Login
In 2021, the exclusive Russian cybercrime forum Mazafaka was hacked. The leaked user database shows one of the forum’s founders was an attorney who advised Russia’s top hackers on the legal risks of their work, and what to do if they got caught. A review of this user’s hacker identities shows that during his time on the forums he served as an officer in the special forces of the GRU, the foreign military intelligence agency of the Russian Federation.
Launched in 2001 under the tagline “Network terrorism,” Mazafaka would evolve into one of the most guarded Russian-language cybercrime communities. The forum’s member roster included a Who’s Who of top Russian cybercriminals, and it featured sub-forums for a wide range of cybercrime specialities, including malware, spam, coding and identity theft.
One representation of the leaked Mazafaka database.
In almost any database leak, the first accounts listed are usually the administrators and early core members. But the Mazafaka user information posted online was not a database file per se, and it was clearly edited, redacted and restructured by whoever released it. As a result, it can be difficult to tell which members are the earliest users.
The original Mazafaka is known to have been launched by a hacker using the nickname “Stalker.” However, the lowest numbered (non-admin) user ID in the Mazafaka database belongs to another individual who used the handle “Djamix,” and the email address djamix@mazafaka[.]ru.
From the forum’s inception until around 2008, Djamix was one of its most active and eloquent contributors. Djamix told forum members he was a lawyer, and nearly all of his posts included legal analyses of various public cases involving hackers arrested and charged with cybercrimes in Russia and abroad.
“Hiding with purely technical parameters will not help in a serious matter,” Djamix advised Maza members in September 2007. “In order to ESCAPE the law, you need to KNOW the law. This is the most important thing. Technical capabilities cannot overcome intelligence and cunning.”
Stalker himself credited Djamix with keeping Mazafaka online for so many years. In a retrospective post published to Livejournal in 2014 titled, “Mazafaka, from conception to the present day,” Stalker said Djamix had become a core member of the community.
“This guy is everywhere,” Stalker said of Djamix. “There’s not a thing on [Mazafaka] that he doesn’t take part in. For me, he is a stimulus-irritant and thanks to him, Maza is still alive. Our rallying force!”
Djamix told other forum denizens he was a licensed attorney who could be hired for remote or in-person consultations, and his posts on Mazafaka and other Russian boards show several hackers facing legal jeopardy likely took him up on this offer.
“I have the right to represent your interests in court,” Djamix said on the Russian-language cybercrime forum Verified in Jan. 2011. “Remotely (in the form of constant support and consultations), or in person – this is discussed separately. As well as the cost of my services.”
A search on djamix@mazafaka[.]ru at DomainTools.com reveals this address has been used to register at least 10 domain names since 2008. Those include several websites about life in and around Sochi, Russia, the site of the 2014 Winter Olympics, as well as a nearby coastal town called Adler. All of those sites say they were registered to an Aleksei Safronov from Sochi who also lists Adler as a hometown.
The breach tracking service Constella Intelligence finds that the phone number associated with those domains — +7.9676442212 — is tied to a Facebook account for an Aleksei Valerievich Safronov from Sochi. Mr. Safronov’s Facebook profile, which was last updated in October 2022, says his ICQ instant messenger number is 53765. This is the same ICQ number assigned to Djamix in the Mazafaka user database.
The Facebook account for Aleksey Safronov.
A “Djamix” account on the forum privetsochi[.]ru (“Hello Sochi”) says this user was born Oct. 2, 1970, and that his website is uposter[.]ru. This Russian language news site’s tagline is, “We Create Communication,” and it focuses heavily on news about Sochi, Adler, Russia and the war in Ukraine, with a strong pro-Kremlin bent.
Safronov’s Facebook profile also gives his Skype username as “Djamixadler,” and it includes dozens of photos of him dressed in military fatigues along with a regiment of soldiers deploying in fairly remote areas of Russia. Some of those photos date back to 2008.
In several of the images, we can see a patch on the arm of Safronov’s jacket that bears the logo of the Spetsnaz GRU, a special forces unit of the Russian military. According to a 2020 report from the Congressional Research Service, the GRU operates both as an intelligence agency — collecting human, cyber, and signals intelligence — and as a military organization responsible for battlefield reconnaissance and the operation of Russia’s Spetsnaz military commando units.
Mr. Safronov posted this image of himself on Facebook in 2016. The insignia of the GRU can be seen on his sleeve.
