# Targeted attack against the Ukrainian military **[nioguard.blogspot.de/2017/05/targeted-attack-against-ukrainian.html](https://nioguard.blogspot.de/2017/05/targeted-attack-against-ukrainian.html)** One more targeted attack against Ukraine that used spear phishing to deliver the DarkTrack backdoor through a fake prescription of the Minister of Defense of Ukraine. The target is CERT in the military domain. The letter forces a receiver to download the prescription by the link until April 13, 2017. The domain 'fex net' in the link has been actively used to distribute malware: ----- The downloaded file 'розпорядження Полторак.docx.exe' is an obfuscated .NET application [(MD5: 01fb11b245a6a2525da77aebd2879dcf). It copies itself as:](https://www.virustotal.com/ru/file/e9c9c84aa83e908c0e978c5c8f9a03c665fc559ee6b9d511c911ac9abc61326c/analysis/) c:\Documents and Settings\\Templates\winlogon.exe And drops the clean Word document: c:\Documents and Settings\\Local Settings\Temp\Docum.doc (MD5: b77f006667dd0a68de9c8ea30f2c80fe) First, it executes 'C:\WINDOWS\system32\svchost.exe' and injects the Darktrack in the 'svchost.exe' process. Then, it opens clean 'Docum.doc' to take a user's attention away. The following message is shown on execution: Then, it opens the embedded document: ----- The malicious process injects the backdoor's code into the system 'svchost.exe': ----- The backdoor is the Darktrack remote administration tool. ----- The client connects to the C&C's 1515 port. ----- The Darktrack client uses the proxy service 'hopto.org' to connect to the attacker's C&C. gordon6.hopto.org has been resolved to the following IPs: 95.46.151.68 62.76.106.236 92.38.37.15 All of the IPs are located at one place in Russia. ----- **Network IoCs:** gordon6.hopto.org fex.net 95.46.151.68 62.76.106.236 92.38.37.15 -----