Since the outbreak of the global cyber war, Ukrainian state agencies and their allies have become targets of various malicious campaigns launched by a number of hacker collectives. Threat actors frequently take advantage of phishing attack vectors to conduct their adversarial campaigns, as in the December 2022 cyberattacks that distributed the DolphinCape and FateGrab/StealDeal malware.
On February 1, 2023, CERT-UA cybersecurity researchers issued a new alert, CERT-UA#5909, bringing to defenders' attention a fake web page that prompted targeted users to download software disguised as virus detection utilities. Hackers use this fraudulent web page, which masquerades as an official web resource of the Ukrainian Ministry of Foreign Affairs, as a lure to spread malware onto compromised systems. The hacker collective behind these attacks may include Russian-linked cybercriminals.
UAC-0114/Winter Vivern Activity: Analysis of the Latest Campaign Aimed at State Organizations
On the heels of another malicious campaign by the infamous Russian-backed Sandworm APT group (also known as UAC-0082), Ukrainian state bodies are once again under phishing attacks, together with government organizations of the Republic of Poland.
The latest alert CERT-UA#5909 details the ongoing malicious campaign targeting Ukrainian and Polish government organizations. In this cyberattack, hackers exploit a fake web page posing as the official web resource of Ukrainian state agencies to lure victims into downloading malicious software.
The infection chain begins by following a decoy link to rogue virus detection software, resulting in the download of the malicious “Protector.bat” file. The latter launches a set of PowerShell scripts, one of which applies a recursive search algorithm to scan the Desktop directory for files with specific extensions, including .edb, .ems, .eme, .emz, .key, and others. The same script is also capable of capturing screenshots and exfiltrating additional data over HTTP. Adversaries also take advantage of a series of malware persistence techniques via scheduled tasks, which poses a challenge for attack detection.
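As an added illustration of how the two stages described above (a batch launcher spawning PowerShell, then scheduled-task persistence) could be flagged in process-creation telemetry, here is a small detection pass over constructed events. This is example code written for this article, not a SOC Prime Sigma rule or anything from the CERT-UA alert; the field names follow the shape of a Sysmon process-creation record, and every command line and path is a constructed assumption rather than real telemetry from the campaign.

```python
import re

# Constructed sample events (assumption: Sysmon EventID 1 style fields).
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "ParentCommandLine": r'cmd.exe /c "C:\Users\victim\Downloads\Protector.bat"',
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -w hidden -File stage.ps1"},
    {"ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentCommandLine": "powershell.exe -w hidden -File stage.ps1",
     "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": 'schtasks.exe /create /sc minute /mo 5 /tn "Updater" '
                    '/tr "powershell.exe -w hidden -File C:\\Users\\Public\\stage.ps1"'},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "ParentCommandLine": "explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe notes.txt"},   # benign control event
]


def bat_spawns_powershell(ev):
    """Stage 1: a .bat file (the Protector.bat launcher) starting PowerShell."""
    return (ev["Image"].lower().endswith("powershell.exe")
            and re.search(r"\.bat\b", ev["ParentCommandLine"], re.I) is not None)


def schtasks_persists_powershell(ev):
    """Stage 2: schtasks.exe creating a task whose action runs PowerShell."""
    cl = ev["CommandLine"].lower()
    return (ev["Image"].lower().endswith("schtasks.exe")
            and "/create" in cl and "powershell" in cl)


def detect(events):
    """Return a list of (event index, rule name) for every matching event."""
    hits = []
    for i, ev in enumerate(events):
        if bat_spawns_powershell(ev):
            hits.append((i, "bat_spawns_powershell"))
        if schtasks_persists_powershell(ev):
            hits.append((i, "schtasks_persists_powershell"))
    return hits


if __name__ == "__main__":
    for idx, rule in detect(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
```

Both rules are deliberately narrow; in production they would be tuned against the environment's legitimate batch-driven PowerShell and task-creation activity.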
Cooperation with CERT Polska and CSIRT MON enabled cyber defenders to discover similar phishing web resources posing as official web pages of Ukrainian and Polish government entities, including the Ministry of Foreign Affairs of Ukraine, the Security Service of Ukraine (SBU) and the Polish Police. Notably, in June 2022, a similar phishing webpage impersonated the user interface of the mail service of the Ministry of Defense of Ukraine.
The malicious activity is being tracked as UAC-0114, attributed to the Winter Vivern hacker collective. Adversary TTPs exploited in these phishing campaigns are fairly common, including the use of PowerShell scripts and lure email subject lines related to malware scanning. It is also very likely that the aforementioned hacking group includes Russian-speaking members, as one of the malware samples used, the APERETIF software, includes a line of code typical of Russian-affiliated adversary behavior patterns.
Detection of malicious activity of UAC-0114 covered in alert CERT-UA#5909
SOC Prime remains on the front lines helping Ukraine and its allies proactively defend against Russian-affiliated malicious activity. SOC Prime’s Detection-as-Code platform curates a batch of Sigma rules to help teams promptly identify the presence of malware related to the recent UAC-0114 group phishing campaign covered in the dedicated alert CERT-UA#5909. All detections are aligned with the MITRE ATT&CK® framework v12 and are compatible with industry-leading SIEM, EDR and XDR technologies.
Click on the Explore Detections button to access a complete list of Sigma rules to detect typical TTPs of the UAC-0114 group, which is behind the phishing attacks against Ukraine and Poland. To optimize content search, all detection algorithms are filtered using the corresponding custom tags “CERT-UA#5909” and “UAC-0114” based on the CERT-UA Group and Alert IDs. In addition, security engineers can drill down into relevant cyber threat context, including ATT&CK and CTI references, mitigations, and operational metadata, to facilitate their threat investigation.
To take full advantage of IOC-based threat hunting and save seconds on ad hoc manual tasks, security engineers can instantly generate IOC queries related to ongoing UAC-0114 threat actor attacks via Uncoder CTI. Paste file, host, or network IOCs from the related CERT-UA#5909 alert, create custom IOC queries on the fly, and you’re ready to search for related threats in your chosen SIEM or XDR environment.
MITRE ATT&CK Context
For detailed context behind the latest phishing campaign by the UAC-0114 group, aka Winter Vivern, all of the dedicated Sigma rules are mapped to the ATT&CK tactics and techniques they address:
UAC-0114 Group aka Winter Vivern Attack Detection: Hackers Launch Phishing Campaigns Targeting Government Entities of Ukraine and Poland