### Cyber Reports # BabaDeda and LorecCPL downloaders used to run Outsteel against Ukraine **TELSY S.p.A.** Corso Svizzera, 185 - 10149 Torino – ITALIA Via del Pellegrino 155 - 00186 Roma - ITALIA 16/02/2022 tel +39.011.771.4343 - fax +39.011.741.9090 email: telsy@telsy.it ----- ### INDEX **1** **Introduction .................................................................................................................................... 3** **2** **Analysis ........................................................................................................................................... 4** **2.1** **Double BabaDeda crypter downloaded from LNK or docm template ................ 6** **2.1.1** **First Stage ........................................................................................................................................ 8** **2.1.2** **WhisperGate Code OVERLAP .................................................................................................. 19** **2.2** **BABADEDA Crypter Dropped from a new Downloader ......................................... 22** **2.3** **LorecCPL downloads ASPProtected Outsteel ............................................................ 27** **3** **Indicators of Compromise ........................................................................................................ 33** **4** **ATT&CK Matrix ............................................................................................................................ 34** 2 Telsy Report – BabaDeda and LorecCPL downloaders used to run Outsteel against Ukraine © Telsy 2022 ----- ## 1 Introduction Beginning in January 2022, there was a series of attacks on numerous organizations in Ukraine spanning the government, the military, non-governmental organizations (NGOs), with the primary intent of exfiltrating sensitive information and maintaining access. Based on these new details and **_Telsy's threat hunt, we uncovered several links that_** strongly support the idea that these attacks were part of a larger campaign that has been running for a few months and has undergone several evolutions. In this way we have mapped the various clusters and in particular three chains of infection, composed of a series of techniques and procedures, with several significant elements that we consider important to better understand the various phases implemented. One of the most used access vectors in these campaigns are spear-phishing emails with malicious attachments. Phishing attachments contain a first-stage payload that downloads and executes additional payloads. The main payload provided by the malware is an infostealer written in AutoIt compiled (OutSteel). Its main goal is to steal files from the victim's machine by uploading them to a default Command and control (C2) server. The element detected in these latter chains is the downloader used to load the infostealer “Outsteel”. In the past this was loaded by the **SaintBot tool while in these campaigns, it is** loaded by the **BabaDeda** crypter. Based on victimology and the fact that this attack attempts to steal files from government entities, it is assumed to be a state-sponsored group. Some evidence suggests that these activities are carried out by a hacker group called “Lorec53” as namede by the security firm **_“NSFocus”. The group is suspected of being_** employed by other high-level espionage organisations to conduct espionage attacks, targeting government employees in Georgia and Ukraine. This group uses the infostealer "Outsteel" and the downloader "LorecCPL", both of which have overlapping code with the same artefacts identified in the campaigns analysed in this report. We can therefore assume that the BabaDeda crypter is also one of