{"id":45548,"date":"2022-03-03T00:00:00","date_gmt":"2022-03-03T00:00:00","guid":{"rendered":"urn:uuid:3ef5c937-8649-597f-9270-0ba9893a6eef"},"modified":"2022-03-03T00:00:00","modified_gmt":"2022-03-03T00:00:00","slug":"cyberattacks-are-prominent-in-the-russia-ukraine-conflict","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/cyberattacks-are-prominent-in-the-russia-ukraine-conflict\/","title":{"rendered":"Cyberattacks are Prominent in the Russia-Ukraine Conflict"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/c\/cyberattacks-are-prominent-in-the-russia-ukraine-conflict\/Main-Ukraine-Russia-conflic.jpg\"><\/p>\n<div><img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/c\/cyberattacks-are-prominent-in-the-russia-ukraine-conflict\/Main-Ukraine-Russia-conflic.jpg\" class=\"ff-og-image-inserted\"><\/div>\n<div readability=\"45.859223300971\">\n<div readability=\"38.053398058252\">\n<p>The Conti intrusion set, which Trend Micro tracks under the moniker Water Goblin, has remained active despite other well-established ransomware groups shutting down in the wake of government sanctions. We also observed a spike in the volume of activity for the BazarLoader malware \u2014 a key enabler for Conti attacks \u2014 since early February 2022.&nbsp;<\/p>\n<p><span class=\"body-subhead-title\">Conti chat logs leaked&nbsp;<\/span><\/p>\n<p>Meanwhile, external sources have reported on the chats of Conti operators being leaked by a Ukrainian security researcher who had access to the back end of Conti&#8217;s XMPP chat server. 
Trend Micro Research extracted the logs and found some artifacts that can be used to map some indicators of compromise (IOCs), which we list in a later section of this blog.&nbsp;<\/p>\n<p>The messages, which included ransom negotiations and Bitcoin addresses, can be used by security companies and law enforcement to identify the attack techniques and tools used by the Conti gang.&nbsp;<\/p>\n<p>Conti\u2019s onion site (contirec7nchr45rx6ympez5rjldibnqzh7lsa56lvjvaeywhvoj3wad.onion) is also currently active. Based on this, we identified some recent Conti files as Ransom.Win32.CONTI.SMYXBLD.&nbsp;<\/p>\n<p><span class=\"body-subhead-title\">Stormous gang supports Russia<\/span><\/p>\n<p>We are seeing some encouraging malicious deeds against both Ukrainians and Russians, but some groups do choose to stand behind only one. The Stormous ransomware gang, known for website defacement and information theft, represents itself as a group of Arabic-speaking hackers. The group has been active since 2021, and recently it officially announced its support for the Russian government and its intention to <a href=\"https:\/\/twitter.com\/Cyberknow20\/status\/1498434090206314498\" target=\"_blank\" rel=\"noopener\">target Ukrainian government institutions<\/a> such as the Ukrainian foreign ministry.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div readability=\"37\">\n<div readability=\"19\">\n<p>Upon analyzing a sample of the malware from the group, we found that after infiltration, the malware enables the actor to access and deploy different custom payloads to the affected server via remote upload and open-source resources like Pastebin. Its capabilities, which include dropping malware, encryption, and sending a ransom note, can be hard to identify since the actor can modify&nbsp; encryption and decryption keys, as well as copy ransom messages in the wild. 
Additionally, since the actor\u2019s backdoor or ransomware is PHP-based, it can be modified on the fly with minimal effort.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div readability=\"38\">\n<div readability=\"21\">\n<p><span class=\"body-subhead-title\">Other notable findings&nbsp;<\/span><\/p>\n<p>In addition, the Emotet botnets (Epochs 4 and 5) have remained highly active since Emotet\u2019s resurgence in November 2021, with a few sporadic periods of inactivity. Both families continue to actively drop Cobalt Strike beacons.&nbsp;<\/p>\n<p>Both BazarLoader and Emotet continue to drop Cobalt Strike beacons as part of their second stage infections. With respect to Conti, we are tracking the regular deployment of new command-and-control (C&amp;C) infrastructure for Cobalt Strike command beacons. It\u2019s worth noting that we have not yet observed a Conti attack following an Emotet infection since November 2021.&nbsp;<\/p>\n<p>We also have a snapshot of malicious activity showing how some actors may be trying to capitalize on the crisis. We compared our January and February data and saw that malicious URLs and emails trying to lure users with the subject of \u201cUkraine\u201d increased steeply in the latter part of February.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div readability=\"35\">\n<div readability=\"15\">\n<p><span class=\"body-subhead-title\">Ukraine-related spam emails&nbsp;<\/span><\/p>\n<p>We are seeing new scams and variants of older threats appear daily. Using our honeypot, we also found Ukraine-related spam emails that aim to take advantage of the situation via donations and other scams. These spam emails also drop the Ave Maria malware. 