“In recent years, reports have linked the GRU to some of Russia’s most aggressive and public intelligence operations,” the CRS report explains. “Reportedly, the GRU played a key role in Russia’s occupation of Ukraine’s Crimea region and invasion of eastern Ukraine, the attempted assassination of former Russian intelligence officer Sergei Skripal in the United Kingdom, interference in the 2016 U.S. presidential elections, disinformation and propaganda operations, and some of the world’s most damaging cyberattacks.”
According to the Russia-focused investigative news outlet Meduza, in 2014 the Russian Defense Ministry created its “information-operation troops” for action in “cyber-confrontations with potential adversaries.”
“Later, sources in the Defense Ministry explained that these new troops were meant to ‘disrupt the potential adversary’s information networks,'” Meduza reported in 2018. “Recruiters reportedly went looking for ‘hackers who have had problems with the law.'”
Mr. Safronov did not respond to multiple requests for comment. A 2018 treatise written by Aleksei Valerievich Safronov titled “One Hundred Years of GRU Military Intelligence” explains the significance of the bat in the seal of the GRU.
“One way or another, the bat is an emblem that unites all active and retired intelligence officers; it is a symbol of unity and exclusivity,” Safronov wrote. “And, in general, it doesn’t matter who we’re talking about – a secret GRU agent somewhere in the army or a sniper in any of the special forces brigades. They all did and are doing one very important and responsible thing.”
It’s unclear what role Mr. Safronov plays or played in the GRU, but it seems likely the military intelligence agency would have exploited his considerable technical skills, knowledge and connections on the Russian cybercrime forums.
Searching on Safronov’s domain uposter[.]ru in Constella Intelligence reveals that this domain was used in 2022 to register an account at a popular Spanish-language discussion forum dedicated to helping applicants prepare for a career in the Guardia Civil, one of Spain’s two national police forces. Pivoting on that Russian IP in Constella shows three other accounts were created at the same Spanish user forum around the same date.
Mark Rasch is a former cybercrime prosecutor for the U.S. Department of Justice who now serves as chief legal officer for the New York cybersecurity firm Unit 221B. Rasch said there has always been a close relationship between the GRU and the Russian hacker community, noting that in the early 2000s the GRU was soliciting hackers with the skills necessary to hack US banks in order to procure funds to help finance Russia’s war in Chechnya.
“The guy is heavily hooked into the Russian cyber community, and that’s useful for intelligence services,” Rasch said. “He could have been infiltrating the community to monitor it for the GRU. Or he could just be a guy wearing a military uniform.”
A story of how an analysis of a supposed game cheat turned into the discovery of a powerful UEFI threat
The post ESET Research Podcast: Finding the mythical BlackLotus bootkit appeared first on WeLiveSecurity
A view of the H1 2023 threat landscape as seen by ESET telemetry and from the perspective of ESET threat detection and research experts
The post ESET Threat Report H1 2023 appeared first on WeLiveSecurity
A brief summary of what happened with Emotet since its comeback in November 2021
The post What’s up with Emotet? appeared first on WeLiveSecurity
ESET researchers analyzed an updated version of Android GravityRAT spyware that steals WhatsApp backup files and can receive commands to delete files
The post Android GravityRAT goes after WhatsApp backups appeared first on WeLiveSecurity
A curious case of a threat actor at the border between crimeware and cyberespionage
The post Asylum Ambuscade: crimeware or cyberespionage? appeared first on WeLiveSecurity
ESET researchers reveal details about a prevalent cryptor, operating as a cryptor-as-a-service used by tens of malware families
The post Shedding light on AceCryptor and its operation appeared first on WeLiveSecurity
ESET researchers discover AhRat – a new Android RAT based on AhMyth – that exfiltrates files and records audio
The post Android app breaking bad: From legitimate screen recording to file exfiltration within a year appeared first on WeLiveSecurity
ESET Research uncovers a campaign by the APT group known as Evasive Panda targeting an international NGO in China with malware delivered through updates of popular Chinese software
The post Evasive Panda APT group delivers malware via updates for popular Chinese software appeared first on WeLiveSecurity
Similarities with newly discovered Linux malware used in Operation DreamJob corroborate the theory that the infamous North Korea-aligned group is behind the 3CX supply-chain attack
The post Linux malware strengthens links between Lazarus and the 3CX supply‑chain attack appeared first on WeLiveSecurity
When decommissioning their old hardware, many companies 'throw the baby out with the bathwater'
