A FortiGuard Labs Threat Analysis
FortiGuard Labs recently discovered a fresh malicious campaign being run by the Gamaredon Group possibly targeting Ukrainian law enforcement and government agencies. We decided to provide an analysis of the current campaign, particularly focusing on the tools and methods used by these malicious actors to try to understand their methodologies and what resources are needed to launch these types of attacks.
The Gamaredon Group has been actively launching spear-phishing attacks against Ukrainian government and military departments from the mid-2013s. In one article published in the Kharkiv Observer – an independent Ukranian online publication – an unnamed source stated that even the Ukrainian Presidential Administration has been attacked by malware developed by the Gamaredon Group. In addition, the anonymous cybersecurity experts referenced in the article connected the malicious Gamaredon Group actors with Russian state-sponsored hackers.
The group is very active. In addition to the campaign we will analyze in this report, they are also implicated in the spreading of a new Linux malware – Evil Gnome.
The Gamaredon Group has been active for more than 6 years, and during that time, their Tactics, Techniques, and Procedures (TTPs) have mostly remained the same. They primarily target Ukrainian organizations and resources using spear-phishing attacks, and they use military or similar documents as bait. Once they have found a victim, they then deploy remote manipulation system binaries (RMS) via self-extracting archives and batch command files.
As an example, we decided to analyze one of their latest samples. The following archive caught our attention for exploiting a WinRAR unacev2 module vulnerability and for having interesting content. In this case, it looked like someone was using the military conflict in Ukraine to deliver some sort of malware. A quick search for those patterns gave us the source of the archive – the Gamaredon Group.
The archive contains several decoy files:
All of the text files contain old phone billing information, as well as coordinates, numbers, and addresses. We cannot determine if this information is real or not. Even if it is, this kind of data can be easily found in public domains.
Another file is used as bait is called ssu_zakon.docx. This document is just a note regarding the Security Service of Ukraine (SSU) law.
The archive also contains 2 MS Office documents named correspondingly for the names stated on the decoy image - Pinchuk Andriy Yuryevich 27.12.1997.docx and Havchenko Dmitry Vasilyevich 06.01.1966.docx.
The document names are written in Ukrainian, while the content is written in Russian – and in fact, is just the translated text from the decoy image. The text provides brief information on two persons, listing the address of their registration and information about their military careers.
Checking the metadata of two documents, we observed the following:
The files заява.jpg (statement.jpg) and D3i_GMCWAAAq_8u.jpg are the same. The original source of this picture is a post on a website called Mirotvorets (Peacemaker). The website is known for publishing the personal information of people who are considered to be “enemies of Ukraine.”
The text on the pictures below talks about Crimea, the military conflict, and about two people who are suspected of sponsoring the Presidential election campaign of the current president of Ukraine (Volodymyr Zelensky).
The image date on the image is 7 of April 2019. This is the same day it was published on the Mirotvorets website. But one interesting fact is that WinRAR shows the last modification date as 21.02.2019 22:03:
To understand this time-travel mystery, we decided to check the ACE archive structure.
As you can see on figure 7, the ACE archive contains a date field in MS-DOS format.
If we convert 02/21/2019, 22:03:06 to an MS-DOS timestamp, we get 0x4E55B063. This would be written as 0x63B0554E in little-endian ordering. Checking our archive, we can find the corresponding field:
Now, if we search for it using \x63\xB0\x55\x4E, we find this module for a Metasploit Framework:
Searching further, we observed an earlier Proof of Concept script that was published on the 27th of February, 2019.
The date listed in the archive was pre-defined and inserted by generator scripts. This fact gives us the idea that the attackers are utilizing publicly available scripts to pack their payload. The only real timestamps we can currently trust are the timestamps extracted from MS Office document metadata. Those are 05.04.2019 and 10.04.2019. Besides the date and time information, we also have a very generic username of the file creator: USER.
The exploit drops three files on the file system. Each of them has their own application:
First, the shortcut called “Goggle Chrome.lnk” is placed on the users’ desktop. As you can see in figure 11, the actor misspelled the browser name. This shortcut is intended to be clicked on by the user instead of the proper “Google Chrome” browser. The shortcut has a hardcoded path to the icon, so the proper image will be shown only if the user has the browser installed on their computer.