We provide IOCs in the relevant section of this blog.<\/p>\n<p>We provide some examples here via the following screenshots:<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div readability=\"35.044871794872\">\n<div readability=\"15.794871794872\">\n<p>Trend Micro continues to actively find and detect these threats before they can inflict damage on our customers.<\/p>\n<p><span class=\"body-subhead-title\">Analyzing reports from CERT-UA<\/span><\/p>\n<p>Reports from outside Trend Micro have provided valuable insights into the alleged cyberattacks. In particular, the Computer Emergency Response Team of Ukraine or <a href=\"https:\/\/cert.gov.ua\/\" target=\"_blank\" rel=\"noopener\">CERT-UA<\/a> released important details on the attacks launched against Ukrainian targets. Our own threat researchers have also analyzed and investigated the latest information. Below is a timeline of significant attacks recorded by CERT-UA.&nbsp;&nbsp;<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div readability=\"42.427167113494\">\n<div readability=\"31.820375335121\">\n<p>Hostile activities in cyberspace are likely to increase as tension increases. Cyberattacks aimed at Ukraine might also inadvertently extend to other countries and unsuspecting targets might experience ricochets of attacks, similar to <a href=\"https:\/\/blog.trendmicro.co.jp\/archives\/24285\" target=\"_blank\" rel=\"noopener\">stray bullets<\/a>. 
Therefore, it is important for everyone \u2014 regardless of geographical location \u2014 to be aware of incidents occurring in Ukraine.&nbsp;<\/p>\n<p>The following sections provide both an analysis and an evaluation, conducted by Trend Micro, of three cyberattacks reported by CERT-UA.<\/p>\n<p><span class=\"body-subhead-title\">Cyberattack using WhisperGate<\/span><\/p>\n<p>CERT-UA <a href=\"https:\/\/cert.gov.ua\/article\/18101\" target=\"_blank\" rel=\"noopener\">reported<\/a> that between January 13 and 14, 2022, approximately 70 Ukraine government agency websites were attacked, resulting in the modification of website content and system corruption. Supply chain attacks, OctoberCMS (a self-hosted content management system used by enterprises), and the <a href=\"https:\/\/blog.trendmicro.co.jp\/archives\/29441\" target=\"_blank\" rel=\"noopener\">Log4j vulnerability<\/a> are suspected to be the points of entry.<\/p>\n<p>Some of these attacks involved system corruption by malware. The diagram in Figure 8 illustrates the infection chain of the malware observed in the attack. We list the malware names as identified by CERT-UA here.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div readability=\"33\">\n<div readability=\"11\">\n<ul>\n<li><span class=\"rte-red-bullet\">BootPatch: This malware destroys the Master Boot Record (MBR) to make computers unbootable.<\/span><\/li>\n<li><span class=\"rte-red-bullet\">WhisperGate: This malware downloads and executes additional payload from the C&amp;C server constructed on Discord.&nbsp;<\/span><\/li>\n<li><span class=\"rte-red-bullet\">WhisperKill: This malware, downloaded by WhisperGate, destroys files with specific extensions.<\/span><\/li>\n<\/ul>\n<p>WhisperKill is designed to destroy and rename files in connected drives that match the file extensions shown in Figure 9. It then terminates and removes itself. 