The post Discarded, not destroyed: Old routers reveal corporate secrets appeared first on WeLiveSecurity
ESET experts share their insights on the cyber-elements of the first year of the war in Ukraine and how a growing number of destructive malware variants tried to rip through critical Ukrainian systems
The post ESET Research Podcast: A year of fighting rockets, soldiers, and wipers in Ukraine appeared first on WeLiveSecurity
ESET researchers analyzed Android and Windows clippers that can tamper with instant messages and use OCR to steal cryptocurrency funds
The post Not‑so‑private messaging: Trojanized WhatsApp and Telegram apps go after cryptocurrency wallets appeared first on WeLiveSecurity
ESET Research uncovered a campaign by APT group Tick against a data-loss prevention company in East Asia and found a previously unreported tool used by the group
The post The slow Tick‑ing time bomb: Tick APT group compromise of a DLP software developer in East Asia appeared first on WeLiveSecurity
ESET researchers analyze a cyberespionage campaign that distributes CapraRAT backdoors through trojanized and supposedly secure Android messaging apps – but also exfiltrates sensitive information
The post Love scam or espionage? Transparent Tribe lures Indian and Pakistani officials appeared first on WeLiveSecurity
ESET researchers tease apart MQsTTang, a new backdoor used by Mustang Panda, which communicates via the MQTT protocol
The post MQsTTang: Mustang Panda’s latest backdoor treads new ground with Qt and MQTT appeared first on WeLiveSecurity
The first in-the-wild UEFI bootkit bypassing UEFI Secure Boot on fully updated UEFI systems is now a reality
The post BlackLotus UEFI bootkit: Myth confirmed appeared first on WeLiveSecurity
And that’s just the tip of the iceberg when it comes to the trends that defined the cyberthreat landscape in the final four months of 2022.
The post ESET Research Podcast: Ransomware trashed data, Android threats soared in T3 2022 appeared first on WeLiveSecurity
The targeted region, and overlap in behavior and code, suggest the tool is used by the infamous North Korea-aligned APT group
The post WinorDLL64: A backdoor from the vast Lazarus arsenal? appeared first on WeLiveSecurity
ESET researchers have identified a campaign using trojanized installers to deliver the FatalRAT malware, distributed via malicious websites linked in ads that appear in Google search results
The post These aren’t the apps you’re looking for: fake installers targeting Southeast and East Asia appeared first on WeLiveSecurity
ESET Research announces IPyIDA 2.0, a Python plugin integrating IPython and Jupyter Notebook into IDA
The post Introducing IPyIDA: A Python plugin for your reverse‑engineering toolkit appeared first on WeLiveSecurity
ESET researchers identified an active StrongPity campaign distributing a trojanized version of the Android Telegram app, presented as the Shagle app – a video-chat service that has no app version
The post StrongPity espionage campaign targeting Android users appeared first on WeLiveSecurity
ESET researchers discovered a spearphishing campaign targeting Japanese political entities a few weeks before the House of Councillors elections, and in the process uncovered a previously undescribed MirrorFace credential stealer
The post Unmasking MirrorFace: Operation LiberalFace targeting Japanese political entities appeared first on WeLiveSecurity
ESET researchers analyzed a supply-chain attack abusing an Israeli software developer to deploy Fantasy, Agrius’s new wiper, with victims including the diamond industry
The post Fantasy – a new Agrius wiper deployed through a supply‑chain attack appeared first on WeLiveSecurity
ESET researchers uncover Dolphin, a sophisticated backdoor extending the arsenal of the ScarCruft APT group
The post Who’s swimming in South Korean waters? Meet ScarCruft’s Dolphin appeared first on WeLiveSecurity
Malicious apps used in this active campaign exfiltrate contacts, SMS messages, recorded phone calls, and even chat messages from apps such as Signal, Viber, and Telegram
The post Bahamut cybermercenary group targets Android users with fake VPN apps appeared first on WeLiveSecurity
APT-C-50’s Domestic Kitten campaign continues, targeting Iranian citizens with a new version of the FurBall malware masquerading as an Android translation app
The post Domestic Kitten campaign spying on Iranian citizens with new FurBall malware appeared first on WeLiveSecurity
ESET researchers analyzed previously undocumented custom backdoors and cyberespionage tools deployed in Israel by the POLONIUM APT group
The post POLONIUM targets Israel with Creepy malware appeared first on WeLiveSecurity
ESET researchers have discovered Lazarus attacks against targets in the Netherlands and Belgium that use spearphishing emails connected to fake job offers
The post Amazon‑themed campaigns of Lazarus in the Netherlands and Belgium appeared first on WeLiveSecurity
ESET researchers have uncovered another tool in the already extensive arsenal of the SparklingGoblin APT group: a Linux variant of the SideWalk backdoor
The post You never walk alone: The SideWalk backdoor gets a Linux variant appeared first on WeLiveSecurity
