New RURansom Wiper Targets Russia
In recent days a new wiper targeting Russia, RURansom, is initially identified by the researchers of MalwareHunterTeam. The wiper’s developers named it RURansom. However, in contrast to the name, the malware is categorized as a wiper because encrypted files cannot be decrypted and permanently corrupt the encrypted files. Researchers at Cyble have done a deep-dive analysis of the RuRansom wiper and created a blog.
The malware is a .NET based binary and masquerades as Россия-Украина_Война-Обновление.doc.exe which means Russia-Ukraine_War-Update.doc.exe in English. The wiper encrypts all the files in the infected machine and deletes files with extension .bak. The files encrypted with randomly generated keys with length equal to base64 (“FullScaleCyberInvasion + ” + MachineName). The wiper developer is using the AES-CBC algorithm to encrypt the files.
While encrypting the files, the wiper drops ransom notes, as shown in Figure 1.
UAC-0051 group (unc1151) attacked state organizations of Ukraine using MicroBackdoor malware
The government of the Computer Emergency Response Team (CERT-UA) of Ukraine has shared an advisory about the recent attack on Ukrainian organizations. The Ukrainian government attributes this attack to Belarus-linked Advanced Persistent Threat (APT) group.
In the advisory, CERT-UA has identified a compressed file, namely dovidka.zip, containing a .chm file, a contextual help (Microsoft Compiled HTML Help) file. This .chm file further includes an image file and an html file with an embedded malicious VBScript. Additionally, the malicious VBScript drops another VBScript, namely ignit.vbs into the system.
This ignit.vbs drop three files, namely Windows Prefetch.lNk, desktop.ini, and core.dll. Windows Prefetch.lNk launches desktop.ini using wscript.exe, and desktop.ini then loads core.dll, a malicious .NET loader, using regasm.exe.
Finally, the loader decodes and executes the MicroBackdoor malware. Figure 2 below shows the contents of the .chm file.
Scammers Using War in Ukraine for Trying to Exploit People for Donations
Scammers often exploit humanitarian crises for extorting money. War in Ukraine is an opportunity for scammers. As people are trying to support the victims of the War on humanitarian grounds, scammers are creating fake websites to exploit people’s emotions.
Various websites are posting emotional appeals to the visitors for donating money for helping humanitarian and defense efforts in Ukraine. Figure 3 shows one such website shared by researcher @fr0s7_.
Emails with Indian names are used for Targeting Ukraine in malspam campaign
An advisory shared by the CERT-UA has mentioned in a Facebook post list of emails targeting Ukrainian targets. Figure 4 below shows the emails used for the campaign.
Other Important Trends
Apart from above mentioned cyber incidents, other threats are also highly active in cyberspace. These threats are mentioned as follows:
AgentTesla
There is a surge in spam activities, utilizing the war in Ukraine as a lure to target victims. AgentTesla is a notorious .NET-based RAT, operating since 2014. The AgentTesla uses a theme of the Russia/Ukraine conflict and spreading the email with the subject URGENT MEETING FOR ANNUAL FINANCIAL REPORTS REGARDING THE WAR IN UKRAINE. This email contains a compressed file, namely Company Financial Meeting.rar, which further includes AgentTesla payload product catalogue.exe. Figure 5 shows the screenshot of the email.
FormBook
FormBook uses the War in Ukraine to conduct the malspam campaign for mass compromise of Ukrainian targets. This email is written in the Ukrainian language pretending to inform the victims that the federal government is providing funds to citizens with subject лист схвалення касового забезпечення which in English translates to a letter of approval of cash security. In addition, the email has malicious macro attached лист підтримки.xlsx, which translates to support letter.xlsx. This malicious excel then drops the FormBook executable. Figure 6 shows the malspam email.
Subject: letter of approval of cash security
Body:
Dear citizens, we inform you that you are not alone in this difficult time, we in the authorities are doing everything possible to protect our citizens,
All citizens receive support from the federal government in the amount of 15,000 ₴, we want to say that you must protect each other, this is a difficult time for all, together with God we will fight this difficult time
Your letter of approval is attached
Sincerely.
Attachment: support letter.xlsx
QuasarRAT
Unknown threat actors are dropping QuasarRAT using the Ukraine and Russia conflict. In his recent Twitter post, researcher Jazihas identified one zip file, namely Ukraine Report_FINAL.zip containing pdf report Ukraine Report_FINAL.pdf and one malicious QuasarRAT executable Ukraine Report_FINAL.pdf.exe. Figure 7 shows the pdf file.