WhisperKill enumerates drives A to Z and destroys files on drives that are either Type 3 (DRIVE_FIXED) or 4 (DRIVE_REMOTE), as shown in Figure 10.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div readability=\"42.165048543689\">\n<div readability=\"30.398058252427\">\n<p>On February 24, there were also <a href=\"https:\/\/mobile.twitter.com\/ESETresearch\/status\/1496581916367151115\" target=\"_blank\" rel=\"noopener\">reports<\/a> of another, more sophisticated wiper malware with the ability to destroy the MBR and files on drives. The malware is called HermeticWiper (also known as FoxBlade).<\/p>\n<p><span class=\"body-subhead-title\">Cyberattacks using SaintBot&nbsp;<\/span><\/p>\n<p>In January 2022, there were <a href=\"https:\/\/cert.gov.ua\/article\/18273\" target=\"_blank\" rel=\"noopener\">reports<\/a> of a series of cyberattacks that started from spear-phishing emails disguised as messages from the National Healthcare Service of Ukraine. The emails carried a document and two shortcut files as attachments; one of the shortcut files downloads and executes the OutSteel malware using PowerShell. The OutSteel malware then downloads and executes the SaintBot malware. In February 2022, spear-phishing emails aiming to distribute the SaintBot malware disguised as messages from the Ukraine Police were also <a href=\"https:\/\/cert.gov.ua\/article\/18419\" target=\"_blank\" rel=\"noopener\">reported<\/a>.&nbsp;<\/p>\n<p>The SaintBot malware is designed to be inactive when the Language Code Identifier (LCID) of the infected device corresponds to Russia, Ukraine, Belarus, Armenia, Kazakhstan, or Moldova (as seen in Figure 11). 
The intent behind this is unclear, and the inclusion of Ukraine might be a mistake considering that the spear-phishing emails are clearly targeting Ukraine.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div readability=\"33.5\">\n<div readability=\"12\">\n<p>This malware sample attempts to bypass user account control (UAC) by exploiting Fodhelper, which was introduced in Windows 10. By executing Fodhelper and adding a registry entry (shown in Figure 12), SaintBot is able to execute its own copy in a startup folder with administrative privileges.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div readability=\"43.378151260504\">\n<div readability=\"33.142857142857\">\n<p>Upon callback, SaintBot collects information from the infected computers, then encrypts and encodes the data with XOR and Base64. The data is appended to a prefix and sent to the C&amp;C server with a POST request.<\/p>\n<p>This malware sample holds the following C&amp;C servers:<\/p>\n<ul>\n<li><span class=\"rte-red-bullet\">hxxp:\/\/8003659902[.]space\/wp-adm\/gate.php&nbsp;<\/span><\/li>\n<li><span class=\"rte-red-bullet\">hxxp:\/\/smm2021[.]net\/wp-adm\/gate.php&nbsp;<\/span><\/li>\n<li><span class=\"rte-red-bullet\">hxxp:\/\/8003659902[.]site\/wp-adm\/gate.php<\/span><\/li>\n<\/ul>\n<p><span class=\"body-subhead-title\">Cyberattack conducted by Gamaredon<\/span><\/p>\n<p>Gamaredon is a threat actor said to be active since 2013. In March 2020, attacks were observed in Japan and were considered stray bullets. In November 2021, the Security Service of Ukraine made a <a href=\"https:\/\/ssu.gov.ua\/en\/novyny\/sbu-vstanovyla-khakeriv-fsb-yaki-zdiisnyly-ponad-5-tys-kiberatak-na-derzhavni-orhany-ukrainy\" target=\"_blank\" rel=\"noopener\">public announcement<\/a> that attributed Gamaredon to the Federal Security Service of the Russian Federation (FSB). 
The Security Service of Ukraine also <a href=\"https:\/\/www.youtube.com\/watch?v=Rci5xiyMv7k\" target=\"_blank\" rel=\"noopener\">published<\/a> details of attack methodologies and a wiretapped voice recording. Trend Micro observed similar attack methodologies.&nbsp;<\/p>\n<p>Attacks start from spear-phishing emails with document files that trigger remote template injection. In a cyberattack <a href=\"https:\/\/cert.gov.ua\/article\/18365\" target=\"_blank\" rel=\"noopener\">observed<\/a> on February 1, 2022, a document template was downloaded that included an obfuscated malicious macro. The macro stealthily opens a document (~~AddFromString) where the \u201cVZ01\u201d function is executed (Application.Run &#8220;VZ01&#8221;), then closes it. This is illustrated in Figure 13.&nbsp;<\/p>\n<p>This method, where a malicious macro is inserted into another document, was observed in a past incident said to be conducted by Gamaredon.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div readability=\"52.219251336898\">\n<div readability=\"49.732620320856\">\n<p>The decoded and inserted macro drops a VBScript at %APPDATA%:define (an alternate data stream, ADS), and then a scheduled task to execute the script is registered. This script downloads and executes an additional payload from the C&amp;C server, similar to other attacks observed. The callback contains an infected PC ID in the User-Agent header, which is disguised as that of a Yandex browser.<\/p>\n<p>The following is the URL where the additional payload is requested:<\/p>\n<ul>\n<li>hxxp:\/\/&lt;IP address of deep.deserts.coagula[.]online&gt;\/barefooted.cfg&lt;Current Time + 1 second&gt; (e.g. 