Misconfigured remote access services continue to give bad actors an easy access path to company networks – here’s how you can minimize your exposure to attacks misusing Remote Desktop Protocol
The post RDP on the radar: An up‑close view of evolving remote access threats appeared first on WeLiveSecurity
Focused mostly on Asia, this new cyberespionage group uses undocumented tools, including steganographically extracting PowerShell payloads from PNG files
The post Worok: The big picture appeared first on WeLiveSecurity
Listen to Cameron Camp, Juraj Jánošík, and Filip Mazán discuss the use of machine learning in cybersecurity, followed by Cameron’s insights into the security of medical devices
The post ESET Research Podcast: Hot security topics at RSA or mostly hype? appeared first on WeLiveSecurity
Previously unknown macOS malware uses cloud storage as its C&C channel and to exfiltrate documents, keystrokes, and screen captures from compromised Macs
The post I see what you did there: A look at the CloudMensis macOS spyware appeared first on WeLiveSecurity
The U.S. Department of Justice (DOJ) recently revised its policy on charging violations of the Computer Fraud and Abuse Act (CFAA), a 1986 law that remains the primary statute by which federal prosecutors pursue cybercrime cases. The new guidelines state that prosecutors should avoid charging security researchers who operate in “good faith” when finding and reporting vulnerabilities. But legal experts continue to advise researchers to proceed with caution, noting the new guidelines can’t be used as a defense in court, nor are they any kind of shield against civil prosecution.
In a statement about the changes, Deputy Attorney General Lisa O. Monaco said the DOJ “has never been interested in prosecuting good-faith computer security research as a crime,” and that the new guidelines “promote cybersecurity by providing clarity for good-faith security researchers who root out vulnerabilities for the common good.”
What constitutes “good faith security research?” The DOJ’s new policy (PDF) borrows language from a Library of Congress rulemaking (PDF) on the Digital Millennium Copyright Act (DMCA), a similarly controversial law that criminalizes production and dissemination of technologies or services designed to circumvent measures that control access to copyrighted works. According to the government, good faith security research means:
“…accessing a computer solely for purposes of good-faith testing, investigation, and/or correction of a security flaw or vulnerability, where such activity is carried out in a manner designed to avoid any harm to individuals or the public, and where the information derived from the activity is used primarily to promote the security or safety of the class of devices, machines, or online services to which the accessed computer belongs, or those who use such devices, machines, or online services.”
“Security research not conducted in good faith — for example, for the purpose of discovering security holes in devices, machines, or services in order to extort the owners of such devices, machines, or services — might be called ‘research,’ but is not in good faith.”
The new DOJ policy comes in response to a Supreme Court ruling last year in Van Buren v. United States (PDF), a case involving a former police sergeant in Florida who was convicted of CFAA violations after a friend paid him to use police resources to look up information on a private citizen.
But in an opinion authored by Justice Amy Coney Barrett, the Supreme Court held that the CFAA does not apply to a person who obtains electronic information that they are otherwise authorized to access and then misuses that information.
Orin Kerr, a law professor at University of California, Berkeley, said the DOJ’s updated policy was expected given the Supreme Court ruling in the Van Buren case. Kerr noted that while the new policy says one measure of “good faith” involves researchers taking steps to prevent harm to third parties, what exactly those steps might constitute is another matter.
“The DOJ is making clear they’re not going to prosecute good faith security researchers, but be really careful before you rely on that,” Kerr said. “First, because you could still get sued [civilly, by the party to whom the vulnerability is being reported], but also the line as to what is legitimate security research and what isn’t is still murky.”
Kerr said the new policy also gives CFAA defendants no additional cause for action.
“A lawyer for the defendant can make the pitch that something is good faith security research, but it’s not enforceable,” Kerr said. “Meaning, if the DOJ does bring a CFAA charge, the defendant can’t move to dismiss it on the grounds that it’s good faith security research.”
Kerr added that he can’t think of a CFAA case where this policy would have made a substantive difference.
“I don’t think the DOJ is giving up much, but there’s a lot of hacking that could be covered under good faith security research that they’re saying they won’t prosecute, and it will be interesting to see what happens there,” he said.