Conclusion
Russia-Ukraine conflict is being exploited by government state actors and cybercriminals, running mass compromise. States-sponsored threat actors are targeting both government and individuals with phishing emails as well as malware. We will see more such attacks on the same themes in the future. In most attacks, malicious macro-embedded XLS files are used with phishing emails.
Our researchers are continuously gathering more information on the latest cyberattacks, and we will keep updating this space as and when we have more information.
Indicators of Compromise (IoCs)
| Indicators | Indicator type | Description |
| 6cb4e946c2271d28a4dee167f274bb80 0bea48fcf825a50f6bf05976ecbb66ac1c3daa6b 979f9d1e019d9172af73428a1b3cbdff8aec8fdbe0f67cba48971a36f5001da9 | MD5 SHA1 SHA256 | RURansom.exe |
| fe43de9ab92ac5f6f7016ba105c1cb4e 27a16e1367fd3e943a56d564add967ad4da879d8 8f2ea18ed82085574888a03547a020b7009e05ae0ecbf4e9e0b8fe8502059aae | MD5 SHA1 SHA256 | RURansom.exe |
| 9c3316a9ff084ed4d0d072df5935f52d c6ef59aa3f0cd1bb727e2464bb728ab79342ad32 696b6b9f43e53387f7cef14c5da9b6c02b6bf4095849885d36479f8996e7e473 | MD5 SHA1 SHA256 | RURansom.exe |
| 191e51cd0ca14edb8f06c32dcba242f0 fbeb9eb14a68943551b0bf95f20de207d2c761f6 610ec163e7b34abd5587616db8dac7e34b1aef68d0260510854d6b3912fb0008 | MD5 SHA1 SHA256 | dnWIPE.exe |
| 01ae141dd0fb97e69e6ea7d6bf22ab32 c35ab665f631c483e6ec315fda0c01ba4558c8f2 1f36898228197ee30c7b0ec0e48e804caa6edec33e3a91eeaf7aa2c5bbb9c6e0 | MD5 SHA1 SHA256 | RURansom.exe |
| 8fe6f25fc7e8c0caab2fdca8b9a3be89 a30bf5d046b6255fa2c4b029abbcf734824a7f15 107da216ad99b7c0171745fe7f826e51b27b1812d435b55c3ddb801e23137d8f | MD5 SHA1 SHA256 | RURansom.exe |
| e34d6387d3ab063b0d926ac1fca8c4c4 11f8ff086184c60b8d4e7d15ea458014cbbd349d b63a80660f94353112ba7071ea16ebbeb9de7cc14c278d1c4dee40bc231cb49c | MD5 SHA1 SHA256 | CERT-UA reference.zip |
| 2556a9e1d5e9874171f51620e5c5e09a affc2b19d9fb8080a7211c3ed0718f2c3d3887df 7f0511b09b1ab3a64c8827dd8af017acbf7d2688db31a5d98fea8a5029a89d56 | MD5 SHA1 SHA256 | CERT-UA dovidka.chm |
| bc6932a0479045b2e60896567a37a36c 723129e2095236b4ace69cddc43c2c068a1208be 998b2d7d12aafe1aa99c17224cf157704b67853a58a0a6a00de776f2a2907b4a | MD5 SHA1 SHA256 | CERT-UA file.htm |
| bd65d0d59f6127b28f0af8a7f2619588 e6a4cb6bbca72eb659c5f03cde178712d5e9415c 92f69de0d45ad88654a6eef720a6f6b6db090afb67ba0eba5f9b77f504ea6280 | MD5 SHA1 SHA256 | CERT-UA ignit.vbs |
| fb418bb5bd3e592651d0a4f9ae668962 679e8f21c473a0551ff828e164a7ae3e26ca9d2a c76fb28b6910bb0714fab5b84363ebf2082fd59ddb0bb95166635583554d7ab4 | MD5 SHA1 SHA256 | CERT-UA Windows Prefetch.lNk |