the tools in use by this group. Telsy Report – BabaDeda and LorecCPL downloaders used to run Outsteel against Ukraine © Telsy 2022 3 ----- _entities graph_ ## 2 Analysis Telsy detected several infection chains starting with different initial stages: document template, LNK file or a CPL file representing a new type of downloader very similar to a shellcode in the way the stack is used. The second phase uses the BabaDeda crypter to run the infostealer called OutSteel. _BabaDeda Crypter_ is an evasive malware that acts like an installer and executes a shellcode stored encrypted in a file usually, xml or pdf, dropped by the installer self. The main binary of _BabaDeda Crypter_ it’s a malicious binary, _compiled with text segment_ _writable, that has only the purpose to load the 1[st] malicious library._ The first malicious DLL side loaded decrypt the shellcode storing it in the text section of the main binary and loads/execute the secondary malicious library in another thread then return to the decrypted shellcode. _entities graph_ 4 Telsy Report – BabaDeda and LorecCPL downloaders used to run Outsteel against Ukraine © Telsy 2022 ----- The decrypted shellcode represents the real payload embedded in the installer by the threat actor while the 2[nd] malicious library can embed every kind of malware. In the samples that we found the 2[nd] library is used sometime as downloader and in other cases as thread to achieve persistence, it depends by the stage. _execution process graph_ Below a kind of time line that describes how the tools were employed in the time, most likely, by the same threat actor. Telsy Report – BabaDeda and LorecCPL downloaders used to run Outsteel against Ukraine © Telsy 2022 5 ----- #### 2.1 Double BabaDeda crypter downloaded from LNK or docm template This infection chain, which can be placed in the period September / October 2021 according to the compilation times, starts with a link (LNK) or a WORD template document that downloads the BabaDeda crypter. The BabaDeda crypter includes Outsteel as a payload and a downloader as 2[nd] library. _execution process graph_ The **lnk file with hash** _931a86f402fee99ae1358bb0b76d055b2d04518f, most likely_ distributed by e-mail, named “Особливі **_документи_** **_СБУ.lnk” (Special documents of the_** **_SBU.lnk) is, clearly, a decoy document for Ukrainian defense officers. This lnk file was_** contained in zip archives hosted on discord. When open it executes a PowerShell command to download and execute the first phase from the URL: “hxxp: //3237.site/test01.exe” The downloaded executable with hash _0d584d72fe321332df0b0a17720191ad96737f47 is_ stored in the public directory and it is executed from the PowerShell self. 6 Telsy Report – BabaDeda and LorecCPL downloaders used to run Outsteel against Ukraine © Telsy 2022 ----- Instead the document with hash ac672a07c62d48c0a7f98554038913770efaef11 is a word **dotm model and starts the first phase of the infection in the same way as the lnk file,** downloading and executing the same artifact through PowerShell: _hxxp://3237.site/test01.exe._ The following document header suggests that this document may have been used after September 2021. _“Addition to the decision of the National Security and Defense Council of Ukraine of_ _September 7, 2021 "On Amendments to Personal Special Economic and Other Restrictive_ _Measures (Sanctions)”_ The template contains a macro that on the open event drops a cmd file with a PowerShell command inside. The cmd file is stored in “C:\Users\Public\Documents\programtwo.cmd” and contains the PowerShell command to download the artifact from URL “hxxp: //3237.site/test01.exe” and save it in “C:\Users\Public\Documents\manlevel.exe”. Telsy Report – BabaDeda and LorecCPL downloaders