SecuriTricks - Attack Report

Description

EclecticIQ analysts have identified a cyber espionage campaign by Sandworm (APT44) targeting Ukrainian Windows users. The group is leveraging pirated Microsoft Key Management Service (KMS) activators and fake Windows updates to deliver a new version of the BACKORDER loader, which ultimately deploys Dark Crystal RAT (DcRAT). This enables data exfiltration and espionage activities. The campaign, likely ongoing since late 2023, exploits Ukraine's high software piracy rates, potentially compromising home users, businesses, and government networks. Multiple distribution campaigns have been observed, using similar lures and tactics. The attackers employ sophisticated techniques, including disabling Windows Defender, using Living Off the Land Binaries, and establishing persistence through scheduled tasks. The operation aligns with Russia's broader hybrid warfare strategy against Ukraine.

External References

https://blog.eclecticiq.com/sandworm-apt-targets-ukrainian-users-with-trojanized-microsoft-kms-activation-tools-in-cyber-espionage-campaigns

https://otx.alienvault.com/pulse/67abea2482c0fcb78318fb06

Date

Created: Feb. 12, 2025, 12:24 a.m.
Published: Feb. 12, 2025, 12:24 a.m.
Modified: Feb. 12, 2025, 9:07 a.m.

Indicators

fdc3f0516e1558cc4c9105ac23716f39a6708b8facada3a48609073a16a63c83
ed5735449a245355706fc58f4b744251f6e499833f02a972f9bd448c28467194
d13f0641fd98df4edcf839f0d498b6b6b29fbb8f0134a6dae3d9eb577d771589
cd7c36a2f4797b9ca6e87ab44cb6c8b4da496cff29ed5bf727f0699917bae69a
b545c5ee0498637737d4edff4b0cc672fe097a1ecfba1a08bb4d07e8affe79d3
afc6131b17138a6132685617aa60293a40f2462dc3a810a4cf745977498e0255
aadd85e88c0ebb0a3af63d241648c0670599c3365ff7e5620eb8d06902fdde83
a42de97a466868efbfc4aa1ef08bfdb3cc5916d1accd59cfffff1a896d569412
a00beaa5228a153810b65151785596bebe2f09f77851c92989f620e37c60c935
8a4df53283a363c4dd67e2bda7a430af2766a59f8a2faf341da98987fe8d7cbd
70cad07a082780caa130290fcbb1fd049d207777b587db6a5ee9ecf15659419f
70c91ffdc866920a634b31bf4a070fb3c3f947fc9de22b783d6f47a097fec2d8
553f7f32c40626cbddd6435994aff8fc46862ef2ed8f705f2ad92f76e8a3af12
4b9e32327067a84d356acb8494dc05851dbf06ade961789a982a5505b9e061e3
4b0038de82868c7196969e91a4f7e94d0fa2b5efa7a905463afc01bfca4b8221
48450c0a00b9d1ecce930eadbac27c3c80db73360bc099d3098c08567a59cdd3
1a1ffcbab9bff4a033a26e8b9a08039955ac14ac5ce1f8fb22ff481109d781a7
0e58d38fd2df86eeb4a556030a0996c04bd63e09e669b34d3bbc10558edf31a6
039c8dd066efa3dd7ac653689bfa07b2089ce4d8473c907547231c6dd2b136ec

https://btdig.com/172d3750e3617526563dd0b24c4ba88f907622b9
https://activationsmicrosoft.com/activationsmicrosoft.php
http://onedrivepack.com/pipe_RequestPollUpdateProcessAuthwordpress.php
http://kmsupdate2023.com/kms2023.zip
http://btdig.com/172d3750e3617526563dd0b24c4ba88f907622b9

windowsupdatesystem.org
ratiborus2023.com
onedrivestandaloneupdater.com
onedrivepack.com
main.show
kmsupdate2023.com
kms-win11-update.net
kalambur.net
akamaitechcdns.com
activationsmicrosoft.com
2zilmiystfbjib2k4hvhpnv2uhni4ax5ce4xlpb7swkjimfnszxbkaid.onion

Download all indicators here!

Sandworm APT Targets Ukrainian Users with Trojanized Microsoft KMS Activation Tools in Cyber Espionage Campaigns

Description

External References

Tags

Date

Indicators

Attack Patterns

Additional Informations

Sandworm APT Targets Ukrainian Users with Trojanized Microsoft KMS Activation Tools in Cyber Espionage Campaigns

Description

External References

Tags

Date

Indicators

Attack Patterns

Additional Informations

Share