Pierluigi Paganini
June 04, 2019
The Gamaredon attacks against Ukraine don’t seem to have stopped. After a month since our last report we spotted a new suspicious email potentially linked to the Gamaredon group. The group was first discovered by Symantec and TrendMicro in 2015 but evidence of its activities has been dated back to 2013. During recent times, Gamaredon is targeting the Ukrainian military and law enforcement sectors too, as officially stated by the CERT-UA.
Cybaze-Yoroi ZLAB team dissected the artifact recovered from their latest attack to figure out evolution or changes in the threat actor TTPs.
The infection chain is composed by different stages of password protected SFX (self extracting archive), each containing vbs or batch scripts.
At the final stage of this malicious chain, we found a customized version of UltraVNC, a well known off-the-shelf tool for remote administration, modified by the Group and configured to connect to their command and control infrastructure. Despite its apparent triviality, the Matryoshka of SFX archives reached a low detection rate, making it effective.
| Hash | 5555a3292bc6b6e7cb61bc8748b21c475b560635d8b0cc9686b319736c1d828e |
| Threat | Gamaredon Pteranodon implant |
| Brief Description | SFX file |
| Ssdeep | 24576:PXwOrRsTyuURQFsVhIe74lpyevrM4vZxn6k1gQ Guo:PgwRAyuURQ2/1YpyeT7ok8 |
Table 1. Information about initial SFX file
The mail attachment is a RAR archive containing a folder named “suspected” in Ukrainan and a single suspicious file with “.scr” extension. At first glance, it is possible to notice the PowerPoint icon associated to the file, normally not belonging to .scr files.
The file has a very low detection rate on VirusTotal platform: only four AV engines are able to identify it as malicious and only on engine understands it may be associated to the Gamaredon implant.
After a quick analysis, the real nature of the .scr file emerges: it is a Self Extracting Archive containing all the files in Figure 4.
They are extracted into “%TEMP%\7ZipSfx.000\” and the first command to be executed is “15003.cmd”, which firstly checks for the presence of malware analysis tools. If it detects the presence of Wireshark or Procexp tools, it kill itself. Otherwise, it copies:
At the same time, the extracted document will be shown in order to divert the user attention and to continue the infection unnoticed. This document, written in Ukraine language, contains information about a criminal charge.
Instead, exploring the LNK file is possible to see it’s able to start the “winupd.exe” file, with a particular parameter: %USERPROFILE%\winupd.exe -puyjqystgblfhs. This behavior indicates the “winupd.exe” executable is another Self Extracting Archive, but this time it is password protected.
| Hash | fd59b1a991df0a9abf75470aad6e2fcd67c070bfccde9b4304301bc4992f678e |
| Threat | Gamaredon Pteranodon implant |
| Brief Description | SFX file |
| Ssdeep | 24576:bGKUQ8Lj7S6Jr1ye4SM4vzxn3k1jQ GujR:biJr1yeNxJkro |
Table 2. Information about second SFX file
When launched, it extracts its content in “%TEMP%\RarSFX0\”, then executes the “setup.vbs” script, which contains only two code lines. So, the execution flow moves on “1106.cmd”.
The source code of “1106.cmd” is full of junk instructions. However, in the end it performs a simple action: it writes a new VBS script in “%APPDATA%\Microsoft\SystemCertificates\My\Certificates\” . This script tries to download another malicious file from “http://bitvers.ddns[.net/{USERNAME}/{DATE}/index.html”. Performing many researches abot this server we noticed the continuously modification of associated records. Indeed, the attacker has changed many time the domain names in the latest period. Moreover, querying the services behind the latest associated DNS record the host responds with “403 Forbidden” message too, indicating the infrastructure may still be operative.
The scripts creates a new scheduled task in order to periodically execute (every 20 mins) the previous VBS script.
Also, it collects all the information about the victim’s system using the legit “systeminfo” Microsoft tool and sends them to the remote server through a POST request using the “MicrosoftCreate.exe” file, which actually is the legit “wget” utility. The response body will contain a new executable file, named “jasfix.exe”, representing the new stage.
| Hash | c479d82a010884a8fde0d9dcfdf92ba9b5f4125fac1d26a2e36549d8b6b4d205 |
| Threat | Gamaredon Pteranodon implant |
| Brief Description | SFX file |
| Ssdeep | 24576:Gfxwgmyg5EOJ+IIpBz2GAROm560XVEC1Ng MdfaQbhUfEIg+m:GJpgIdPzeRBJVEC1CMd |
Table 3. Information about third SFX file
After few researches, we were able to retrieve the “jasfix.exe” file, the next stage of the infection chain. After downloading it, we notice that it is another SFX archive other files.
The first file to be executed is “20387.cmd” that renames the “win.jpg” into “win.exe”, another password protected SFX.
| Hash | 28eff088a729874a611ca4781a45b070b46302e494bc0dd53cbaf598da9a6773 |
| Threat | Gamaredon Pteranodon implant |
| Brief Description | SFX file |
| Ssdeep | 24576:9GKUQ8vCTAaaJVssTk3OwO+vl+3yt6Xf IAR:9vaJes2Ocl7t9S |
Table 4. Information about fourth SFX file
This latest SFX archive follows the typical pattern of the Gamaredon archives Matryoshka, where the “.cmd” file is in designed to decrypt and run next stage. This time using the string “gblfhs” as password.
However, the file named “win32.sys” is particularly interesting: it actually is a PE32 executable file. Exploring the “.rsrc” section of the PE32 executable, we noticed different “.class” files. Two of them are named “VncCanvas” and “VncViewer”. These files are part of a legit Remote Administration Tool (RAT) named UltraVNC, available at this link.
The “win.exe” SFX archive contains other interesting files too: one of them is an “.ini” configuration file containing all the parameters and the password used by the UltraVNC tool.
Finally, the RAT tries to establish a connection to the “torrent-vnc[.ddns[.net” domain, headed to an endpoint reachable on 195.88.208.51, a VPS hosted by the Russian provider IPServer.
This recent attack campaign shows the Gamaredon operation are still ongoing and confirms the potential Russian interest about infiltrating the East European ecosystem, especially the Ukranian one. The techniques and the infection patterns the Group is using is extremely similar to the other attacks spotted in the past months of 2019, showing the Matryoshka structure to chain SFX archives, typical of their implant, but still effective and not easily detectable by several antivirus engines.
Also, digging into this infection chain, we noticed the come back of third party RATs as payload, a Gamaredon old habit that the usage of the custom-made Pterodo backdoor replaced few times ago.
Acknowledgement: special thanks to @JAMESWT_MHT for info and samples.
Technical details, including IoCs and Yara Rules, are available in the analysis published
https://blog.yoroi.company/research/the-russian-shadow-in-eastern-europe-a-month-later/
[adrotate banner=”9″][adrotate banner=”12″]
(
[adrotate banner=”5″]
[adrotate banner=”13″]