hxxp:\/\/10.172.0[.]3\/barefooted.cfg2022\/02\/03%2020:49:31)<\/li>\n<\/ul>\n<p>If the response content size is over 16,965 bytes, the downloaded content is stored as \u201c%USERPROFILE%\\Downloads\\demand.exe.tmp\u201d and is executed after being renamed to \u201c%USERPROFILE%\\Downloads\\demand.exe\u201d.<\/p>\n<p>For specific mitigation measures against the cyberattacks listed previously, see our post <a href=\"https:\/\/blog.trendmicro.co.jp\/archives\/30466\" target=\"_blank\" rel=\"noopener\">here<\/a>.<\/p>\n<p><span class=\"body-subhead-title\">Security recommendations and best practices<\/span><\/p>\n<p>Malicious activity continues to spread, and actors are using new tools and tricks to lure victims. In this section, we discuss mitigation measures to help prepare for a broad range of attacks:<\/p>\n<ul>\n<li><span class=\"rte-red-bullet\">Avoid exposing infrastructure to the internet unless necessary.<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Ensure that multifactor authentication (MFA) is enabled for all accounts, not just the important ones.<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Ensure the timely deployment of patches, prioritizing internet-facing infrastructure and sensitive systems such as domain controllers.<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Immediately activate incident response measures if there are red flags that indicate BazarLoader, Emotet, and Cobalt Strike activity.<\/span><\/li>\n<\/ul>\n<p>For more guidance on how to manage cyber risks, please see our earlier blog post <a href=\"https:\/\/www.trendmicro.com\/en_ca\/ciso\/22\/b\/global-cyberattacks-cyber-risk.html\" target=\"_blank\" rel=\"noopener\">here<\/a>.<\/p>\n<p><span class=\"body-subhead-title\">Conclusion<\/span><\/p>\n<p>In these tense circumstances, information is sent from conflicting viewpoints. 
Additionally, even if the same facts are reported correctly, impressions delivered might vary due to a difference in perspectives.&nbsp;<\/p>\n<p>It is also worth noting that the issuance of false information is always a possibility \u2014 whether or not this is done intentionally. As a result of such information, unnecessary confusion and further division might ensue. The following are some measures that our researchers take in order to understand information as correctly as possible:<\/p>\n<ul>\n<li><span class=\"rte-red-bullet\">Be aware of the possibility of having assumptions (biases) and mistakes within the truth that we believe.&nbsp;<br \/><\/span><\/li>\n<li><span class=\"rte-red-bullet\">Be aware that we might be at the center of propaganda.<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Recognize that there is no such thing as a completely neutral and impartial source of information.<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Distinguish between \u201cfacts\u201d and \u201copinions\u201d or \u201cassumptions\u201d within information.<\/span><\/li>\n<li><span class=\"rte-red-bullet\">When possible, trace the primary source of important information. 
One way to do this would be to check the source of quoted articles and review their full content and the context of their statements.<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Refer to a reliable source of information, such as articles reviewed by multiple experts before release, as well as articles written by specialists.<\/span><\/li>\n<\/ul>\n<p>For a full list of IOCs, please download this <a href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/c\/cyberattacks-are-prominent-in-the-russia-ukraine-conflict\/IOC%20Resource%20for%20Russia-Ukraine%20Conflict-Related%20Cyberattacks-03032022.pdf\" target=\"_blank\" rel=\"noopener\">document<\/a>.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<p>Read More <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/22\/c\/cyberattacks-are-prominent-in-the-russia-ukraine-conflict.html\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Alongside the physical conflict happening between Russia and Ukraine, there have also been an increasing number of alleged cyberattacks perpetrated by different groups.<br \/>\nOur research teams have verified and validated internal data and external reports to provide accurate information that can be used to strengthen defenses against these attacks. We will continuously update this blog with validated threats as more events unfold. 