The new policy also clarifies other types of potential CFAA violations that are not to be charged. Most of these include violations of a technology provider’s terms of service, and here the DOJ says “violating an access restriction contained in a term of service are not themselves sufficient to warrant federal criminal charges.” Some examples include:
-Embellishing an online dating profile contrary to the terms of service of the dating website;
-Creating fictional accounts on hiring, housing, or rental websites;
-Using a pseudonym on a social networking site that prohibits them;
-Checking sports scores or paying bills at work.
Kerr’s warning about the dangers that security researchers face from civil prosecution is well-founded. KrebsOnSecurity regularly hears from security researchers seeking advice on how to handle reporting a security vulnerability or data exposure. In most of these cases, the researcher isn’t worried that the government is going to come after them: It’s that they’re going to get sued by the company responsible for the security vulnerability or data leak.
Often these conversations center around the researcher’s desire to weigh the rewards of gaining recognition for their discoveries with the risk of being targeted with costly civil lawsuits. And almost just as often, the source of the researcher’s unease is that they recognize they might have taken their discovery just a tad too far.
Here’s a common example: A researcher finds a vulnerability in a website that allows them to individually retrieve every customer record in a database. But instead of simply polling a few records that could be used as a proof-of-concept and shared with the vulnerable website, the researcher decides to download every single file on the server.
Not infrequently, there is also concern because at some point the researcher suspected that their automated activities might have actually caused stability or uptime issues with certain services they were testing. Here, the researcher is usually concerned about approaching the vulnerable website or vendor because they worry their activities may already have been identified internally as some sort of external cyberattack.
What do I take away from these conversations? Some of the most trusted and feared security researchers in the industry today gained that esteem not by constantly taking things to extremes and skirting the law, but rather by publicly exercising restraint in the use of their powers and knowledge — and by being effective at communicating their findings in a way that maximizes the help and minimizes the potential harm.
If you believe you’ve discovered a security vulnerability or data exposure, try to consider first how you might defend your actions to the vulnerable website or vendor before embarking on any automated or semi-automated activity that the organization might reasonably misconstrue as a cyberattack. In other words, try as best you can to minimize the potential harm to the vulnerable site or vendor in question, and don’t go further than you need to prove your point.
Listen to Aryeh Goretsky, Martin Smolár, and Jean-Ian Boutin discuss what UEFI threats are capable of and what the ESPecter bootkit tells us about their evolution
The post ESET Research Podcast: UEFI in crosshairs of ESPecter bootkit appeared first on WeLiveSecurity
ESET researchers spot an updated version of the malware loader used in the Industroyer2 and CaddyWiper attacks
The post Sandworm uses a new version of ArguePatch to attack targets in Ukraine appeared first on WeLiveSecurity
Below research is reflecting our observations during month of March 2022. We also would like to thank Maria Jose Erquiaga for her contribution in introduction and support during the process of writing.
As the Russian-Ukrainian war continues over conventional warfare, cybersecurity professionals witnessed their domain turning into a real frontier. Threat actors picking sides [1], group members turning against each other [2], some people handing out DDoS tools [3], some people blending in to turn it into profit [4], and many other stories, proving that this new frontier is changing daily, and its direct impact is not limited to geographical boundaries.
While attacks seem to be evolving daily, it is challenging for one to stay up to date with all that is going around. Therefore, we believe that it is important to distinguish between information and actionable intelligence. In Cisco Global Threat Alerts, we would like to share our observations related to this conflict during March of 2022 and discover how we can turn them into actionable intelligence together.
Since the rapid escalation of the conflict in 2022, security researchers and analysts have been gathering information regarding the adversarial groups, malware, techniques, and types of attacks implemented [1, 5, 6]. Some of the groups and malware related to the conflict are described in Table 1:
| Threat Actor | Malware | Location |
| Gamaredon [7] | Pteranodon [8] | Crimea |
| Sandworm [9] | CyclopsBlink [10] | Russia |
| WizardSpider [11] | Cobalt Strike [12], Emotet [13], Conti [14], Ryuk [15], Trickbot [16] | Russia |
Table 1: Threat actors and their relations
Gamaredon group, also known as Primitive Bear, Shuckworm and ACTINIUM, is an advanced persistent threat (APT) based in Russia. Their activities can be traced back as early as 2013, prior to Russia’s annexation of the Crimean Peninsula. They are known to target state institutions of Ukraine and western government entities located in Ukraine. Ukrainian officials attribute them to Russian Federal Security Service, also known as FSB [17].