used to run Outsteel against Ukraine © Telsy 2022 7 ----- As in the previous LNK document the PowerShell command runs the downloaded file. Also, the WORD template has been hosted on discord and is most likely downloaded as a remote template from a docx released by email. **2.1.1** **First Stage** Both files, lnk and WORD template, downloads the same installer has been created with _Inno Setup._ Once executed, it extracts all the components in the path: “C:\Users\admin\AppData\Roaming\mXParser”. The main executable, named “mathparser.exe” whose hash is _26474ba449682e82ca38fef32836dcb23ee24012, is executed directly by the installer after_ all the components have been extracted. This installation is a BabaDeda crypter, i.e. a type of loader. In fact, as described in the blog of the security company "Morphisec”, it is used to evasively load a malicious payload stored in another file. Since the analysis cited by the blog is exhaustive, it was not performed. This loader was reported in November 2021 in connection with attacks against the NFT and **_Crypto community. Instead, it was used in these campaigns, leading to the_** 8 Telsy Report – BabaDeda and LorecCPL downloaders used to run Outsteel against Ukraine © Telsy 2022 ----- assumption that it could be code reuse or the action of the same cybercriminal group in favour of a state-sponsored threat actor. Basically, the BabaDeda crypter phases are: 1. Main Binary load and run a malicious DLL; 2. The malicious DLL load and execute in another thread the second malicious DLL; 3. The first malicious DLL read and parse the shellcode and write it in the text section of the main binary; 4. The first malicious DLL returns to the shellcode entry point; 5. The decryption shellcode has three main tasks: first, it extracts the loader shellcode and the payload, then it decrypts them, and finally, it transfers the execution to the decrypted loader shellcode. 6. Finally, the payload is executed. Since the second loaded DLL and the final payload can be customised, BabaDeda crypter can be used to load any type of installation, in fact in this particular infection chain the first installer is intended to download and run another BabaDeda crypter. This differs from the analysis carried out by the company Morphisec in November 2021 in which the samples analysed were only used to directly upload malicious artefacts. The “mathparser” installation directory contains the following malicious files: **NAME** **SHA1** **PURPOSE** mathparser.exe 26474ba449682e82ca38fef32836dcb23ee24012 Main malicious Binary JxCnv40.dll 7d44391b76368b8331c4f468f8ddbaf6ee5a6793 1[st] Loaded DLL libics4.0.dll e1d92e085df142d703ed9fd9c65ed92562a759fa 2[nd] Loaded DLL manual.pdf 8423b25054aa78535c49042295558f33d34deae1 Shellcode Container So, the main binary before loading the library named “JxCnv40.dll” set the current directory to the right path to be sure that side loading technique works. |NAME|SHA1|PURPOSE| |---|---|---| |mathparser.exe|26474ba449682e82ca38fef32836dcb23ee24012|Main malicious Binary| |JxCnv40.dll|7d44391b76368b8331c4f468f8ddbaf6ee5a6793|1st Loaded DLL| |libics4.0.dll|e1d92e085df142d703ed9fd9c65ed92562a759fa|2nd Loaded DLL| |manual.pdf|8423b25054aa78535c49042295558f33d34deae1|Shellcode Container| Telsy Report – BabaDeda and LorecCPL downloaders used to run Outsteel against Ukraine © Telsy 2022 9 ----- This library, whit hash 7d44391b76368b8331c4f468f8ddbaf6ee5a6793, run in a thread the second malicious library. 