Read More HERE&#8230;<\/p>\n","protected":false},"author":2,"featured_media":45549,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[61],"tags":[9510,9511,9508,9513,9577,9539,9516],"class_list":["post-45548","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-trendmicro","tag-trend-micro-research-articles-news-reports","tag-trend-micro-research-cyber-threats","tag-trend-micro-research-endpoints","tag-trend-micro-research-malware","tag-trend-micro-research-phishing","tag-trend-micro-research-ransomware","tag-trend-micro-research-reports"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.4 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Cyberattacks are Prominent in the Russia-Ukraine Conflict 2026 | ThreatsHub Cybersecurity News<\/title>\n<meta name=\"description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.threatshub.org\/blog\/cyberattacks-are-prominent-in-the-russia-ukraine-conflict\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Cyberattacks are Prominent in the Russia-Ukraine Conflict 2026 | ThreatsHub Cybersecurity News\" \/>\n<meta property=\"og:description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.threatshub.org\/blog\/cyberattacks-are-prominent-in-the-russia-ukraine-conflict\/\" \/>\n<meta property=\"og:site_name\" content=\"ThreatsHub Cybersecurity News\" \/>\n<meta property=\"article:published_time\" content=\"2022-03-03T00:00:00+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/c\/cyberattacks-are-prominent-in-the-russia-ukraine-conflict\/Main-Ukraine-Russia-conflic.jpg\" \/>\n<meta name=\"author\" content=\"TH Author\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@threatshub\" \/>\n<meta name=\"twitter:site\" content=\"@threatshub\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"TH Author\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"9 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/cyberattacks-are-prominent-in-the-russia-ukraine-conflict\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/cyberattacks-are-prominent-in-the-russia-ukraine-conflict\\\/\"},\"author\":{\"name\":\"TH Author\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\"},\"headline\":\"Cyberattacks are Prominent in the Russia-Ukraine 
Conflict\",\"datePublished\":\"2022-03-03T00:00:00+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/cyberattacks-are-prominent-in-the-russia-ukraine-conflict\\\/\"},\"wordCount\":1801,\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/cyberattacks-are-prominent-in-the-russia-ukraine-conflict\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2022\\\/03\\\/cyberattacks-are-prominent-in-the-russia-ukraine-conflict.jpg\",\"keywords\":[\"Trend Micro Research : Articles, News, Reports\",\"Trend Micro Research : Cyber Threats\",\"Trend Micro Research : Endpoints\",\"Trend Micro Research : Malware\",\"Trend Micro Research : Phishing\",\"Trend Micro Research : Ransomware\",\"Trend Micro Research : Reports\"],\"articleSection\":[\"TrendMicro\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/cyberattacks-are-prominent-in-the-russia-ukraine-conflict\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/cyberattacks-are-prominent-in-the-russia-ukraine-conflict\\\/\",\"name\":\"Cyberattacks are Prominent in the Russia-Ukraine Conflict 2026 | ThreatsHub Cybersecurity News\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/cyberattacks-are-prominent-in-the-russia-ukraine-conflict\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/cyberattacks-are-prominent-in-the-russia-ukraine-conflict\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2022\\\/03\\\/cyberattacks-are-prominent-in-the-russia-ukraine-conflict.jpg\",\"datePublished\":\"2022-03-03T00:00:00+00:00\",\"description\":\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud 
Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/cyberattacks-are-prominent-in-the-russia-ukraine-conflict\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/cyberattacks-are-prominent-in-the-russia-ukraine-conflict\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/cyberattacks-are-prominent-in-the-russia-ukraine-conflict\\\/#primaryimage\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2022\\\/03\\\/cyberattacks-are-prominent-in-the-russia-ukraine-conflict.jpg\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2022\\\/03\\\/cyberattacks-are-prominent-in-the-russia-ukraine-conflict.jpg\",\"width\":641,\"height\":350},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/cyberattacks-are-prominent-in-the-russia-ukraine-conflict\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Trend Micro Research : Articles, News, Reports\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/tag\\\/trend-micro-research-articles-news-reports\\\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Cyberattacks are Prominent in the Russia-Ukraine Conflict\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"name\":\"ThreatsHub Cybersecurity News\",\"description\":\"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report 
\u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"alternateName\":\"Threatshub.org\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\",\"name\":\"ThreatsHub.org\",\"alternateName\":\"Threatshub.org\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"width\":432,\"height\":435,\"caption\":\"ThreatsHub.org\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/x.com\\\/threatshub\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\",\"name\":\"TH 