Gamaredon often leverages malicious office files, distributed through spear phishing as the first stage of their attacks. They are known to use a PowerShell beacon called PowerPunch to download and execute malware for ensuing stages of attacks. Pterodo and QuietSieve are popular malware families that they deploy for stealing information and various actions on objective [18].
We were able to collect network IoC’s related to Gamaredon infrastructure. During our initial analysis, most of the indicators were not attributed directly to any specific malware and they were rather listed as part of Gamaredon’s infrastructure. Therefore, we wanted to analyze their infrastructure to understand their arsenal and deployment in greater detail.
The first part of this research is focused on WHOIS record analysis. We observed that Gamaredon domains were dominantly registered by REG[.]RU. Creation dates are going back as early as February 2019 and have a changing pattern for the registrant email. Until August 2020, we observed that message-yandex.ru@mail[.]ru was the main registrant email. Later, it shifted to macrobit@inbox[.]ru, mixed with the occasional usage of message-yandex.ru@mail[.]ru and tank-bank15@yandex[.]ru. Domain creation dates in some of the WHOIS records are as recent as March 2022.
Other than WHOIS information, the domains we observed that were related to Gamaredon campaigns had a distinguishing naming convention. While dataset consisted of domain names (without TLDs) varying between 4 to 16 characters, 70% percent of them were between 7 to 10 characters. Combined with a limited group of top-level domains (TLDs) used (see Table 2), this leads us to a naming pattern for further attribution. Additionally, the usage of TLDs on domain creation seems to be rotating.
| TLD | Distribution | TLD Usage |
| online | 42.07% | 08/2020-02/2021,02/2022 |
| xyz | 29.47% | 06/2022-08/2022, 02/2022-03/2022 |
| ru | 14.22% | 08/2020, 05/2021-02/2022 |
| site | 8.94% | 07/2020-02/2021 |
| space | 2.64% | 02/2019-06/2020 |
Table 2: TLD distribution and time in use
In the case of domain resolutions, we aimed to analyze the distribution of autonomous system numbers (ASN) used by resolved IP addresses (see Table 3). Once more, the owner REG[.]RU is leading the list, owning most of the domains. TimeWeb was the second this time, with 28% of the domains we found to be related to Gamaredon activities. Domains having ‘. online’ and ‘.ru’ TLDs are regularly updating their IP resolutions, almost daily.
| Owner | ASN | Popular Networks | Distribution |
| REG.RU, Ltd | AS197695 | 194.67.71.0/24 194.67.112.0/24 194.58.100.0/24 194.58.112.0/24 194.58.92.0/24 89.108.81.0/24 |
45.93% |
| TimeWeb Ltd. | AS9123 | 185.104.114.0/24 188.225.77.0/24 188.225.82.0/24 94.228.120.0/24 94.228.123.0/24 |
28.25% |
| EuroByte LLC | AS210079 | 95.183.12.42/32 | 10.56% |
| AS-CHOOPA | AS20473 | 139.180.196.149/32 | 5.08% |
| LLC Baxet | AS51659 | 45.135.134.139/32 91.229.91.124/32 |
2.23% |
| System Service Ltd. | AS50448 | 109.95.211.0/24 | 1.82% |
Table 3: Distribution of IP addresses per ASN and owner
After understanding the infrastructure, let’s proceed with their arsenal. We looked at associated file samples for the domains through Umbrella and Virustotal. A sample of the results can be seen below. Referring to a file type, we can see that the Gamaredon group prefers malicious office documents with macros. Also, they are known to use Pterodo, which is a constantly evolving custom backdoor [8, 18].