10 Telsy Report – BabaDeda and LorecCPL downloaders used to run Outsteel against Ukraine © Telsy 2022 ----- Basically, the first library open “manual.pdf” reads all the content, then starts a new thread and after copy the 0x226 bytes from the file content into the main binary text section. The main binary is compiled with text section writable, so it does not need any virtual protect API. The shellcode taken from the file is located at a specified offset and it has a fixed size, this means that the BabaDeda crypter is not so ductile, indeed the binary is strictly linked to the shellcode and the file that contains the shellcode. This makes harder to re-use it without having the BabaDeda crypter build tools. A threat actor could use it changing the offsets manually to load another shellcode of different length from another file. Below the routine that loads the second library: Telsy Report – BabaDeda and LorecCPL downloaders used to run Outsteel against Ukraine © Telsy 2022 11 ----- Meanwhile the second library is executed in another thread, the final payload is decrypted and executed in the main binary thread. The payload named _Outsteel sends the_ documents to be exfiltrated to the URL “hxxp://185.244.41.109:8080/upld/”. This IP was disclosed as an IoC by the Ukrainian CERT in February 2022, although the same has been in use since at least October 2021. The final payload was decompiled with AutoIt tools and a code snippet follows. _Outsteel snippet code_ The second library, with hash _e1d92e085df142d703ed9fd9c65ed92562a759fa, is a mere_ downloader. Its main and only purpose is to download the next stage and run it. 12 Telsy Report – BabaDeda and LorecCPL downloaders used to run Outsteel against Ukraine © Telsy 2022 ----- Then the library with hash e1d92e085df142d703ed9fd9c65ed92562a759fa downloads from the URL "hxxp://smm2021.net/load2022.exe" the artefact, stores it in the path "C:\Users\\Downloads\installation.exe" and finally executes it. Telsy Report – BabaDeda and LorecCPL downloaders used to run Outsteel against Ukraine © Telsy 2022 13 ----- The downloaded file represents the second BabaDeda crypter installation and has hash: _75afd05e721553211ce2b6d6760b3e6426378469._ In particular, once executed, it runs an msiexec command to extract each component of the installation to “C:\Users\admin\AppData\Roaming\AdoptOpenJDK\Network OpenJDK _11 2.1.11.53”. After that, the main binary is executed automatically._ The malicious files released are: **NAME** **SHA1** **PURPOSE** adfrecorder.exe adea1f5656c54983880c4f1841df85016828eece Main malicious Binary ff_wmv9.dll ba9cea9ae60f473d7990c4fb6247c11c080788d3 1[st] Loaded DLL libegl3.dll 3a0a4e711c95e35c91a196266aeaf1dc0674739d 2[nd] Loaded DLL usage.pdf fa7887bc9d48fcfc6fd0e774092ca711ae28993a Shellcode Container The workflow is quite like the previous, the difference is in the final payload and in the second malicious library. |NAME|SHA1|PURPOSE| |---|---|---| |adfrecorder.exe|adea1f5656c54983880c4f1841df85016828eece|Main malicious Binary| |ff_wmv9.dll|ba9cea9ae60f473d7990c4fb6247c11c080788d3|1st Loaded DLL| |libegl3.dll|3a0a4e711c95e35c91a196266aeaf1dc0674739d|2nd Loaded DLL| |usage.pdf|fa7887bc9d48fcfc6fd0e774092ca711ae28993a|Shellcode Container| 14 Telsy Report – BabaDeda and LorecCPL downloaders used to run Outsteel against Ukraine © Telsy 2022 ----- The library “ff_wmv9.dll”, with hash _ba9cea9ae60f473d7990c4fb6247c11c080788d3, is_ executed to decrypt the final payload and loads the second library. ` It opens the library “usage.pdf” reads the content, create a new thread and it copies in text segment the shellcode located at a specific offset and run it. Telsy Report – BabaDeda and LorecCPL downloaders used to run Outsteel against Ukraine © Telsy 2022 15 ----- The second library is loaded and executed. The second library achieves the persistence creating a link file pointing to the main binary in the start-up directory. The link file is created via COM object interface, in particular using the IShellLinkW interface. 