NotPetya and WannaCry may have grabbed the headlines over the last few months, but ESET points out in a recent report that Ukraine has been under siege for far longer by a group dubbed TeleBots, which has run a series of damaging attacks against organizations in that country.
TeleBots first appeared in December 2016, when ESET spotted the group hitting Ukrainian financial institutions and critical infrastructure with a Linux version of the KillDisk malware. In those cases the malware simply overwrote the files on infected machines, indicating a straightforward destructive attack rather than a ransomware scenario. A second wave that month did include a ransom note demanding 222 bitcoins (about $250,000), but ESET concluded that the ransom angle was not serious and that this too was a direct, destructive attack.
TeleBots not only kept attacking in 2017 but entered a new phase with a more sophisticated model, adding two pieces of ransomware and updated versions of its earlier tools. These were used in attacks on a Ukrainian software company and again when the group gained entry into several financial institutions through VPN tunnels.
Among the tools used frequently in these attacks were two backdoors: Python/TeleBot.A and a second written in VBScript and packaged with the script2exe program. Other components were the password stealer CredRaptor and the credential stealer Plainpwd, used alongside the legitimate Sysinternals PsExec utility, which the attackers rely on to move the ransomware laterally from one system to another.
Taken together, these changes and additions have expanded TeleBots' attack capability. The evolution of its tools and tactics has moved the group away from depending on phishing emails with malicious attachments to compromise an organization and toward supply-chain attacks. It has also broadened the group's target base, supplementing its historical focus on financial institutions with other types of business.