Author\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"caption\":\"TH Author\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Cyberattacks are Prominent in the Russia-Ukraine Conflict 2026 | ThreatsHub Cybersecurity News","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.threatshub.org\/blog\/cyberattacks-are-prominent-in-the-russia-ukraine-conflict\/","og_locale":"en_US","og_type":"article","og_title":"Cyberattacks are Prominent in the Russia-Ukraine Conflict 2026 | ThreatsHub Cybersecurity News","og_description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.","og_url":"https:\/\/www.threatshub.org\/blog\/cyberattacks-are-prominent-in-the-russia-ukraine-conflict\/","og_site_name":"ThreatsHub Cybersecurity News","article_published_time":"2022-03-03T00:00:00+00:00","og_image":[{"url":"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/c\/cyberattacks-are-prominent-in-the-russia-ukraine-conflict\/Main-Ukraine-Russia-conflic.jpg","type":"","width":"","height":""}],"author":"TH Author","twitter_card":"summary_large_image","twitter_creator":"@threatshub","twitter_site":"@threatshub","twitter_misc":{"Written by":"TH Author","Est. reading time":"9 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.threatshub.org\/blog\/cyberattacks-are-prominent-in-the-russia-ukraine-conflict\/#article","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/cyberattacks-are-prominent-in-the-russia-ukraine-conflict\/"},"author":{"name":"TH Author","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476"},"headline":"Cyberattacks are Prominent in the Russia-Ukraine Conflict","datePublished":"2022-03-03T00:00:00+00:00","mainEntityOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/cyberattacks-are-prominent-in-the-russia-ukraine-conflict\/"},"wordCount":1801,"publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/cyberattacks-are-prominent-in-the-russia-ukraine-conflict\/#primaryimage"},"thumbnailUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2022\/03\/cyberattacks-are-prominent-in-the-russia-ukraine-conflict.jpg","keywords":["Trend Micro Research : Articles, News, Reports","Trend Micro Research : Cyber Threats","Trend Micro Research : Endpoints","Trend Micro Research : Malware","Trend Micro Research : Phishing","Trend Micro Research : Ransomware","Trend Micro Research : 
Reports"],"articleSection":["TrendMicro"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.threatshub.org\/blog\/cyberattacks-are-prominent-in-the-russia-ukraine-conflict\/","url":"https:\/\/www.threatshub.org\/blog\/cyberattacks-are-prominent-in-the-russia-ukraine-conflict\/","name":"Cyberattacks are Prominent in the Russia-Ukraine Conflict 2026 | ThreatsHub Cybersecurity News","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/cyberattacks-are-prominent-in-the-russia-ukraine-conflict\/#primaryimage"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/cyberattacks-are-prominent-in-the-russia-ukraine-conflict\/#primaryimage"},"thumbnailUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2022\/03\/cyberattacks-are-prominent-in-the-russia-ukraine-conflict.jpg","datePublished":"2022-03-03T00:00:00+00:00","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.","breadcrumb":{"@id":"https:\/\/www.threatshub.org\/blog\/cyberattacks-are-prominent-in-the-russia-ukraine-conflict\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.threatshub.org\/blog\/cyberattacks-are-prominent-in-the-russia-ukraine-conflict\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/cyberattacks-are-prominent-in-the-russia-ukraine-conflict\/#primaryimage","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2022\/03\/cyberattacks-are-prominent-in-the-russia-ukraine-conflict.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2022\/03\/cyberattacks-are-prominent-in-the-russia-ukraine-conflict.jpg","width":641,"height":350},{"@type":"BreadcrumbList","@id":"https:\/\/www.threatshub.org\/blog\/cyberattacks-are-prominent-in-the-russia-ukraine-conflict\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.threatshub.org\/blog\/"},{"@type":"ListItem","position":2,"name":"Trend Micro Research : Articles, News, Reports","item":"https:\/\/www.threatshub.org\/blog\/tag\/trend-micro-research-articles-news-reports\/"},{"@type":"ListItem","position":3,"name":"Cyberattacks are Prominent in the Russia-Ukraine Conflict"}]},{"@type":"WebSite","@id":"https:\/\/www.threatshub.org\/blog\/#website","url":"https:\/\/www.threatshub.org\/blog\/","name":"ThreatsHub Cybersecurity News","description":"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC 
Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform","publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"alternateName":"Threatshub.org","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.threatshub.org\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.threatshub.org\/blog\/#organization","name":"ThreatsHub.org","alternateName":"Threatshub.org","url":"https:\/\/www.threatshub.org\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","width":432,"height":435,"caption":"ThreatsHub.org"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/threatshub"]},{"@type":"Person","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476","name":"TH Author","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","caption":"TH 
Author"}}]}},"_links":{"self":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/45548","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/comments?post=45548"}],"version-history":[{"count":0,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/45548\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media\/45549"}],"wp:attachment":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media?parent=45548"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/categories?post=45548"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/tags?post=45548"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}