16 Telsy Report – BabaDeda and LorecCPL downloaders used to run Outsteel against Ukraine © Telsy 2022 ----- The start-up directory is obtained using SHGetFolderPathW() API. . Meanwhile the second library gains the persistence, the main thread run the real payload after that it is decrypted as described for BabaDeda crypter. To have the final payload the main binary has been dumped just after the decryption phase. The final payload is a downloader that tries to download the next stage and run it in another process. Telsy Report – BabaDeda and LorecCPL downloaders used to run Outsteel against Ukraine © Telsy 2022 17 ----- Threat actor used a particular way to check the file size. It run a stat() and checked the size field. If it is 1 then the file and the malware is removed otherwise it is executed. The downloaded file is executed in a new process. On the other hand, below the function to delete itself. 18 Telsy Report – BabaDeda and LorecCPL downloaders used to run Outsteel against Ukraine © Telsy 2022 ----- Unfortunately, the C2 “hxxp://45.12.5.62/” was not working so no further payloads are available. **2.1.2** **WhisperGate Code OVERLAP** Some similarity has been found between the final payload, especially in the self-deletion routine. In particular the similarity is with the file having the hash _34ca75a8c190f20b8a7596afeb255f2228cb2467bd210b2637965b61ac7ea907, i.e. the file_ “Wiper”. Indeed the file wiper reported by “Unit42” in shows that the self-deletion command string is almost identical. Below the two strings used: **Executable** **Command** _File Wiper (WhisperGate)_ cmd.exe /min /C ping 111.111.111.111 -n 5 -w 10 > Nul & Del /f /q \"%s\" _adfrecorder.exe_ _(final_ cmd.exe /min /C ping 111.111.111.111 -n 1 -w 10 > Nul & Del /f /q "%s" _payload)_ In the following snippet the difference between the two functions. |Executable|Command| |---|---| |File Wiper (WhisperGate)|cmd.exe /min /C ping 111.111.111.111 -n 5 -w 10 > Nul & Del /f /q \"%s\"| |adfrecorder.exe (final payload)|cmd.exe /min /C ping 111.111.111.111 -n 1 -w 10 > Nul & Del /f /q "%s"| Telsy Report – BabaDeda and LorecCPL downloaders used to run Outsteel against Ukraine © Telsy 2022 19 ----- _adfrecorder.exe (final payload)_ _File Wiper (WhisperGate)_ Also the routine to run the command is very similar. 20 Telsy Report – BabaDeda and LorecCPL downloaders used to run Outsteel against Ukraine © Telsy 2022 ----- _adfrecorder.exe (final payload)_ _File Wiper (WhisperGate)_ Although the code is quite similar, at the same time it can be quite common. Nevertheless, the CMD command, its options and the use of the IP _111.111.111 as a whole suggest a_ similarity between the two artefacts. In addition, both malware processes close after execution of the CMD command. _File Wiper (WhisperGate)_ Telsy Report – BabaDeda and LorecCPL downloaders used to run Outsteel against Ukraine © Telsy 2022 21 ----- #### 2.2 BABADEDA Crypter Dropped from a new Downloader The second infection chain analysed begins with an archive containing a file with the extension ".cpl" that subsequently downloads the _BabaDeda crypter. Based on the_ compilation date of the cpl file, it is assumed that this campaign can be traced back to November 2021. _execution process graph_ In terms of analysis, looking at a CPL file is essentially identical to a DLL file. However, unlike the latter, it is automatically run when double-clicked. This makes it similar to EXE files; however uneducated users may be more likely to try to execute CPL files if they do not know any better. These files with the extension CPL have code overlaid with LorecCPL described by the security company NSFocus. The zip archive, with hash 33ddc1b13c079001eaa3514de7354019fa4d470a, was hosted on discord and contains the LorecCPL