Next, the same shortcut is placed in the Startup folder at %AppData%\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Goggle Chrome.lnk. This time, the shortcut is placed for persistence purposes. The files in the startup folder will be executed once the user logs into the system. That way, in case the desktop shortcut hasn’t been clicked by the user in the current session, the startup file is the backup for the attacker so it can be executed at the next system reboot or user login.
And finally, the executable file called “win.exe” is placed in the users’ directory at %userprofile%\win.exe.
The file, dropped to the user folder, is a password-protected self-extracting RAR archive. The file has a compilation date of 24.04.2017 18:45:49 (GMT).
Knowing the self-extracting archive compilation date allows us to find the WinRAR software version used by the attacker. When the SFX archive is created, the compilation date is set close to the timestamp of the corresponding version of the WinRAR software used. So, the only version that could give that timestamp is WinRAR 5.50 Beta 1 (x86). Its installer file has its timestamp set to 24.04.2017 18:46:00 (GMT), which is 1 second different from the SFX malware. Trying to create a self-extracting archive with this version, we got the same date as the one stated in the malware.
Additionally, the malicious self-extracting archive contains a fake digital signature of a legitimate Microsoft tool - SysInternals Autoruns. As you can see in the figure below, the signature fails to pass validation:
Moving on, to get the archive password we have to check the shortcut that is linked to it.
Once we have a password, we can check the internals of the win.exe file. As can be seen in figure 15, it contains another executable file called winlog.exe. Besides that, it has an embedded SFX script that is executed when the archive data is extracted:
Let’s unpack this file and analyze its content.
The file is a 7zip SFX archive that tries to look like a mysterious version of Email Microsoft Office Word software. This time, the file is even older than the previous SFX archive. Although the last modification date is set to 10.04.2019 13:55:42 (GMT), the compilation timestamp is 05.03.2016 12:06:17 (GMT). Unfortunately, none of the 7zip software release dates or versions corresponds to this timestamp, so our previous discovery technique did not work in this case.
This self-extracting archive contains two files and a script that is launched at extraction:
RunProgram="hidcon:5493.cmd" (Run batch file with hidden console window after extraction)
GUIMode="2" (No windows are shown)
SelfDelete="1" (Delete the archive after extraction)
To search for any hints of the software used to create this self-extracting archive, we looked into the file with just a text editor. Luckily, there was some information regarding the version and copyright.
This time, searching for the copyright, versions, and script we found a custom tool called Modified 7-Zip SFX module for installers, version 1.6.1 Stable build 3873 was used to create the malicious file. This tool is freely distributed on the Russian-speaking forum oszone. The custom software produces a 7zip SFX archive with exactly the same timestamp as the malicious file.
Next, let’s analyze the files contained in the archive.
The first one is called 5532.cmd, and it is a command prompt (batch) file. The second file is an executable and is called config.exe.
Looking into the batch file, we can see that it was not very obfuscated and therefore easy to read.
The first thing we can see is the configuration information. It has a hardcoded C2 server, filename, and user-agent:
After the configuration variables we found the main routine. First, the malware extracts its proxy information from the registry key. HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings. It then saves the following information:
Next, it gets the name of the computer and generates a unique ID. Once done, it calls the systeminfo utility and saves the whole output to a text file that in our case called ohJlkad.txt:
After that, it waits for 40 seconds using the command:
Once the timer ends, it will check for the internet connection by launching a ping command and sending 14 requests to google.com
Once finished, it kills the task with the filename stated in the configuration (“librelogout.exe”) and deletes the file.
Finally, it calls the config.exe application to provide several arguments:
In case the user is connected to the internet via proxy, it will provide additional arguments to config.exe:
Among the arguments, we see one interesting parameter: versiya = wrar. First, the word Versiya is the Russian Версия or Ukranian Версія, and it means version. As it is set to wrar, we can guess that it refers to the way the payload is being delivered. In this case, the initial file mirotvorec.rar contains an exploit for the WinRAR unacev2 module.
After the config.exe returns, the script launches the main payload hosted on C2. To sum up the script routine, it takes the following actions:
Analyzing the config.exe file, we found out that it is a legit wget version (v 1.11.4) with OpenSSL support compiled for Windows. The file is quite old, as the compilation date goes back to 2009. Apparently, the attackers decided to not reinvent the wheel and simply used an open-source solution for exfiltrating the host data and downloading the main payload.
