Starting in early 2019, Ukrainian government entities have been targeted by a spear-phishing campaign that appears to be a cyber espionage campaign emanating from the Luhansk People’s Republic (LPR).
LPR is a proto-state. It is a region in eastern Ukraine that declared independence following the 2014 Ukrainian revolution. It is not recognized as a sovereign state by any member country of the UN. The Ukrainian government describes LPR as a ‘temporarily occupied territory’, and its government as an ‘occupying administration of the Russian Federation’.
FireEye has discovered a new spear-phishing campaign that it believes is a continuation of ongoing activity probably coming from LPR and aimed against the Ukrainian government. It believes that such activity dates to 2014.
In January 2018, Palo Alto Networks (PAN) discussed “a modestly sized campaign going back to late 2015 using both Quasar RAT and RAT VERMIN.” While PAN provides no attribution and doesn’t mention LPR, this is almost certainly the ‘ongoing activity’ described by FireEye. In March 2018, ESET published a report analyzing both Quasar and Vermin malware and campaigns. Now, however, says FireEye, the attackers have improved their sophistication by leveraging both custom and open-source malware, and using malicious LNK files.
QUASAR is an open-source RAT freely available on GitHub. VERMIN is a custom-made full-featured backdoor not used by any other threat actor. The latter first appeared in 2016. Most of its capabilities are implemented in the primary payload, but additional functionality — such as an audio recorder, a keylogger, a password stealer and a USB file stealer — can be downloaded to the victim machine.
A spear-phishing sample email found by FireEye and dated 22 January 2019 pretends to be from Armtrac, a UK defense manufacturer. It expresses an interest in discussing “joint opportunities in demining activities… ammunition recycling, participation in tenders with further technology transfer…” The Armtrac address, website and email contacts in the email are all correct.
Three attachments are provided with the email. Two are genuine and benign PDF files taken from the Armtrac website. The third, however, is a malicious LNK file that executes a PowerShell script. The script attempts to connect to ‘http://sinoptik[.]website/EuczSc’ which resolves to IP address 188.8.131.52. This server was not available during FireEye’s analysis.
However, note the researchers, “Domains previously connected to RATVERMIN (aka VERMIN) and QUASARRAT (aka QUASAR) also resolved to IP ‘184.108.40.206’.” FireEye has not seen the malware used by any other threat actor.
FireEye’s infrastructure analysis also points to an LPR source, and in particular to the persona ‘re2a1er1 @ yandex.ru’. One of the domains registered from this email address is the official website of the Ministry of State Security of the LPR.
All these indicators — type of malware, target, and infrastructure — lead FireEye to conclude that this is the latest iteration of an ongoing cyber espionage campaign by unnamed LPR actors against the Ukrainian government. “While more evidence is needed for definitive attribution,” it reports, “this activity showcases the accessibility of competent cyber espionage capabilities, even to sub-state actors.”
The actors themselves are described as being highly aggressive and proactive. ESET pointed out the extent to which the malware is focused on Ukrainian targets. It checks for Russian or Ukrainian keyboard layouts and terminates if not. It checks the victim’s IP address, and if not in Russia or Ukraine, it terminates. It will not run under accounts typical of automated analysis systems.
FireEye gives an example. When the RATVERMIN operators realized the malware was running on an unintended victim, they immediately executed the Hidden Tear ransomware. This was killed by the analysts before it could take effect. The malware operators then started deleting the analysis tools.
The analysts reset the machine and allowed the malware to execute again; but this time with an open text file asking the attackers why they sent the ransomware. The attackers responded with a message “C&C to Victim”, ending “Mad?”
Although currently entirely focused against Ukraine, FireEye points out and warns, “nascent threats to Ukraine have previously become international concerns and bear monitoring.”