APT Lorec53 group launched a series of cyber attacks against Ukraine

APT Lorec53 group launched a series of cyber attacks against Ukraine

February 21, 2022 | Jie Ji

Overview

Recently, NSFOCUS Security Labs captured a large number of phishing files against Ukraine in format of pdf, doc, cpl, lnk and other types. After analysis, we confirmed that the series of phishing activities came from the APT group Lorec53. During the period from the end of 2021 to February 2022, this group used multiple attack methods to deliver a variety of phishing documents to key state sectors such as the Ministry of Defense, Ministry of Finance, embassies, state-owned enterprises, and public medical facilities of Ukraine to collect personnel information of these organizations.

About Lorec53 Group

Lorec53, active in Eastern Europe, is a new type of APT group first identified and named by NSFOCUS Security Labs. The Ukrainian Computer Emergency Response Center identified this group as UAC-0056 in a recent report (https://cert.gov.ua/article/18419). NSFOCUS Security Labs found that the group’s captureable spy Trojans first appeared in 2020, and began to wage large-scale cyber espionage attacks against Ukraine and Georgia in early 2021.

Lorec53 group exposed lots of Russian-linked characteristics in attack tools, registration information of domain names, asset location, etc., and its attack targets were also closely related to national interests of Russia. The study on Lorec53’s shows there is a likelihood that this group was hired by other high-level espionage organizations to gain revenue by undertaking state-level espionage attacks or selling confidential government documents.

Lorec53 has strong infiltration ability and flexible attack methods, capable of organizing large-scale and frequent phishing attacks and good at harnessing social engineering technologies and network resource management methods learned from other threat actors.

At present, the victims affected by attacks launched by the Lorec53 group include users of the National Bank of Iran, Georgia’s Ministry of Epidemic Prevention and Health, Ukraine’s Ministry of Defense, the Presidential Office, the Ministry of the Interior, and the Border Service.

For more reports related to the group, see Analysis Report on Lorec 53 Group

Event overview

This time Lorec53 launched a long wave of attacks aiming at a wide range of targets. similarity of attack methods allowed us to connect these attacks with this group.

The same as previous methods, Lorec53 used baits such as Ukrainian government documents masked some information, shortcut files with Ukrainian titles and disguised extensions, and cpl files with Ukrainian file names, and masqueraded as a member of a credible organization to send these baits.

Some names of phishing files

In this series of phishing attacks, the attack actors mainly used three domain names, namely 3237.site, stun.site , and eumr.site , as download servers for phishing files. The site domain is one of the commonly used domains of Lorec53 group. As of February 11 , some URLs are still accessible and can deliver payload files, indicating that this round of attacks is still ongoing .

The Lorec53 group directly wrote the collected mailboxes of key Ukrainian facilities into the decoy text in this series of attacks, which was likely to increase the credibility of the bait. Such actions also helped researchers to estimate the attack coverage.

The Lorec53 group still employed known Trojan programs, including LorecDocStealer (also known as OutSteel ), LorecCPL , SaintBot , and packaged these Trojan programs as much as possible.

Event analysis

Attack event (1)

The first phishing attack in this wave was spotted at the end of 2021. The Lorec53 group constructed a large number of phishing documents with ” до рішення Ради національної безпеки і оборони України від 7 вересня 2021 року ” Про внесення зміни до персональних спеціальних економічних та інших обмежувальних заходів (санкцій)” “. The content of these phishing documents refers to a presidential decree adopted by the National Security and Defense Council of Ukraine on September 7, 2021, claiming that special asset restrictions and sanctions will be imposed on specific individuals.

Example of the phishing documents

According to the Ukrainian decree, some State departments such as Security Service of Ukraine and Cabinet of Ministers of Ukraine have the rights to revise this document to add or delete the individuals for economic sanctions. In the amendment on September 7, an economic sanctions object numbered 85 was added.

The phishing file is roughly the same as the content of the attachment in the presidential decree published by the Ukrainian government (https://zakon.rada.gov.ua/laws/show/n0062525-21#Text), but the Lorec53 group made the following changes to the text:

  • Obfuscated specific citizen information using asterisks;

This is Lorec53’s usual behavior when building phishing documents. It attracts readers to enable the editing function of the document, and then run macros in the document;

  • Added email addresses that did not exist in the original text;

The Lorec53 attacker added government email addresses to the original citizen information without fuzzing. After query, the “dmytrotsan@ukr.net ” address in the sample fishing email had nothing to do with the sanctions, but pointed to the the state treasure service of Ukraine in Volyn region. (ГОЛОВНЕ УПРАВЛІННЯ ДЕРЖАВНОЇ КАЗНАЧЕЙСЬКОЇ СЛУЖБИ УКРАЇНИ У ВОЛИНСЬКІЙ ОБЛАСТІ).