file with hash: _3bbe45cdcc2731c0bb4751d1098eccc50f98ef66._ The latter is named: 22 Telsy Report – BabaDeda and LorecCPL downloaders used to run Outsteel against Ukraine © Telsy 2022 ----- “PDF – _Інструкція_ _отримання_ _бонусу_ _за_ _вакцинацію______________________-pdf.cpl”_ which means “PDF _–_ _Instructions_ _for_ _receiving_ _the_ _vaccination_ _bonus_ _________________________- pdf.cpl”_ The _LorecCPL_ file downloads an MSI file and installs it in the path: “C:\Users\admin\AppData\Roaming\3delite\Memory Test Toolkit”. The LorecCPL file is therefore only a downloader and has a structure similar to a shellcode as shown in the following figure: Telsy Report – BabaDeda and LorecCPL downloaders used to run Outsteel against Ukraine © Telsy 2022 23 ----- Basically, the code and the useful data are both in the text section. The return address in the stack is used to insert the address of the value that will be used by the call. The following routine is used to find the module addresses, walking the PEB structure: Once the address of the library has been obtained, of course the necessary APIs will actually be resolved: 24 Telsy Report – BabaDeda and LorecCPL downloaders used to run Outsteel against Ukraine © Telsy 2022 ----- The function to find the library address and to resolve the API name are used few times to get the address of the APIs LoadLibraryW() and GetProcAddr(), respectively the addresses are stored in the EDI and ESI registers. So further in the code when a library or a API should be resolved the EDI/ESI register are used to call the proper API. Telsy Report – BabaDeda and LorecCPL downloaders used to run Outsteel against Ukraine © Telsy 2022 25 ----- The library downloads an executable, with hash "7b67ed1f42e5cf388a0a981566598E716D9B4F99" from the URL "CDN.Discordapp.com/attachments/908281957039869965/911202801695/9112028016965 _/91120280162882172/adobeaacrobatreaderUpdate.exe" using the "WinHTTP" library,_ saves it in the path: “C:\Users\Public\svchosts.exe” and finally executes it. The file with hash 7b67ed1f42e5cf388a0a981566598e716d9b4f99 install BabaDeda crypter and starts the main malicious binary named also in this case mathparser.exe. The malicious files extracted are always the same: |NAME|SHA1|PURPOSE| |---|---|---| |mathparser.exe|f2b8ab6f531621ab355912de64385410c39c1909|Main malicious Binary| |JxCnv40.dll|7d44391b76368b8331c4f468f8ddbaf6ee5a6793|1st Loaded DLL| 26 Telsy Report – BabaDeda and LorecCPL downloaders used to run Outsteel against Ukraine © Telsy 2022 ----- libics4.0.dll e1d92e085df142d703ed9fd9c65ed92562a759fa 2[nd] Loaded DLL manual.pdf 8423b25054aa78535c49042295558f33d34deae1 Shellcode Container The LorecCPL libraries have been used to download Outsteel or BabaDeda crypter. _Outsteel snippet code_ #### 2.3 LorecCPL downloads ASPProtected Outsteel This infection chain according to the compilation time is of December 2021, differently from the previous one it does not uses BabaDeda crypter as loader but just uses LorecCPL to download Outsteel packed. Telsy Report – BabaDeda and LorecCPL downloaders 27 used to run Outsteel against Ukraine © Telsy 2022 |libics4.0.dll|e1d92e085df142d703ed9fd9c65ed92562a759fa|2nd Loaded DLL| |---|---|---| |manual.pdf|8423b25054aa78535c49042295558f33d34deae1|Shellcode Container| from the previous one it does not uses BabaDeda crypter as loader but just uses LorecCPL _Outsteel packed._ Telsy Report – BabaDeda and LorecCPL downloaders 27 used to run Outsteel against Ukraine © Telsy 2022 ----- The chain starts with an archive, with hash _0d94bac4c4df1fe3ad9fd5d6171c7460b30d8203, containing a LorecCPL file, with hash_ _f9d5b4cd52b42858917a4e1a1a60763c039f8930, and named_ _pdf - Приклад_ _заповнення_ _пояснювальної_ _текст_ _заповнюється_ _вручну.cpl ._ The CPL file, having the text segment writable, decrypts the real code via xor and then jump on it. After the xor operation the code goes on the decrypted zone and execute the usual LorecCPL flow, i.e. putting arguments on the stack as return address and use them in functions. 