| Domain | Hash | Type | Malware |
| acetica[.]online | 4c12713ef851e277a66d985f666ac68e73ae21a82d8dcfcedf781c935d640f52 | Office Open XML Document | Groooboor |
| arvensis[.]xyz | 03220baa1eb0ad80808a682543ba1da0ec5d56bf48391a268ba55ff3ba848d2f | Office Open XML Document | Groooboor |
| email-smtp[.]online | 404ed6164154e8fb7fdd654050305cf02835d169c75213c5333254119fc51a83 | Office Open XML Document | Groooboor |
| gurmou[.]site | f9a1d7e896498074f7f3321f1599bd12bdf39222746b756406de4e499afbc86b | Office Open XML Document | Groooboor |
| mail-check[.]ru | 41b7a58d0d663afcdb45ed2706b5b39e1c772efd9314f6c1d1ac015468ea82f4 | Office Open XML Document | Groooboor |
| office360-expert[.]online | 611e4b4e3fd15a1694a77555d858fced1b66ff106323eed58b11af2ae663a608 | Office Open XML Document | Groooboor |
| achilleas[.]xyz | f021b79168daef8a6359b0b14c0002316e9a98dc79f0bf27e59c48032ef21c3d | Office Open XML Document | Macro enabled Word Trojan |
| anisoptera[.]online | 8c6a3df1398677c85a6e11982d99a31013486a9c56452b29fc4e3fc8927030ad | MS Word Document | Macro enabled Word Trojan |
| erythrocephala[.]online | 4acfb73e121a49c20423a6d72c75614b438ec53ca6f84173a6a27d52f0466573 | Office Open XML Document | Macro enabled Word Trojan |
| hamadryas[.]online | 9b6d89ad4e35ffca32c4f44b75c9cc5dd080fd4ce00a117999c9ad8e231d4418 | Office Open XML Document | Macro enabled Word Trojan |
| intumescere[.]online | 436d2e6da753648cbf7b6b13f0dc855adf51c014e6a778ce1901f2e69bd16360 | MS Word Document | Macro enabled Word Trojan |
| limosa[.]online | 0b525e66587e564db10bb814495aefb5884d74745297f33503d32b1fec78343f | MS Word Document | Macro enabled Word Trojan |
| mesant[.]online | 936b70e0babe7708eda22055db6021aed965083d5bc18aad36bedca993d1442a | MS Word Document | Macro enabled Word Trojan |
| sufflari[.]online | 13b780800c94410b3d68060030b5ff62e9a320a71c02963603ae65abbf150d36 | MS Word Document | Macro enabled Word Trojan |
| apusa[.]xyz | 23d417cd0d3dc0517adb49b10ef11d53e173ae7b427dbb6a7ddf45180056c029 | Win32 DLL | Pterodo |
| atlanticos[.]site | f5023effc40e6fbb5415bc0bb0aa572a9cf4020dd59b2003a1ad03d356179aa1 | VBA | Pterodo |
| barbatus[.]online | 250bd134a910605b1c4daf212e19b5e1a50eb761a566fffed774b6138e463bbc | VBA | Pterodo |
| bitsadmin2[.]space | cfa58e51ad5ce505480bfc3009fc4f16b900de7b5c78fdd2c6d6c420e0096f6b | Win32 EXE | Pterodo |
| bitsadmin3[.]space | 9c8def2c9d2478be94fba8f77abd3b361d01b9a37cb866a994e76abeb0bf971f | Win32 EXE | Pterodo |
| bonitol[.]online | 3cbe7d544ef4c8ff8e5c1e101dbdf5316d0cfbe32658d8b9209f922309162bcf | VBA | Pterodo |
| buhse[.]xyz | aa566eed1cbb86dab04e170f71213a885832a58737fcab76be63e55f9c60b492 | Office Open XML Document | Pterodo |
| calendas[.]ru | 17b278045a8814170e06d7532e17b831bede8d968ee1a562ca2e9e9b9634c286 | Win32 EXE | Pterodo |
| coagula[.]online | c3eb8cf3171aa004ea374db410a810e67b3b1e78382d9090ef9426afde276d0f | MS Word Document | Pterodo |
| corolain[.]ru | 418aacdb3bbe391a1bcb34050081bd456c3f027892f1a944db4c4a74475d0f82 | Win32 EXE | Pterodo |
| gorigan[.]ru | 1c7804155248e2596ec9de97e5cddcddbafbb5c6d066d972bad051f81bbde5c4 | Win32 EXE | Pterodo |
| gorimana[.]site | 90cb5319d7b5bb899b1aa684172942f749755bb998de3a63b2bccb51449d1273 | MS Word Document | Pterodo |
| krashand[.]ru | 11d6a641f8eeb76ae734951383b39592bc1ad3c543486dcef772c14a260a840a | Win32 EXE | Pterodo |
| libellus[.]ru | 4943ca6ffef366386b5bdc39ea28ad0f60180a54241cf1bee97637e5e552c9a3 | Win32 EXE | Pterodo |
| melitaeas[.]online | 55ad79508f6ccd5015f569ce8c8fcad6f10b1aed930be08ba6c36b2ef1a9fac6 | Office Open XML Document | Pterodo |
| mullus[.]online | 31afda4abdc26d379b848d214c8cbd0b7dc4d62a062723511a98953bebe8cbfc | Win32 EXE | Pterodo |
| upload-dt[.]hopto[.]org | 4e72fbc5a8c9be5f3ebe56fed9f613cfa5885958c659a2370f0f908703b0fab7 | MS Word Document | Pterodo |
Table 4: Domains, files (hash and type), and malware name associated to the Gamaredon group
After reviewing the behaviors of the associated malicious samples, it is easier to build attribution between the malicious domain and the corresponding sample. IP addresses resolved by the domain are later used to establish raw IP command and control (C2) communication with a distinguishing URL pattern. The following example shows how 1c7804155248e2596ec9de97e5cddcddbafbb5c6d066d972bad051f81bbde5c4 resolves gorigan[.]ru and uses its IP address to build a C2 URL (http|https<IP>/<random alphanumerical string>). Therefore, DNS and outgoing web traffic is crucial for its detection.