In addition to analyzing their techniques, we also decided to collect more information about the attackers. Fortunately, the shortcut they made will help us.
The shortcuts used in Windows are small files that simplify our lives by providing a fast way to access files, applications, and URLs. Another fact is that the .lnk shortcuts help simplify the forensic analysis of malicious campaigns by providing the amount of the information hidden from the user.
First, let’s check the “Goggle Chrome.lnk” by opening its properties:
First, we see that the shortcut contains a Russian string Доступ в Интернет in the comment field, which translates to Access to the Internet. This text is shown if one hovers the mouse over the shortcut. The real Google Chrome shortcut will contain this comment and the text will depend on system language settings. So, we can guess that Windows with the Russian language pack has been used for forming the malicious shortcut.
Another artifact left by the attackers is the password they used to unpack win.exe.
The -p is the argument for WinRAR SFX to use a password when unpacking. So the rest of the string – fvthbrfycrbte,k.lrb is the password. If you switch your keyboard layout to Russian and type the password characters, you eventually recover an obscene phrase in Russian: “американскиеу**юдки”, that is translated as “American b**tards”. Is this an Easter egg left by the Gamaredon Group?
Next, let’s move to the shortcut internals. Using the parsers of the .lnk structure, we can extract more information from the file. We decided to use LNK Parser, a tool that can generate very detailed html reports.
As it contains quite a lot of information, we will focus on the most interesting pieces:
We decided to use this information to search for any other samples containing the same MAC address, drive serial number, or any other unique data from the shortcut.
Once the samples were found, we analyzed and extracted other pieces of information that could also help us with attribution. The general behavior of the samples found was mostly the same: SFX archive, batch command file, shortcuts. The only different parts were the bait files and sometimes the batch scripts used by the attackers.
First, we looked at a sample very similar to the one we deeply researched – mirotvorec.rar. The name of the archive is the same as the source of the decoy image shown in figure 4. There were only three main differences we observed: the lack of decoy files (text files and the ssu_zakon.docx), and different icons used for win.exe and winlog.exe. The last one is different. It is user-agent written in the script:
It looks like the criminal actors are still experimenting with the campaign, trying different patterns by changing the bait and slightly modifying the dropper malware.
We also discovered a non-political sample called vpnclient-win-msi-5.0.07.0410-k9.exe. The sample does not use the WinRAR unacev2.dll vulnerability, and indeed contains a legitimate VPN client tool along with a malicious script that is launched in the background. Analyzing the shortcut file used in the sample, we found other interesting information left by the actors.
The sample hash is 5e16a71c7b99cb2780c31af34b268b78525b2b8fed55ff9e7bd4db8b1ba66f90.
Data extracted from the shortcut included:
Here we can see the username of an attacker OS account – Carson. The NetBIOS name, hard drive serial number, and MAC address remained the same.
This sample has a slight difference in the unpacking method. This time, instead of the shortcut, the attackers hid the password inside the batch script.
As in the previous samples, the password is an obscene phrase in Russian written in an English keyboard layout.
Another sample that caught our attention was a .lnk shortcut file called 6228. The hash of the file is: 995e6e0f90c58c82744545bf133b8c4c17decbe851953b0ffe5b21d625cade7d, and some of the extracted data follows:
This time, we observe that the malicious actor changed the VM PC name from user-pc to shaman-pc (written in Russian). The MAC address and drive serial number are the same. Other interesting artefacts include the paths they forgot to clean out. The words VZLOM and SBORKA_SCR are correspondingly translated from Russian as Hacking and SCR Constructor. It means they are using other specialized tools to generate .scr malware. These tools, based on the drive letter F, are possibly stored on a USB flash drive or share folder connected to the VM.
Another trace the group left behind is the new SFX unpacking password – “dst,bntct,zd;jgegbyljcrbtcerb” which is, again, an obscene phrase in Russian written in English keyboard layout.
Besides this, other similar samples were observed:
This sample usesVBA macros to drop a payload. Checking the C2, we can see that it is resolved as 5.252.193[.]204. From another malicious domain that shares the same IP address – wifu[.]site – an additional sample has been retrieved:
Inside the batch script 13446.cmd, which is a bit different from the discussed sample, we found this additional information:
The information extracted from the samples could now be used to search for any other campaigns ran by this group or link any old campaigns to one actor.
