At a glance.
- New malware used to disrupt Ukrainian services.
- Spearphishing Ukrainian organizations.
- Sophisticated malware tied to China.
- Cuba Ransomware gains access via vulnerabilities.
New malware used to disrupt Ukrainian services.
Researchers at Microsoft identified a new malware strain being used in destructive attacks against Ukrainian services. The malware was deployed hours before Russia invaded Ukraine last week:
"Several hours before the launch of missiles or movement of tanks on February 24, Microsoft’s Threat Intelligence Center (MSTIC) detected a new round of offensive and destructive cyberattacks directed against Ukraine’s digital infrastructure. We immediately advised the Ukrainian government about the situation, including our identification of the use of a new malware package (which we denominated FoxBlade), and provided technical advice on steps to prevent the malware’s success.... These recent and ongoing cyberattacks have been precisely targeted, and we have not seen the use of the indiscriminate malware technology that spread across Ukraine’s economy and beyond its borders in the 2017 NotPetya attack. But we remain especially concerned about recent cyberattacks on Ukrainian civilian digital targets, including the financial sector, agriculture sector, emergency response services, humanitarian aid efforts, and energy sector organizations and enterprises."
Spearphishing Ukrainian organizations.
Palo Alto Networks' Unit 42 spotted a spearphishing attack against an energy organization in Ukraine. The attackers used a Word document that purported to come from the National Police of Ukraine in an attempt to trick the victim into installing malware. The researchers believe the "threat group’s primary goal is to steal sensitive information for the purpose of situational awareness and leverage in dealing with Ukraine":
"On Feb. 1, 2022, Unit 42 observed an attack targeting an energy organization in Ukraine. CERT-UA publicly attributed the attack to a threat group they track as UAC-0056. The targeted attack involved a spear phishing email sent to an employee of the organization, which used a social engineering theme that suggested the individual had committed a crime. The email had a Word document attached that contained a malicious JavaScript file that would download and install a payload known as SaintBot (a downloader) and OutSteel (a document stealer). Unit 42 discovered that this attack was just one example of a larger campaign dating back to at least March 2021, when Unit 42 saw the threat group target a Western government entity in Ukraine, as well as several Ukrainian government organizations."
Sophisticated malware tied to China.
Researchers at Symantec describe a "highly sophisticated" strain of malware dubbed "Daxin" that's being used by China-linked threat actors to conduct cyberespionage:
"There is strong evidence to suggest the malware, Backdoor.Daxin, which allows the attacker to perform various communications and data-gathering operations on the infected computer, has been used as recently as November 2021 by attackers linked to China. Most of the targets appear to be organizations and governments of strategic interest to China. In addition, other tools associated with Chinese espionage actors were found on some of the same computers where Daxin was deployed.
"Daxin is without doubt the most advanced piece of malware Symantec researchers have seen used by a China-linked actor. Considering its capabilities and the nature of its deployed attacks, Daxin appears to be optimized for use against hardened targets, allowing the attackers to burrow deep into a target’s network and exfiltrate data without raising suspicions."
Cuba Ransomware gains access via vulnerabilities.
Mandiant is tracking a threat actor that's exploiting various vulnerabilities to deploy Cuba Ransomware (which Mandiant tracks as COLDDRAW). The threat actor has targeted "utilities providers, government agencies, and organizations that support non-profits and healthcare entities," most of which were located in the United States and Canada.
"UNC2596 is currently the only threat actor tracked by Mandiant that uses COLDDRAW ransomware, which may suggest it’s exclusively used by the group. During intrusions, these threat actors have used webshells to load the TERMITE in-memory dropper with subsequent activity involving multiple backdoors and built-in Windows utilities. Beyond commonplace tools, like Cobalt Strike BEACON and NetSupport, UNC2596 has used novel malware, including BURNTCIGAR to disable endpoint protection, WEDGECUT to enumerate active hosts, and the BUGHATCH custom downloader. In incidents where COLDDRAW was deployed, UNC2596 used a multi-faceted extortion model where data is stolen and leaked on the group's shaming website, in addition to encryption using COLDDRAW ransomware. COLDDRAW operations have impacted dozens of organizations across more than ten countries, including those within critical infrastructure."