Nation-state sponsored phishing campaign targeting Euro govt and refugee movement
A recent Proofpoint article highlighted activity it assessed as a likely nation-state sponsored phishing campaign against European government entities involved in the refugee movement. Compromised Ukrainian military email accounts were being used to distribute malicious macro-laden attachments that deliver a Lua-based malware Proofpoint dubbed SunSeed.
The activity follows reports from CERT-UA of increased phishing and disruptive operations against Ukrainian organizations by the Russian-associated group 'UNC1151', tracked by Proofpoint as TA445.
In this post, I have cited the original article but will summarize Proofpoint's findings and provide any additional context I may have.
Delivery
The original email detected by Proofpoint researchers was found on Feb. 24, 2022, inbound to a European government entity, and originated from ukr[.]net.
Email Subject: "IN ACCORDANCE WITH THE DECISION OF THE EMERGENCY MEETING OF THE SECURITY COUNCIL OF UKRAINE DATED 24.02.2022".
Malicious Attachment: "list of persons.xlsx" - Malicious macro-enabled XLSX file - SunSeed malware
Email Sender: The compromised sending email address was linked to a Ukrainian public procurement account for military unit A2622. Open-source research linked this account to the purchase of a Stihl lawn mower in 2016 where the email address was listed in the contact information.
The malware, once deployed, installs a series of Lua dependencies, executes a malicious script (SunSeed), and creates LNK files set to autorun at logon to establish persistence. The initial MSI package is titled qwerty_setup.msi. Additional technical details of the SunSeed installation can be found in Proofpoint's research paper.
Some odd observations were made when running the MSI package, such as the actor's use of the Japanese Shift-JIS code page. Language and code-page artifacts are often used to attribute activity to a particular region, but they are also a fairly common false-flag tactic among more capable threat groups/APTs conducting espionage campaigns, so they should not carry much weight on their own. Cryptography calls made by the MSI package also show that the files were created using an old version of WiX Toolset, an open-source tool that lets you "build MSI's without requiring additional software on a build server" from the command line.
SunSeed Malware
The SunSeed print.lua second-stage payload is a simple downloader: it appends the serial number of the host's C: partition to a URL and uses a Lua socket to poll the C2 server repeatedly for more Lua code. Whatever code is returned is executed immediately.
C2
The malware issues HTTP GET requests over port 80 through a Lua socket every three seconds. Appending the host's C: partition serial number is likely an attempt by the threat actor to track infected victims on their backend. It may also let operators be selective about which hosts receive the next payload, another indicator of a more advanced threat actor.
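The two behaviours described above, a fixed short beacon interval and a constant volume-serial-like value in the request, are exactly what a defender can hunt for in proxy or web logs. The following is an added example, not code from the original post or from Proofpoint: it groups plain-HTTP GETs by client, destination host and serial-like query value, then flags groups whose request intervals are short and nearly constant. The log format (ISO timestamp, client IP, method, URL), the C2 hostname, the `print.php?id=` parameter and the serial value are all constructed for illustration; Proofpoint's report does not name the real parameter, and the thresholds are starting points to tune against your own traffic.

```python
"""Beacon hunting over proxy logs (added example, not the original post's code).

Flags clients that issue plain-HTTP GETs to one host at a near-constant short
interval while carrying a constant 8-hex-digit query value, the shape of a
Windows volume serial number (e.g. 1A2B3C4D). This mirrors the described
SunSeed downloader behaviour; the sample log, host name, query parameter and
serial value below are constructed, not observed indicators.
"""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from urllib.parse import parse_qs, urlsplit

# Windows volume serial numbers print as 8 hex digits (often shown as XXXX-XXXX).
SERIAL_RE = re.compile(r"^[0-9A-Fa-f]{8}$")
# Constructed log format: "<iso-timestamp> <client-ip> <method> <url>"
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(GET|POST|HEAD)\s+(\S+)$")

# Constructed sample: 10.0.0.5 beacons every 3 s over HTTP with a serial-like id
# (should be flagged); 10.0.0.9 hits an intranet page irregularly (should not);
# 10.0.0.7 polls a CDN regularly but over HTTPS with a non-serial value (should not).
SAMPLE_LOG = """\
2022-02-25T10:00:00 10.0.0.5 GET http://c2.example.invalid/print.php?id=1A2B3C4D
2022-02-25T10:00:03 10.0.0.5 GET http://c2.example.invalid/print.php?id=1A2B3C4D
2022-02-25T10:00:06 10.0.0.5 GET http://c2.example.invalid/print.php?id=1A2B3C4D
2022-02-25T10:00:09 10.0.0.5 GET http://c2.example.invalid/print.php?id=1A2B3C4D
2022-02-25T10:00:12 10.0.0.5 GET http://c2.example.invalid/print.php?id=1A2B3C4D
2022-02-25T10:00:15 10.0.0.5 GET http://c2.example.invalid/print.php?id=1A2B3C4D
2022-02-25T10:00:01 10.0.0.9 GET http://intranet.example.invalid/news?id=1A2B3C4D
2022-02-25T10:00:40 10.0.0.9 GET http://intranet.example.invalid/news?id=1A2B3C4D
2022-02-25T10:03:10 10.0.0.9 GET http://intranet.example.invalid/news?id=1A2B3C4D
2022-02-25T10:00:02 10.0.0.7 GET https://cdn.example.invalid/lib.js?v=3
2022-02-25T10:00:05 10.0.0.7 GET https://cdn.example.invalid/lib.js?v=3
2022-02-25T10:00:08 10.0.0.7 GET https://cdn.example.invalid/lib.js?v=3
2022-02-25T10:00:11 10.0.0.7 GET https://cdn.example.invalid/lib.js?v=3
2022-02-25T10:00:14 10.0.0.7 GET https://cdn.example.invalid/lib.js?v=3
2022-02-25T10:00:17 10.0.0.7 GET https://cdn.example.invalid/lib.js?v=3
"""


def parse_log(text):
    """Return (timestamp, client, scheme, host, query_values) for each GET line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the hunt
        ts_raw, client, method, url = m.groups()
        if method != "GET":
            continue
        parts = urlsplit(url)
        values = [v for vals in parse_qs(parts.query).values() for v in vals]
        events.append((datetime.fromisoformat(ts_raw), client,
                       parts.scheme, parts.hostname, tuple(values)))
    return events


def find_beacons(events, min_hits=5, max_mean_interval=10.0, max_cv=0.25):
    """Flag (client, host, serial) groups that beacon at a short, steady interval.

    max_cv is the coefficient of variation (stdev / mean) of the gaps between
    requests; near zero means a fixed timer like SunSeed's three seconds.
    """
    groups = defaultdict(list)
    for ts, client, scheme, host, values in events:
        if scheme != "http":          # described behaviour is cleartext on port 80
            continue
        serials = [v for v in values if SERIAL_RE.match(v)]
        if not serials:
            continue
        groups[(client, host, serials[0])].append(ts)

    findings = []
    for (client, host, serial), stamps in groups.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg == 0:
            continue  # duplicate timestamps, not a timer
        cv = pstdev(gaps) / avg
        if avg <= max_mean_interval and cv <= max_cv:
            findings.append({"client": client, "host": host, "serial": serial,
                             "hits": len(stamps), "mean_interval_s": round(avg, 2),
                             "cv": round(cv, 3)})
    return findings


if __name__ == "__main__":
    for f in find_beacons(parse_log(SAMPLE_LOG)):
        print(f)
```

Run against the constructed sample, only 10.0.0.5 is reported, with a mean interval of 3.0 s and zero variation. Expect legitimate pollers (monitoring agents, update checkers) to trip the interval test too; the serial-like constant and the cleartext scheme narrow it, and in practice you would also whitelist known destinations before raising an alert.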
Victims
The victim list appears to include European government agencies, with targets being individuals with a range of expertise and professional responsibilities. Observations by the Proofpoint team indicate a focus on personnel responsible for transportation, financial and budget allocation, administration, and population movement within Europe.
Iffy Attribution
Attribution to UNC1151/Ghostwriter is not yet certain, but researchers have found overlaps with previous campaigns attributed to the group. Victimology, political sentiment, and other soft overlaps support attribution but are not conclusive. See the relationship chart below, provided in Proofpoint's research paper:
Conclusion
Proofpoint provides indicators of compromise (IOCs) that analysts and researchers can use to strengthen their detections.
As the conflict in Ukraine continues, we should expect more advanced campaigns of this kind targeting Ukraine and the NATO countries supporting it. This report covers the targeting of European entities, but it is likely not limited to them; the US government, defense contractors, and critical US sectors should also expect to be in the crosshairs of Russian-linked APTs.
Further reading: Proofpoint's original research paper