{"id":19125,"date":"2022-02-21T04:37:48","date_gmt":"2022-02-21T04:37:48","guid":{"rendered":"https:\/\/nsfocusglobal.com\/?p=19125"},"modified":"2026-04-17T18:07:45","modified_gmt":"2026-04-17T18:07:45","slug":"apt-lorec53-group-launched-a-series-of-cyber-attacks-against-ukraine","status":"publish","type":"post","link":"https:\/\/nsfocusglobal.com\/pt-br\/apt-lorec53-group-launched-a-series-of-cyber-attacks-against-ukraine\/","title":{"rendered":"APT Lorec53 group launched a series of cyber attacks against Ukraine"},"content":{"rendered":"\n

Overview<\/h2>\n\n\n\n

Recently, NSFOCUS Security Labs captured a large number of phishing files against Ukraine in format of pdf, doc, cpl, lnk and other types. After analysis, we confirmed that the series of phishing activities came from the APT group Lorec53. During the period from the end of 2021 to February 2022, this group used multiple attack methods to deliver a variety of phishing documents to key state sectors such as the Ministry of Defense, Ministry of Finance, embassies, state-owned enterprises, and public medical facilities of Ukraine to collect personnel information of these organizations.<\/p>\n\n\n\n

About Lorec53 Group<\/h2>\n\n\n\n

Lorec53, active in Eastern Europe, is a new type of APT group first identified and named by NSFOCUS Security Labs. The Ukrainian Computer Emergency Response Center identified this group as UAC-0056 in a recent report (https:\/\/cert.gov.ua\/article\/18419). NSFOCUS Security Labs found that the group’s captureable spy Trojans first appeared in 2020, and began to wage large-scale cyber espionage attacks against Ukraine and Georgia in early 2021.<\/p>\n\n\n\n

Lorec53 group exposed lots of Russian-linked characteristics in attack tools, registration information of domain names, asset location, etc., and its attack targets were also closely related to national interests of Russia. The study on Lorec53’s shows there is a likelihood that this group was hired by other high-level espionage organizations to gain revenue by undertaking state-level espionage attacks or selling confidential government documents.<\/p>\n\n\n\n

Lorec53 has strong infiltration ability and flexible attack methods, capable of organizing large-scale and frequent phishing attacks and good at harnessing social engineering technologies and network resource management methods learned from other threat actors.<\/p>\n\n\n\n

At present, the victims affected by attacks launched by the Lorec53 group include users of the National Bank of Iran, Georgia’s Ministry of Epidemic Prevention and Health, Ukraine’s Ministry of Defense, the Presidential Office, the Ministry of the Interior, and the Border Service.<\/p>\n\n\n\n

For more reports related to the group, see Analysis Report on Lorec 53 Group<\/a><\/p>\n\n\n\n

Event overview<\/h2>\n\n\n\n

This time Lorec53 launched a long wave of attacks aiming at a wide range of targets. similarity of attack methods allowed us to connect these attacks with this group.<\/p>\n\n\n\n

The same as previous methods, Lorec53 used baits such as Ukrainian government documents masked some information, shortcut files with Ukrainian titles and disguised extensions, and cpl files with Ukrainian file names, and masqueraded as a member of a credible organization to send these baits.<\/p>\n\n\n\n

\"Red<\/a>
Some names of phishing files<\/figcaption><\/figure>\n\n\n\n

In this series of phishing attacks, the attack actors mainly used three domain names, namely 3237.site, stun.site , and eumr.site , as download servers for phishing files. The site domain is one of the commonly used domains of Lorec53 group. As of February 11 , some URLs are still accessible and can deliver payload files, indicating that this round of attacks is still ongoing .<\/p>\n\n\n\n

The Lorec53 group directly wrote the collected mailboxes of key Ukrainian facilities into the decoy text in this series of attacks, which was likely to increase the credibility of the bait. Such actions also helped researchers to estimate the attack coverage.<\/p>\n\n\n\n

The Lorec53 group still employed known Trojan programs, including LorecDocStealer (also known as OutSteel ), LorecCPL , SaintBot , and packaged these Trojan programs as much as possible.<\/p>\n\n\n\n

Event analysis<\/h2>\n\n\n\n

Attack event<\/strong> (1)<\/strong><\/p>\n\n\n\n

The first phishing attack in this wave was spotted at the end of 2021. The Lorec53 group constructed a large number of phishing documents with ” до Ñ€Ñ–ÑˆÐµÐ½Ð½Ñ Ð Ð°Ð´Ð¸ національної безпеки Ñ– оборони України від 7 вереÑÐ½Ñ 2021 року ” Про внеÑÐµÐ½Ð½Ñ Ð·Ð¼Ñ–Ð½Ð¸ до перÑональних Ñпеціальних економічних та інших обмежувальних заходів (Ñанкцій)” “. The content of these phishing documents refers to a presidential decree adopted by the National Security and Defense Council of Ukraine on September 7, 2021, claiming that special asset restrictions and sanctions will be imposed on specific individuals.<\/p>\n\n\n\n

\"Red<\/a>
Example of the phishing documents<\/figcaption><\/figure><\/div>\n\n\n\n

According to the Ukrainian decree, some State departments such as Security Service of Ukraine and Cabinet of Ministers of Ukraine have the rights to revise this document to add or delete the individuals for economic sanctions. In the amendment on September 7, an economic sanctions object numbered 85 was added.<\/p>\n\n\n\n

The phishing file is roughly the same as the content of the attachment in the presidential decree published by the Ukrainian government (https:\/\/zakon.rada.gov.ua\/laws\/show\/n0062525-21#Text), but the Lorec53 group made the following changes to the text:<\/p>\n\n\n\n