Recently, NSFOCUS Security Labs captured a phishing document titled “ПАРТНЕРИ КУЛЬТУРНОЇ ДИПЛОМАТІЇ МЗС УКРАЇНИ” (Cultural Diplomacy Partners of the Ukrainian Ministry of Foreign Affairs) and confirmed that the document was produced by Gamaredon, a Russia-based advanced persistent threat group.
The phishing document carries highly credible bait content and protects its payload with a key derived from information about the victim's machine, which is consistent with this threat actor's known behavior.
Since 2021, relations between Russia and Ukraine have steadily deteriorated. Both sides have deployed large numbers of military personnel and equipment in the border areas between the two countries. In late January, the US Secretary of State stated in talks with several European countries that if Russia carried out military aggression against Ukraine, there would be serious consequences.
In order to prepare for a possible Russian-Ukrainian war, Russian intelligence services have carried out long-term intelligence-gathering work. The Russian cyber groups, represented by Gamaredon, completely abandoned the principle of concealment of intelligence work, and launched persistent spear phishing attacks on Ukrainian governmental and military organizations. The purpose of these attacks was to collect information from the targets’ staff and documents.
Process Analysis
The phishing document captured by NSFOCUS Security Labs is disguised as reference material from a government organization: an address list of cultural diplomacy partners of the Ministry of Foreign Affairs of Ukraine in the fields of information and politics, art, music, film, theatre and so on.
Based on the content of this document, which is likely part of the information Gamaredon collected in earlier operations, it is inferred that the targets are staff of the Ukrainian Ministry of Foreign Affairs. The document carries out the attack through an embedded malicious macro. The macro drops two VBS files, one into the system Startup directory and one into the Themes directory, so that the script runs automatically at logon and continues the attack chain.
The script named Themes.vbs sends the computer name and the system disk serial number to a fixed URL, then takes the subsequent Trojan payload from the URL's response. It is worth noting that this payload is XOR-encrypted, and the XOR key is the disk serial number that Themes.vbs sent. Protecting a payload with host information in this way is commonly seen in APT activities by groups such as Gamaredon and OceanLotus: the payload only decrypts correctly on the intended host, so a sandbox or an analyst's machine with a different serial number receives unusable data.
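The following is an added example, not code from NSFOCUS or from the Gamaredon sample, showing how an analyst would recover such a payload from a captured C2 response once the victim's disk serial number is known from the beacon request, and why detonation on a host with a different serial yields only noise. Repeating-key XOR over the ASCII bytes of the serial is an assumption about the key schedule; the serials and the plaintext are constructed.

```python
# Added example: models payload protection keyed on the victim's disk serial.
# Assumption: repeating-key XOR with the ASCII bytes of the serial string.
# The serials and the payload below are constructed sample data.


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Apply repeating-key XOR (symmetric: the same call encrypts and decrypts)."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decrypt_payload(blob: bytes, serial: str) -> bytes:
    """Recover the staged payload from a captured C2 response, given the disk
    serial the VBS script sent in its request (e.g. taken from a proxy log)."""
    return xor_with_key(blob, serial.encode("ascii"))


# Headers a correctly decrypted stage would plausibly begin with.
KNOWN_MAGIC = (b"MZ", b"<script", b"On Error", b"Set ")


def looks_decrypted(data: bytes) -> bool:
    """Plausibility check: the right serial yields a recognisable header, a
    wrong one (a sandbox instead of the victim) yields what looks like noise."""
    return any(data.startswith(m) for m in KNOWN_MAGIC)


# Constructed sample: the response a server would return to a host that
# reported VICTIM_SERIAL. The plaintext is a harmless VBScript stub.
VICTIM_SERIAL = "1A2B3C4D"
SANDBOX_SERIAL = "DEADBEEF"
PLAINTEXT = b"On Error Resume Next\r\nWScript.Echo \"stage2\"\r\n"
CAPTURED_BLOB = xor_with_key(PLAINTEXT, VICTIM_SERIAL.encode("ascii"))

if __name__ == "__main__":
    for serial in (VICTIM_SERIAL, SANDBOX_SERIAL):
        out = decrypt_payload(CAPTURED_BLOB, serial)
        print(serial, "->", "plausible" if looks_decrypted(out) else "garbage")
```

The practical consequence for detection is that the serial number in the outbound request is the key material: capturing that request (or the value from the victim host) is what makes the downloaded blob analysable.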
The command-and-control domain used by the VBS files was flagged by ESET as Gamaredon infrastructure in 2020. Whois records show that the domain was mainly in use from 2020 to 2021. That this phishing document dates from Gamaredon's earlier activity shows that the group had already accumulated a large number of Ukrainian government documents at that time.