After we analyzed the data left inside the samples, we went about summarizing the information we had collected about them to get an idea of who hides behind that group.
On one hand, these malicious actors have been operating since mid-2013, so they more than 6 years of experience.
On the other hand, the traces they left in the malware highlight some basic mistakes.
While analyzing a campaign run by the Gamaredon group, we discovered the tools they used to prepare the attack and found artifacts left behind by the actors that allowed us to perform a large amount of forensic analysis. No doubt, the group has strong Russian ties if we rely on how much of that language is used in the malware.
Summarizing our observations regarding the Gamaredon group, we can say that the tools and methods used are more likely to be associated with political activists rather than with special services. Unfortunately, we do not have enough proofs to be sure about that. Further monitoring of their campaigns could probably show us the real face of Gamaredon.
-= FortiGuard Lion Team =-
5.252.193[.]204 - Malicious
hxxp://lisingrout.ddns[.]net - Malicious
hxxp://bits-tor[.]host - Malicious
hxxp://bits-tor[.]site - Malicious
hxxp://usbqueshions.ddns[.]net - Malicious
hxxp://librework.ddns[.]net - Malicious
hxxp://wifc[.]website - Malicious
hxxp://wifu[.]site - Malicious
04ed2ad4fa67c8abd635d34017c3d04813690a91282a0446c0505b2af97ce48b - W32/PossibleThreat
0a6aae425a5e36f68b5da69157d2df4e7d836933adfd0696c389097ecb4a0fd7 - LNK/Agent.GP!tr 18cd658fac1dd52a75b4eb6558d06dfe5be0e4db7078d72f663c44507449168c - BAT/Pterodo.QW!tr
257f7f67c59ec8f3837c7e4c99b1dc20c5cd0273bd940beef46d5e641393be37 - W32/Pterodo.RN!tr 258ecb059c15178caed309a4861421d9f2436e70fb36fb1bf05e95d8d8d7c7e3 - BAT/Pterodo.SV!tr
3725f82661852d89874a3748302bbf27990d25fc10d28831f1ad35a6c6d3b4bd - LNK/Agent.GP!tr
46638ca3be6cdbd302e84c26bf14bfda6ed0c1353808914b40246c40fdb5b8ed - W32/Generic!tr
5e16a71c7b99cb2780c31af34b268b78525b2b8fed55ff9e7bd4db8b1ba66f90 - W32/Generic!tr
6b5f4aea458fb737e213714b3dda51f31b03ccb53a6a0501ee608c1bfd0cebb7 - BAT/Pterodo.SV!tr
79fd962eb0c256f32786dab4d42cb416f6c1e6766bf0e2dcafdf5ffa2c5e61c1 - VBA/Agent.ATF!tr.dldr
7ba638e8a53e6d1713b8f045c27170ef4a75c88197c57fffe227ca2ab05271e7 - BAT/Agent.GP!tr
842612d1afdf78cb8893018f3aeeec7df9f5f0ab245fe8e6d6b28519d0787937 - BAT/Pterodo.SV!tr
92b474f037796e67cd2f36199a95c9feff46af7e58f4d528567f3f0a857132bf - LNK/Agent.GP!tr
995e6e0f90c58c82744545bf133b8c4c17decbe851953b0ffe5b21d625cade7d - LNK/Agent.GP!tr
a67167f363c2501d6a1436e5f8c12693d7cf9d2f3ca1f71b21c292f041f91c7a - W32/Pterodo.RN!tr
3b50342b6cd96f400fbf7f00098a7dfcc9561037e4aa0bad8cfeafbb6f17923b - Riskware/PasswordProtected
c7bed1150d1b8b3b97454d1e47b6c246fffc471dd03d5a1d094bdf2d807b8e5e - LNK/Agent.GP!tr
d2bbecda830821ed3a00737c67fecb7985d612af58a31a1ee8488ad0409ed23b - LNK/Agent.GP!tr
e1e31702aad4bd7557a05906eb3004e9a72d77aa57e448379bee9a350cbba657 - BAT/Pterodo.SV!tr
ffc438d33f45ea56935f2bb6fca29e71862ecafb8b7e69ea19abd6df2d255075 - BAT/Pterodo.SV!tr
Read about the FortiGuard Security Rating Service, which provides security audits and best practices.