Researchers believe hackers from the breakaway Luhansk People's Republic (LPR) may be behind a spear phishing-based malware campaign that's been actively targeting the Ukrainian government.
The researchers, from FireEye, disclosed their assessment following their investigation into a malware-laced email that they were able to tie back to a 2018 phishing campaign designed to to deliver custom cyber espionage malware called RATVERMIN, aka Vermin. But based on an analysis of malware compilation times and domain resolutions, the group behind these attacks may have been active since as far back as 2014.
Though not officially recognized as its own state, the LPR declared independence from Ukraine in the aftermath of the 2014 Ukrainian revolution, and remains in conflict with Kiev.
In a blog post published today, FireEye reports that the offending email, sent on Jan. 22, impersonated the UK-based defense manufacturer Armtrac. The supposed sender, who identifies himself as executive manager Alex Gallil, references potential business opportunities related to demining activities, ammunition recycling, a border surveillance system and more.
The email included an 7-Zip attachment with three files: two innocuous Armtrac documents and a malicious LNK file impersonating a PDF document. The malicious file executes a PowerShell script that downloads a second-stage payload.
Although the researchers were unable to identify the payload, they were able to link the campaign to past activity. For starters, the C2 domain that was used to store the downloaded payload was registered using an email associated with 21 other domains that appear to be impersonate legitimate Ukrainian websites such as news portals and political and business sites. Moreover, a 22nd domain was linked to the official website for LPR's Ministry of State Security.
FireEye researchers also connected the email to a similar campaign in 2018, which used EXE and RAR files to deliver malware such as the open-source QUASARRAT (aka Quasar) as well as RATVERMIN. The latter, which is used exclusively by one threat group, is a Microsoft .NET-based custom program that's composed of largely original code.
In a Jan. 29, 2018 blog post, Palo Alto Networks' Unit 42 threat research group noted that RATVERMIN was being used against Ukrainian targets, and was capable of such functionality as keylogging; capturing screen images and audio; and manipulating, deleting and downloading files.
"This actor has likely been active since at least 2014, and its continuous targeting of the Ukrainian Government suggests a cyber espionage motivation. This is supported by the ties to the so-called LPR's security service," states the FireEye blog post, jointly written by researchers John Hultquist, Ben Read, Oleg Bondarenko and Chi-en Shen. "While more evidence is needed for definitive attribution, this activity showcases the accessibility of competent cyber espionage capabilities, even to sub-state actors. While this specific group is primarily a threat to Ukraine, nascent threats to Ukraine have previously become international concerns and bear monitoring."