28 Telsy Report – BabaDeda and LorecCPL downloaders used to run Outsteel against Ukraine © Telsy 2022 ----- Indeed dumping the process the visual of the code is equals to the previous one. Telsy Report – BabaDeda and LorecCPL downloaders used to run Outsteel against Ukraine © Telsy 2022 29 ----- The LorecCPL will download from "stun.site/zepok101.exe" the Outsteel infostealer, with hash dbc9c8a492ae270bb7ed845680b81b94483ab585, packaged with the ASProtect tool . After decompressing and unpacking it, the “Outsteel” infostealer was found to exfiltrate documents on C2: “hxxp://185.244.41.109:8080/upld/” _Outsteel snippet code_ Belonging to the same campaign, for the same infection chain and period there is another archive, with hash 66117493eed35fbd3824e35971b0919190cd1de7, hosted at the following URL: “hxxp://flexspace.app/images/%D0%A2%D0%9B%D0%A4%20%D0%B8%D0%BD%D1%8 _4%D0%BE%D1%80%D0%BC%20%D0%92%D0%A0%D0%A3.docx.rar”._ This RAR file containing the usual _LorecCPL_ file inside, with hash _d0f1518db54f280dde5008404a2750641e76ceb2, named “ТЛФ_ _информ_ _ВРУ.docx.cpl”._ The LorecCPL file, just like the previous one, starts decrypting its payload and then acts like the previous downloading the Outsteel ASPRotected. 30 Telsy Report – BabaDeda and LorecCPL downloaders used to run Outsteel against Ukraine © Telsy 2022 ----- LorecCPL file before decryption: _LorecCPL file after decryption:_ Telsy Report – BabaDeda and LorecCPL downloaders used to run Outsteel against Ukraine © Telsy 2022 31 ----- The _LorecCPL will download the next stage_ _Outsteel from the following URL:_ “hxxp://stun.site/42348728347829.exe”. The next stage, with hash _942337f3ea28f553b47dc05726bb062befe09fef, is still packed_ with _ASProtector. The exfiltrated documents are still sent to the same IP address:_ _185.244.41.109._ _Outsteel snippet code_ 32 Telsy Report – BabaDeda and LorecCPL downloaders used to run Outsteel against Ukraine © Telsy 2022 ----- ## 3 Indicators of Compromise **TYPE** **_HASH_** **_PURPOSE_** _Start_ _Chain_ _Document_ _DOTM_ _ac672a07c62d48c0a7f98554038913770efaef11_ _downloader_ _LNK_ _931°86f402fee99ae1358bb0b76d055b2d04518f_ _Start Chain Link file downloader_ _CPL_ _3bbe45cdcc2731c0bb4751d1098eccc50f98ef66_ _Start Chain CPL file downloader_ _EXE_ _0d584d72fe321332df0b0a17720191ad96737f47_ _BABADEDA Crypter Installer_ _(Installer)_ _EXE_ _75afd05e721553211ce2b6d6760b3e6426378469_ _BABADEDA Crypter Installer_ _(Installer)_ _EXE_ _26474ba449682e82ca38fef32836dcb23ee24012_ _Mathparser.exe main binary_ _EXE_ _f2b8ab6f531621ab355912de64385410c39c1909_ _Mathparser.exe main binary_ _JxCnv40.dll malicious library shellcode_ _DLL_ _7d44391b76368b8331c4f468f8ddbaf6ee5a6793_ _injector (1[st] stage)_ _ff_wmv9.dll malicious library shellcode_ _DLL_ _ba9cea9ae60f473d7990c4fb6247c11c080788d3_ _injector (1[st] stage)_ _libics4.0.dll malicious library downloader_ _DLL_ _e1d92e085df142d703ed9fd9c65ed92562a759fa_ _(2[nd] stage)_ _libegl3.dll_ _malicious_ _DLL_ _3a0a4e711c95e35c91a196266aeaf1dc0674739d_ _persistence_ _(2[nd] stage)_ _PDF_ _8423b25054aa78535c49042295558f33d34deae1_ _manual.pdf shellcode container_ _(Shellcode)_ _PDF_ _fa7887bc9d48fcfc6fd0e774092ca711ae28993a_ _usage.pdf shellcode container_ _(Shellcode)_ _Archive_ _0d94bac4c4df1fe3ad9fd5d6171c7460b30d8203_ _Archive (CPL container)_ _CPL_ _f9d5b4cd52b42858917a4e1a1a60763c039f8930_ _Outsteel downloader_ _EXE_ _dbc9c8a492ae270bb7ed845680b81b94483ab585_ _Outsteel Asprotected_ _Archive_ _66117493eed35fbd3824e35971b0919190cd1de7_ _Archive (CPL container)_ _CPL_ _d0f1518db54f280dde5008404a2750641e76ceb2_ _Outsteel downloader_ _EXE_ _942337f3ea28f553b47dc05726bb062befe09fef_ _Outsteel Asprotected_ Telsy Report – BabaDeda and LorecCPL downloaders used to run Outsteel against Ukraine © Telsy 2022 |TYPE|HASH|PURPOSE| |---|---|---| |DOTM|ac672a07c62d48c0a7f98554038913770efaef11|Start Chain Document Template downloader| |LNK|931°86f402fee99ae1358bb0b76d055b2d04518f|Start Chain Link file downloader| |CPL|3bbe45cdcc2731c0bb4751d1098eccc50f98ef66|Start Chain CPL file downloader| |EXE (Installer)|0d584d72fe321332df0b0a17720191ad96737f47|BABADEDA Crypter Installer| |EXE (Installer)|75afd05e721553211ce2b6d6760b3e6426378469|BABADEDA Crypter Installer| |EXE|26474ba449682e82ca38fef32836dcb23ee24012|Mathparser.exe main binary| |EXE|f2b8ab6f531621ab355912de64385410c39c1909|Mathparser.exe main binary| |DLL|7d44391b76368b8331c4f468f8ddbaf6ee5a6793|JxCnv40.dll malicious library shellcode injector (1st stage)| |DLL|ba9cea9ae60f473d7990c4fb6247c11c080788d3|ff_wmv9.dll malicious library shellcode injector (1st stage)| |DLL|e1d92e085df142d703ed9fd9c65ed92562a759fa|libics4.0.dll malicious library downloader (2nd stage)| |DLL|3a0a4e711c95e35c91a196266aeaf1dc0674739d|libegl3.dll malicious library for persistence (2nd stage)| |PDF (Shellcode)|8423b25054aa78535c49042295558f33d34deae1|manual.pdf shellcode container| |PDF (Shellcode)|fa7887bc9d48fcfc6fd0e774092ca711ae28993a|usage.pdf shellcode container| |Archive|0d94bac4c4df1fe3ad9fd5d6171c7460b30d8203|Archive (CPL container)| |CPL|f9d5b4cd52b42858917a4e1a1a60763c039f8930|Outsteel downloader| |EXE|dbc9c8a492ae270bb7ed845680b81b94483ab585|Outsteel Asprotected| |Archive|66117493eed35fbd3824e35971b0919190cd1de7|Archive (CPL container)| |CPL|d0f1518db54f280dde5008404a2750641e76ceb2|Outsteel downloader| |EXE|942337f3ea28f553b47dc05726bb062befe09fef|Outsteel Asprotected| 33 ----- **_DOMAIN - IP - URL_** _smm2021.net_ _http://smm2021.net/load2022.exe_ _3237.site_ _http://3237.site/test01.exe_ _45.12.5.62_ _cdn.discordapp.com/attachments/908281957039869965/911202801416282172/AdobeAc_ _robatReaderUpdate.exe_ _185.244.41.109_ _hxxp://185.244.41.109:8080/upld/_ _flexspace.app_ _hxxp://flexspace.app/images/%D0%A2%D0%9B%D0%A4%20%D0%B8%D0%BD%D1%_ _84%D0%BE%D1%80%D0%BC%20%D0%92%D0%A0%D0%A3.docx.rar_ _stun.site_ _http://stun.site/zepok101.exe_ ## 4 ATT&CK Matrix 34 Telsy Report – BabaDeda and LorecCPL downloaders used to run Outsteel against Ukraine © Telsy 2022 ----- **Telsy is the Digital Champion of TIM Group for** cybersecurity and cryptography. For 50 years it has been at the service of the defense of the country, supporting armed forces and institutions in the defense of communications and the Italian cyber perimeter. Working in synergy with the other factories of the TIM Group, Telsy is the Cybersecurity competence center, which develops, besides the innovative core business focused on communication security, firmware security, MSS, data center security, and decision intelligence & data analytics solutions. Telsy complies with the Golden Power regulation, being a strategic company to the national security and defense. This report was produced by Telsy’s “Cyber Threat **Intelligence” team with the help of its CTI platform,** which allows to analyze and stay updated on adversaries and threats that could impact customers’ business. _©2022 Telsy. All rights reserved. The reproduction and distribution of this_ _material is prohibited without express written permission from Telsy._ **TELSY S.p.A.** Corso Svizzera, 185 - 10149 Torino – ITALIA www.telsy.com email: telsy@telsy.it Telsy Report – BabaDeda and LorecCPL downloaders used to run Outsteel against Ukraine © Telsy 2022 35 -----