| d2a795af12e937eb8a89d470a96f15a5 491214cc496f4a358856801d0381eb4926c07c59 e97f1d6ec1aa3f7c7973d57074d1d623833f0e9b1c1e53f81af92c057a1fdd72 | MD5 SHA1 SHA256 | CERT-UA core.dll (.NET-лоадер) |
| a9dcaf1c709f96bc125c8d1262bac4b6 | MD5 | CERT-UA desktop.ini |
| 65237e705e842da0a891c222e57fe095 | MD5 | CERT-UA microbackdoor.dll (MicroBackdoor) |
| fe43de9ab92ac5f6f7016ba105c1cb4e 27a16e1367fd3e943a56d564add967ad4da879d8 8f2ea18ed82085574888a03547a020b7009e05ae0ecbf4e9e0b8fe8502059aae | MD5 SHA1 SHA256 | RuRansom |
| gov-ua[.]net | Domain | Donation Scam |
| 584b3ed25c9a93a5582567357d513b8c db8e6c1b4730c2423f56808e3607a59bc7b49830 f367e39df6a218f5caaf4228dbea7a09111fbb95de48ec7bbfe31c8b8c8f970b | MD5 SHA1 SHA256 | RuRAT VuxnerChat.exe |
| 68dfcd6c336f7a20a8060b19fba07178 8effdb324ab667506604e217ab52ac11eb59c1da 2451544cf95302ca20dabd7e84a1c3d6e152e330db6576f5f43fbc711839959f | MD5 SHA1 SHA256 | RuRAT PerfService.lnk |
| 81e2830297b250268d3e9aeeda36570d ab8e8fb4ec19bf61018de8bc49c45597c07cb594 1770ab5e8bb82ea84e2c396086c5022841b6df16a8fd3cfd1fc042595a0c5ec9 | MD5 SHA1 SHA256 | RuRAT PerfStatus.bat |
| 5c1f7feae3e1d5143cf84e5cde9e9ee5 bbe74af89297d211af42ed154d4a549160dd1cd5 f86d674af9284ceb7d7ea6bd536bfd1bc66ea1cc2c0100f478702ddc99f300e9 | MD5 SHA1 SHA256 | RuRAT clickbutton.exe |
| 481c49351cfec4d0b70f28365b3cb2ad 94f3b050dd671400b5d5a38b17053f8821726532 8680c6a09b6fa30e43376828b3aaa1eb587a01ad9598065c5ebeea8148314cb7 | MD5 SHA1 SHA256 | RuRAT csettings.bat |
| 302539ac546a2b92f284012f8e00c2f4 55156d4badd82e63217dc1c4b39e70e628da4a45 0c15634eb43b0cbc51923a9e7ed68f1dc9639df3c53184a4c73066d0b292a23e | MD5 SHA1 SHA256 | RuRAT sanisinst.exe |
| f580dd7d29c0c4902bb81a7b4911e06e b99bfa8e56289040d0c2ad2d3afd7c2e7b372b45 1fd3626fe318806c41fe519fcedafdad884891a710ddd4328422375e3f3e4939 | MD5 SHA1 SHA256 | RuRAT set.bat |
| ec64d3d5d430772405071c3b6404b881 374a7c112bbb0ba725360207e213889b26872c10 963d0d5f86bdb7c95d169cadad792963e184d8c0a204a6eecc2f261c2ee408ca | MD5 SHA1 SHA256 | RuRAT suf_launch.exe |
| 8b1df5a245d627960ea4a745dfc71a32 9289373d45082d79e2457a860a4168f8c019a48d 3ba475a89a75afca5641f8091beed815755ef19ea28f71114a980eb545dcfd56 | MD5 SHA1 SHA256 | RuRAT tr.bat |
| 192.119.14[.]178 | IPV4 | RuRAT |
| 86.104.15[.]123 | IPV4 | RuRAT |
| vuxner[.]com | Domain | RuRAT |
| 3c2b39c5623591302c837c6b4749c7ab 577a4a12ee2becd2f961b2d0c83dfabf9ed99295 dc6d7cec32d08a230989985edb4f88461faab2a32fe3c1132656eb3ad747d20e | MD5 SHA1 SHA256 | AgentTesla |
| b05891bf3922e9cc321b5f238a622fd0 baf9a2dacb212f6cd9d83c3926d82fdb84670108 14a7610391a5c73d304a450d952975685353d5a18980e93d2ee33852afed984b | MD5 SHA1 SHA256 | AgentTesla |