The above two changes indicate that the target of this phishing attack is the Ukrainian government, and the email addresses in the phishing email is likely to be the same as the victim’s email addresses. NSFOCUS Security Labs listed these addresses in all captured phishing emails to assess the impact of this Lorec53 phishing attack.

MailCorresponding organization
dmytrotsan@ukr.netThe State Treasury Service of Ukraine in Volyn region
emb_sm@mfa.gov.uaEmbassy Of Ukraine In Belgrade, Serbia
kev_dnipro@post.mil.gov.uaApartment-operational Department of Dnipro
zorkz@mil.gov.uaJoint Operational Headquarters of the Armed Forces of Ukraine
office.skdvs@ks.treasury.gov.uaDepartment of the State Treasury Service of Ukraine in Skadovsk district of Kherson region
sadovska-ii@utg.uaUkrtransgaz Joint Stock Company
ufg.csc@ufg@.com.uaUkrainian Financial Group
pokrovske_tckspdp@post.mil.gov.uaThird Sector Staffing and Social Support Centre, Sinernikivsky District, Dnipropetrovsk Oblast, Ukraine
zmievkazna@ukr.netThe State Treasury Service of Ukraine from the Zmіїvsky district of the Kharkiv region 
kuzmych@naftogaz.comThe Joint Stock Company  Naftogaz of Ukraine
zvernmou@ukr.netSection for Public Appeals Handling and Public Access to Information of the Ministry of Defense of Ukraine
perevod@pivdenny.uaPivdennyi bank
kevzp@post.mil.gov.uaPress and Information Office of the Ukraine’s MoD
i.kozarovska@ukrburgas.com.uaJSC “Ukrgazvydobuvannya” represented by the branch of the Drilling Department “Ukrburgaz”
kanivkamvo@ukr.netDepartment of education of The executive committee of the KANIV city council of cherkasy  region
t.litovko@direkcy.atom.gov.uaVP KB ATOMPRILAD DP NAEK ENERGOATOM
timm93@ukr.netDepartment of the State Treasury Service of Ukraine in Vasylivka district of Zaporizhia region 
office.cherv@lv.treasury.gov.uaDepartment of the State Treasury Service of Ukraine in Chervonohrad, Lviv Region 
kevplt_kes@post.mil.gov.ua 
babich-ka@utg.uaUKRTRANSGAZ Co., LTD
kevplt_zhytlo@post.mil.gov.ua 
corruption@direkcy.atom.gov.uaState-owned enterprises of Ukraine “NNEGC” Energoatom”
emb_jp@mfa.gov.uaEmbassy of Ukraine in Japan
genotdel@odessa.gov.uaOdessa Regional State Administration 
zoya_skl@ukr.netThe State Treasury Service of Ukraine in the Oleksandrivsky district of the Kirovohrad region 
ruslan.marunia@bank.gov.uaNational Bank of Ukraine currency Circulation Department
malyshev.tender@ukroboronprom.comMalyshev factory
emb_pl@mfa.gov.uaEmbassy of Ukraine in Poland
irudksu@i.uaThe Department of the State Treasury Service of Ukraine in Irshava district of Zakarpattia region 
emb_lt@mfa.gov.uaEmbassy of Ukraine in Lithuania
emb_fi@mfa.gov.uaEmbassy of Ukraine in Finland
abashinao@kv.treasury.gov.uaMain Department of the State Treasury Service of Ukraine in Kyiv 
1545@ukc.gov.uaGovernment Contact Center Government Hotline 1545
tetiana.rupcheva@bank.gov.uaDepartment of Monetary Policy and Market Transactions, National Bank of Ukraine 
pr@atom.gov.uaState-owned enterprises of Ukraine “NNEGC” Energoatom”
1201_buhg@dmsu.gov.uaICE of Ukraine in the Dnepropetrovsk region  
kherson_kev@post.mil.gov.uaHousing and Maintenance Department of Kherson
sholyak27@ukr.netThe Statetreasury Service Of Ukraine In Thetranscarpathian Region
office@novator-tm.comState-owned enterprises of Ukraine “Novator”
mps@industrialbank.uaAKB Industrialbank PAT
v.harchenko@mil.gov.ua 
Email addresses and corresponding organizations in phishing emails

The associated information of these email addresses shows that the purpose of Lorec53 in this phishing attack is to explore and collect information, which is the same as the organization’s previous activities.

The malicious macros in these phishing documents will download and run the Trojan at http [ : ] //3237 [ . ] site/test01.exe. Also associated with this domain name are ” Особливі документи СБУ .lnk” (a special. lnk file of Security Service of Ukraine), and Lorec53’s known Trojan program LorecCPL (named “08-2021.cpl”), a direct correlation to the Lorec53 group.