In Cisco Global Threat Alerts, we are tracking the Gamaredon group under the Gamaredon Activity threat object. The threat description is enriched with MITRE references (see Figure 3).
Figure 4 shows a detection sample of Gamaredon activity. Observe that the infected device attempted to communicate with the domains alacritas[.]ru, goloser[.]ru, and libellus[.]ru, which seemed to be sinkholed to the OpenDNS IP address of 146.112.61.[.]107.
We’ve walked through the steps of producing intelligence from information we’ve collected. We began our analysis with an unattributed list of network IoC’s and were able to identify unique patterns in their metadata. Then, we pivoted to endpoint IoC’s and attributed domains to malware families. Next, we showed how we turned it into a detection of the Gamaredon group displayed in the Cisco Global Threat Alerts portal.
For your convenience, here’s a summary of the intelligence we developed in this blog post:
| Aliases | Primitive Bear, Shuckworm, ACTINIUM |
| Type | Threat Actor |
| Originating From | Russia |
| Targets | Ukranian State Organizations |
| Malware used | Pterodo, Groooboor |
| File Type | Macro enabled office files, Win32 Exe, VBA |
| TLD’s used | .online, .xyz, .ru, .site, .space |
| ASN’s used | REG.RU, Ltd, TimeWeb Ltd., EuroByte LLC, AS-CHOOPA, LLC Baxet, System Service Ltd. |
[1] Cyber Group Tracker: https://cyberknow.medium.com/update-10-2022-russia-ukraine-war-cyber-group-tracker-march-20-d667afd5afff
[2] Conti ransomware’s internal chats leaked after siding with Russia: https://www.bleepingcomputer.com/news/security/conti-ransomwares-internal-chats-leaked-after-siding-with-russia/
[3] Hackers sound call to arms with digital weapon aimed at Russian websites: https://cybernews.com/news/hackers-sound-call-to-arms-with-digital-weapon-aimed-at-russian-websites/
[4] Threat advisory: Cybercriminals compromise users with malware disguised as pro-Ukraine cyber tools: https://blog.talosintelligence.com/2022/03/threat-advisory-cybercriminals.html
[5] Ukraine-Cyber-Operations: https://github.com/curated-intel/Ukraine-Cyber-Operations
[6] What You Need to Know About Russian Cyber Escalation in Ukraine: https://socradar.io/what-you-need-to-know-about-russian-cyber-escalation-in-ukraine/
[7] Gamaredon: https://attack.mitre.org/groups/G0047/
[8] Pteranodon: https://attack.mitre.org/software/S0147/
[9] Sandworm: https://attack.mitre.org/groups/G0034/
[10] Threat Advisory: Cyclops Blink: https://blog.talosintelligence.com/2022/02/threat-advisory-cyclops-blink.html
[11] Wizard Spider: https://attack.mitre.org/groups/G0102/
[12] Cobalt Strike: https://attack.mitre.org/software/S0154
[13] Emotet: https://attack.mitre.org/software/S0367
[14] Conti: https://attack.mitre.org/software/S0575
[15] Ryuk: https://attack.mitre.org/software/S0446
[16] TrickBot: https://attack.mitre.org/software/S0446
[17] Technical Report Gamaredon/Armageddon group: https://ssu.gov.ua/uploads/files/DKIB/Technical%20report%20Armagedon.pdf
[18] ACTINIUM targets Ukrainian organizations: https://www.microsoft.com/security/blog/2022/02/04/actinium-targets-ukrainian-organizations/
We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!
Cisco Secure Social Channels
ESET researchers reveal a detailed profile of TA410: we believe this cyberespionage umbrella group consists of three different teams using different toolsets, including a new version of the FlowCloud espionage backdoor discovered by ESET.
The post A lookback under the TA410 umbrella: Its cyberespionage TTPs and activity appeared first on WeLiveSecurity
FreshRSS 