to the one that came with the Adobe.msi payload, but it never writes to disk. Instead, it posts the keylogger data directly to the C&C server.
BOX module – This iterates over files in the system and uploads files of interest that are less than 5 MB, encoded as base64. The module first checks connectivity by opening a TCP socket to google.es. If the site is not accessible, the script exits.
Screenshot (LIST module) – The module saves screenshots to -shopt.png inside a directory masquerading as Microsoft, namely %APPDATA%\Microsoft\ControlDesktop\. It then uploads the screenshot to the C&C server and proceeds to delete all PNG files in this directory. Similar to BOX, it initially checks that it can open a TCP socket to google.ru. If it fails, the script exits.
Clipboard stealer (SCAN module) – Posts the data directly to the C&C server, without writing the data to disk. Before doing so, it checks that it can open a TCP connection to google.ru.
The malware from the JavaOracle.msi file seems to be using a new hardcoded tag, Foo_Fighters_Everlong. The timing appears to be coincidental, as the payload was first seen a few days before the news that Foo Fighters drummer Taylor Hawkins died.
Figure 5 – JavaOracle code steals the clipboard contents and posts the data to the C&C with a custom tag.
Targets and goals
Although this specific email targeted a financial institution in Nicaragua, multiple artifacts suggest that it is part of a larger campaign, which also targets government entities in Venezuela. Judging by the activities the actors perform in the infected networks, the whole campaign appears to be a cyberespionage operation, consistent with the previously disclosed activity of the same group. This indicates that the El Machete APT group continues to operate with slightly changing TTPs, even after researchers published technical descriptions and indicators of compromise for the malware used by the group.
Middle East: Lyceum
Targets: Energy sector
Believed to be active since 2017, Lyceum is an Iranian APT group operating in the Middle East and Africa, known for targeting sectors of strategic national importance to carry out cyber espionage. In mid-March, an Israeli energy company received an email from the address inews-reporter@protonmail[.]com with the subject “Russian war crimes in Ukraine”. The email contained a few pictures taken from public media sources and a link to an article hosted on the news-spot[.]live domain:
Figure 6 – Lure email utilizing the Russia-Ukraine conflict theme, sent by Lyceum group.
The link in the email leads to a document that contains the article “Researchers gather evidence of possible Russian war crimes in Ukraine” published by The Guardian:
Figure 7 – Lure document that contains The Guardian article on possible Russian war crimes in Ukraine.
The same domain hosts a few more malicious documents related to Russia and the Russia-Ukraine conflict, such as a copy of a 2020 article by The Atlantic Council on Russian nuclear weapons, and a job posting for an “Extraction / Protective Agent” in Ukraine:
Figure 8 – Russia-Ukraine war-related decoy documents used by the Lyceum APT group.
The malicious Office document executes macro code when the document is closed. The macro deobfuscates an executable embedded in the document and saves it to the %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\ directory. With this method, the payload is not executed directly by the Office document; it runs the next time the computer is restarted.
As part of the wider Lyceum campaign, we also observed different executable droppers. These are executables bearing PDF icons, not documents:
Figure 9 – Two variants of Lyceum infection chain: lures related to the RU-UA conflict (top) and to Iran (bottom).
All the executables are written slightly differently, but the main idea is the same: first, the dropper extracts a lure PDF file embedded as a resource and opens it; then, in the background and unnoticed by the victim, it downloads and executes the payload. We identified three categories of droppers:
.NET DNS dropper – Used to drop the .NET DNS backdoor (discussed later):
Figure 10 – The .NET dropper opens the decoy PDF and downloads the payload.
.NET TCP Dropper – Drops the .NET HTTP backdoor variant, and adds a scheduled task to run it.
Golang Dropper – Drops the Golang backdoor to the Startup folder and the Public\Downloads folder. In addition, it drops a PDF file (a report about the Iranian cyber threat, similar to the other droppers) to the Public\Downloads folder and opens it. After the PDF report is opened, the dropper finally executes the Golang backdoor from the Public\Downloads folder.
Figure 11 – Code snippet of the Golang dropper, which drops a Golang backdoor and a PDF report titled “Iranian Cyber Threat”.
The dropped files can be downloaded from the internet, or extracted from the dropper itself, depending on the sample.
Each dropper brings its own type of payload. We observed the following backdoors deployed:
.NET DNS Backdoor
The .NET DNS backdoor is a modified version of a tool called DnsDig, with code added to form frm1 that uses HeijdenDNS and DnsDig capabilities.
Figure 12 – Original DnsDig tool (left) vs Modified DnsDig (added frm1).
The backdoor uses DNS tunneling to communicate with its C&C server, and is able to download/upload files and execute commands.
.NET TCP Backdoor
The backdoor communicates with the C&C using raw TCP sockets, and it implements its own communication protocol on top of this. Each sample contains a configuration that defines how it should communicate with the C&C, including separator characters, TCP ports and mapping of command types to numbers:
Figure 13 – Configuration snippet of the .NET TCP backdoor.
Although the malware contains a configuration for the C&C communication, it still uses hardcoded values in the code itself, instead of the configuration constants. This indicates that the malware might still be under active development.
The capabilities of this backdoor include:
List installed applications.
Golang HTTP Backdoor
The execution of the HTTP backdoor, written in Golang, consists of three stages that run in a loop:
Stage 1 – Connectivity check. The malware generates a unique ID for the victim, based on the MD5 hash of the username. It then sends an empty HTTP POST request to the URI /GO/1.php of the C&C server. If the server responds with OK, the backdoor continues to the next stage.
Stage 2 – Victim registration. In this step, the malware sends basic details of the victim in a POST request to the URI /GO/2.php, to register the victim in the attacker’s C&C server.
Stage 3 – Commands retrieval and execution. The malware sends HTTP POST requests to the URI /GO/3.php to get commands for execution. Like the other backdoors we described, this backdoor supports commands that allow it to download/upload files and execute shell commands.
Figure 14 – Network traffic of the Golang HTTP backdoor, per execution stage
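An added detection example (my own code, not from the CPR report) that applies the three-stage pattern above to proxy logs: it flags any client that POSTs to /GO/1.php, /GO/2.php and /GO/3.php on the same host in that order, and counts the subsequent /GO/3.php polls. The log format, client addresses and hostnames are constructed, and the C&C domain is a placeholder; the rule keys only on the URI sequence, not on the MD5-based victim ID.

```python
import re
from collections import defaultdict

# Constructed proxy log lines (not real telemetry):
# "<timestamp> <client_ip> <method> <url> <status>"
SAMPLE_LOG = """\
2022-03-15T09:00:01Z 10.0.0.5 GET http://intranet.local/index.html 200
2022-03-15T09:00:07Z 10.0.0.9 POST http://c2-placeholder.invalid/GO/1.php 200
2022-03-15T09:00:08Z 10.0.0.9 POST http://c2-placeholder.invalid/GO/2.php 200
2022-03-15T09:00:13Z 10.0.0.9 POST http://c2-placeholder.invalid/GO/3.php 200
2022-03-15T09:00:18Z 10.0.0.9 POST http://c2-placeholder.invalid/GO/3.php 200
2022-03-15T09:01:00Z 10.0.0.7 POST http://shop.local/GO/2.php 200
2022-03-15T09:02:00Z 10.0.0.7 GET http://shop.local/GO/1.php 200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) "
    r"(?P<scheme>https?)://(?P<host>[^/\s]+)(?P<path>/\S*) (?P<status>\d{3})$"
)
# The stage URIs in the order the backdoor walks through them.
STAGE_PATHS = ("/GO/1.php", "/GO/2.php", "/GO/3.php")


def parse_log(text):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def find_stage_sequences(text):
    """Return {(client, host): number of /GO/3.php polls} for every client that
    POSTed to /GO/1.php, /GO/2.php and /GO/3.php on one host, in that order."""
    progress = defaultdict(int)  # (client, host) -> stages completed in order
    polls = {}                   # (client, host) -> /GO/3.php polls after completion
    for rec in parse_log(text):
        if rec["method"] != "POST" or rec["path"] not in STAGE_PATHS:
            continue
        key = (rec["src"], rec["host"])
        stage = STAGE_PATHS.index(rec["path"])
        if stage == progress[key]:          # this is the expected next stage
            progress[key] += 1
        if progress[key] == len(STAGE_PATHS) and stage == 2:
            polls[key] = polls.get(key, 0) + 1
    return polls


if __name__ == "__main__":
    for (client, host), n in find_stage_sequences(SAMPLE_LOG).items():
        print(f"ALERT {client} completed /GO/1-2-3.php chain to {host}, {n} poll(s)")
```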
Attribution and victimology
In addition to targets in the Israeli energy sector, when hunting for the files and infrastructure related to this attack, CPR observed some artifacts uploaded to VirusTotal (VT) from Saudi Arabia. Although these artifacts contain traps related to Iran, the other documents found on the relevant infrastructure suggest that the group might have used the baits related to the Russia-Ukraine war in Saudi Arabia as well, and probably in other countries in the region, which is the primary focus of the group’s activities.
As well as the clear victimology, other indicators that suggest this activity is from the Lyceum APT group include:
Use of the Heijden.DNS open-source library, which Lyceum used in previous attacks. This time, the actors did not obfuscate the library name but modified a tool named DnsDig that uses Heijden.DNS.
The DNS tunneling technique in the C&C communication, widely used in previous Lyceum campaigns.
Overlaps in the infrastructure, such as known Lyceum C&C servers hosted on the same ASN and in the same networks as the C&C servers of this campaign, and use of the same domain registrars, such as Namecheap.
Use of Protonmail email addresses to send the malicious email to their targets or to register the domains.
Judging by the timestamp artifacts found and the registration dates of the malicious domains, this specific campaign has been running for a few months. The adoption of more relevant lures and constant malware retooling suggest that the Lyceum group will continue to conduct and adjust its espionage operations in the Middle East, despite public disclosures.
South Asia: SideWinder
Targets: Entities in Pakistan
SideWinder is a suspected Indian APT group that strongly focuses on Pakistani and Chinese government organizations. SideWinder’s malicious document, which also exploits the Russia-Ukraine conflict, was uploaded to VT in the middle of March. Judging by its content, the intended targets are Pakistani entities; the bait document contains a document from the National Institute of Maritime Affairs of Bahria University in Islamabad, titled “Focused talk on Russian Ukraine Conflict Impact on Pakistan.”
Figure 15 – Decoy document related to Russia-Ukraine war, by Sidewinder APT.
However, it is worth mentioning that a typical SideWinder APT payload is a .NET-based infostealer, originally called “SystemApp.dll”, and is capable of gathering system information, exfiltrating files from the infected machine and executing commands. The infostealer has been used with minor modifications in the group’s espionage campaigns since early 2019.
CPR shared a few examples of APT groups attempting to abuse the interest in the ongoing war between Russia and Ukraine. As some of these campaigns contain previously undisclosed technical details or updated malware, CPR researchers included Yara rules in the Appendix, which can assist with threat hunting for these APT campaigns and the tools they utilize.
Although the attention of the public does not usually linger on a single issue for an extended period, the Russian-Ukrainian war is an obvious exception. This war affects multiple regions around the world and has potentially far-reaching ramifications. As a result, we can expect that APT threat actors will continue to use this crisis to conduct targeted phishing campaigns for espionage purposes.