Main logic part of the LorecCPL Trojan

The malicious shortcut file named “Особливі документи СБУ.lnk” was also used by the Lorec53 group in several attacks. Lorec53 put the malicious shortcut file together with other clear files into crafted many compressed files with names including “sadovska-iiutg.ua.zip”, “feukslpost.mil.gov.ua.zip”, “n. lashevychdirekcy.atom.gov.ua.zip” and “feukslpost.mil.gov.ua.zip”, expecting victims run the malicious file while browsing file by file. This decoy method also fits with Lorec53’s historical tactics.

File directory of a crafted compressed package

From the name of the compressed package, it can be seen that the target of this attack is similar to and partially overlapped with the aforementioned phishing document on economic sanctions, which can be speculated to be the same series of attacks. 

Attack event (2)

This is a phishing attack occured between Decemeber 2021 and February 2022.

In early February, Lorec53 produced a series of phishing documents titled ” Повідомлення про вчинення злочину” (Report of Crime), delivered in PDF embedded with vulnerability and DOCX file with malicious macros. The former file displayed “please update” when opened.

Phishing document titled “Повідомлення про вчинення злочину”

Crafting PDF phishing documents is a commonly-used method by the Lorec53 group. It is used to download the Trojan programs https[:]//get.adobe.com.uk.reader.updateadobeacrobatreaderdc.stun[.]site/get.adobe.com.uk.reader/get.adobe.com.uk.reader/get.adobe.com.uk.reader/AdobeAcrobatUpdate.exe. This Trojan is another form the Trojan LorecDocStealer (also known as OutSteel ) and used to steal documents from compromised hosts. The shell wrapping technique used by the Lorec53 group on this Trojan is commonly seen in AgentTesla spyware.

The latter DOCX file  ” Повідомлення про вчинення злочину ( Білоус Олексій Сергійович) .docx” presented images and textual information with distinct decoy characteristics used the by Lorec53 group when it was opened.

DOCX phishing document titled ” Повідомлення про вчинення злочину”

The document is disguised as a document from the investigation department of the Ukrainian National Police, and through a piece of red prompt information and masking images, tricked readers to click the icon ole object in the document and then execute JavaScript to download and run the Trojan horse in the link https[:]//cdn.discordapp[.]com The Trojan in /attachments/932413459872747544/938291977735266344/putty.exe. The Trojan is also a new look of Trojan LorecDocStealer (or OutSteel).

With reference to the aforementioned attack, the unobfuscated email address o.bilous@ukrtransnafta.com in this document is very likely to belong to one of victims. The affiliated company of this mailbox is UkrTransNafta in Ukraine .

In addition, this DOCX phishing document was also spotted and published by the Ukrainian Computer Emergency Response Center (CERT-UA), where CERT-UA referred to the Lorec53 group as the UAC-0056 (https://cert.gov.ua/article/18419).

Association analysis to the domain name stun.site appeared in this attack shows NSFOCUS security researchers that a variety of decoy files released by the Lorec53 group from December 2021. These files include .lnk, .cpl , .rar and other formats, all of which are known decoy forms of the Lorec53 group. The main purpose of such attacks is to obtain the  LorecDocStealer (OutSteel) Trojan from stun.site for further attack activities . 

Attack event (3)

The is an attack linked to the domain name eumr[.]site.

In the early of February, the Lorec53 group constructed a phishing document named ” Роз’яснення ” щодо коректності ведення електронних медичних записів в електронній системі охорони здоров’я, а також впливу прави” (Clarification on the correctness of electronic medical records in the electronic health care system, as well as the impact of law) and sent out in .zip format. As indicated by the name, it’s targeted the Ukrainian medical system, the same target in Lorec53 previous attacks.

The malicious shortcut file in the compressed package is a typical Lorec53 phishing lure, used to download and run the Trojan program located at http[:]// eumr [.]site/up74987340.exe, which is the LorecDocStealer (OutSteel) Trojan.

The latest modified date of this decoy shows on January 31, 2022.

Domain names and C2 server addresses appeared in this attack can be associated with a large number of other malicious programs, all of which are different forms of packages of the LorecDocStealer (OutSteel) Trojan. 

Conclusion

The attacks spotted this time are all part of a large-scale cyberattack campaign carried out by the Lorec53 group between the end of 2021 and February 2022 against Ukrainian government departments, the military, and state-owned enterprises. The main purpose of these attacks are still probing and collecting information, with distinctive TTPs of the Lorec53 groups at each stage.

The phishing lures captured this time show that the Lorec53 group has indeed inherited the group’s mercenary hacking characteristics when operating a national-level cyber attack campaign. The Lorec53 group will batch-produce and regularly adjust the content of the phishing bait, with flexible download server addresses and C2 addresses, to indiscriminately harass and attack the exposed mailboxes of critical facilities of Ukraine. This large-scale attack idea is similar to Lorec53’s early operation idea as an email botnet operator. As the situation in Eastern Europe has changed, the activities of cyber espionage against Ukraine have increased significantly recently. NSFOCUS Security Labs will continue to pay attention to the Lorec53 group and its attack activities.