Back

Report on Ukraine government attack campaign

Aug. 23, 2024, 9:02 a.m.

Tags

malware
powershell
data theft
ukraine
exfiltration
government
spectr
2024-08-23
firmachagent

External References

https://otx.alienvault.com/

Description

Ukraine's government cybersecurity incident response team, CERT-UA, obtained information about the distribution of emails themed around prisoners of war, containing links to download an archive named 'spysok_kursk.zip'. This archive contained a CHM file with JavaScript code that launched an obfuscated PowerShell script designed to install the SPECTR malware and the new FIRMACHAGENT program. These components enabled data theft, document exfiltration, screenshot capturing, and browser data theft, while scheduled tasks managed the malware components. Reducing the attack surface by limiting user privileges and implementing application whitelisting policies can mitigate this threat.

Date

Published Created Modified
Aug. 23, 2024, 8:56 a.m. Aug. 23, 2024, 8:56 a.m. Aug. 23, 2024, 9:02 a.m.

Indicators

f94b8d2391b53dfb96035a2ba628224c3bfedf77021c896b64a0d7c8f2121e17

f00c85d9db7a2a2bf248771b8d81d978fa6d2153e6a3095d9c5896b604e9d00d

eef9f73dc7e0cdd4b1780ecd20845496a91e0f1c096264208d991935c5e97308

ea1945d887cbe8a56234cec6da2c46ed7a28ae6a69fd49181b3d13a71943ffd9

d44ff1bd3c7ff81228548c82ea68c33bdea780772ce55dc4be2d4156985a326a

d16239cfbee14a8621637934aebe2d5253fea04940d2eb082bd8dcdc41111d4b

b95ef984bfb22c55881931b134deaf1b848fbfda4180fc393b9f532f51089cbb

ad30e29ba883c3f528d2782dbc3d1b5258815b619c6dfc3639fee416cf27fb1f

8d4808ed167ac91724e8ab4da24bcc3bd2159a4972c212a1cd4062f02a3731d0

8987952745a8d46a8f2e6d1666cc9c542b6a9a96787ef467c76b779a8b6c1a66

8612668466f9c8a180e0e9a3c92c85a03788f2f0bb3c6bf70f52c356e02702db

6a18392e3e062ce0fcd4688c0b09e482855cf709eb178437d8fe2cdc9cfdf51f

68fe595237eec1261184a5f3a00cc0f678a33751615796942001997575887557

3e6c13f9e4cee9b8d55d7a83fd3c3d5d6d09b6c477c4f84fd79db6cc8de7ea42

4d8918cfcc97ca63666937e5d53373793f3695a2b1177e27a78aa34303c2ee80

21c33c8365218b7fb1bbb0d45af77926877fb33384ef58fbbb6db04b9df55eb6

087158ad28080ef438047b88896dfa1962d1cd6fed8fce06e35c25f91ad5f1ff

180f9a2d3de0b5f031408797286837bb4b10b2a6d8797cf985347f5d80f9e4a0

91.225.219.185

171.22.120.50

http://ukraero.space/jobs/upload

http://ukraero.space/jobs/download

http://prozorro.online/info/docx/recon

http://prozorro.online/data/spysok_kursk.zip

http://171.22.120.50/data/chrome_updater.txt

http://171.22.120.50/data/USB.txt

http://171.22.120.50/data/Social.txt

http://171.22.120.50/data/Screen.txt

http://171.22.120.50/data/IDCLIPNET_x86.txt

http://171.22.120.50/data/Files.txt

http://171.22.120.50/data/Browser.txt

Attack Patterns

FIRMACHAGENT

SPECTR

Unknown

T1180

T1193

T1022

T1094

T1137

T1007

T1018

T1012

T1547

T1518

T1082

T1105

T1219

T1134

T1036

T1204

T1053

T1056

T1078

T1059

Additional Informations

Ukraine