| b2512314715762e0708b708a9f613b36 6fc74592ff34e36d862cfc82c7bd25e0b65b6139 87c25840f6213eccd898e8f107a604d3997308a5ad4f6437056a49800e030205 | MD5 SHA1 SHA256 | AgentTesla |
| 3be7150f3a9933ddc41e9b6d922f6c76 98f88bb4f30887d177df4fc763439174927737fd 0ff68c7565a2fc522c636409fce915339f899dcc3366f8f268f9a10a891131d5 | MD5 SHA1 SHA256 | AgentTesla |
| 738ef181693b359e7d08414532ca9d64 d790c821f13f9dce45f79a951c901f924eaefba5 e21e822f825fdbe8799297bdea5a7c5e1996762d0c29986376ef4e06ecc07d47 | MD5 SHA1 SHA256 | AgentTesla |
| e84a8c4d125e75b86a88dd454e4541d1 1abc9fe75c687a92bcc3129e04e1977cb7094764 09545369a3404723b5fa276fb92433e8240583e8397626b77047414755524f7b | MD5 SHA1 SHA256 | AgentTesla |
| fda3b560e19586cd712088958f1a0a88 930e8a160884b0705eabcf58b621e452515e5142 9daa74d08e9bd7c2637d15614f6d48cdbef10f0725a72d2778dc19ac26b88e31 | MD5 SHA1 SHA256 | AgentTesla |
| a3818e57d53c1912235ff096bd497c93 83fcc9b0ba32b18f53d5e6e8d055b3869adfec4d 6c31b05513988d26bffa02fa7b50821247552c9f138a933fbc6dbc3b2e23c8d2 | MD5 SHA1 SHA256 | AgentTesla |
| 7e9ac7efd23b8010035a7d1c4dc852ad bf1ae5890e10ed5c922748a173d80d3265264e86 0243602b6c6c1f42c3a67e5576df5634c241f0a1bb147d8cdc041d0ee4018c89 | MD5 SHA1 SHA256 | AgentTesla |
| 132d60e53a3f61499fbab41458337ade 2d178f91b3207e62f4dcdd60f487de5309209a6f 5e8c4a9e341dbabbce046d56cb9f750d57f018085609329221fc8af38b5fed54 | MD5 SHA1 SHA256 | AgentTesla |
| 28d00144ca945a160a5fb6c796a9c32c b8c9b2bc8523cf58e090f0b1609b67d8ccaf4e08 d813704a41efc0593ff96efd845522e362c898b0628138b77377f48fe73b89b1 | MD5 SHA1 SHA256 | FormBook |
| 00c8cb7d7b45c951a45b0852ddb3ff41 ebb73bc554f6d67b4f23492462fc35e49387ec67 0174bfe02866a6703f7871e3c1e3e93a4fe420d3e07ebe4239a5d05fd0c1de36 | MD5 SHA1 SHA256 | FormBook |
| 2fe412705a108f6188d2c27718cfd746 86014c689b308002781c1bcfd196785dadf4c886 65a68673d843ae668133928cce7f006e5f09fa52f26f844cf0cba8171a895878 | MD5 SHA1 SHA256 | FormBook |
| 7e9d74d95d5cc07156c999b241c9c899 26d2147fe0df68c115898d3989ca1f19e0d7d075 4576decdd7dcc696886756794b933c05c688a13456ec31919d0bfac3ca3a6302 | MD5 SHA1 SHA256 | FormBook |
| f6ebb5329384e29584180b13639a1a58 97bf47feb002ca0cfd9636384c9e71733de86480 69d816f6ac282605e70e8ac1078de58f6884dcc62a869b5a9f58450dee7263bc | MD5 SHA1 SHA256 | FormBook |
| 1d49e25b2e01d171c4b474a102906657 b8acaa60d4c00dbcac7d36c97ec6d3dd6d62c214 f900544a7e57ca8bcf2a305a72a070a0254ee174ed2f5deaa981dd114a6e8528 | MD5 SHA1 SHA256 | FormBook |
| 9cabc06c47b82704fd1b7f2bc179a3a8 83fe695a745fe1a0f81cf1ec71cde74a9d4b424d cb1b1d99cbf6d7bb1a30ec1c7ee31c36b8e19230751046688ad1a14b2fec4758 | MD5 SHA1 SHA256 | FormBook |
| 6cbcba435153e29981f263698dae8331 6755ad827614b5b63ea7bbbc88c834df898b1b4a bc7cf974c3cfb35a9e7f4abff78a9c68ae6a9ecb2eb78725adfd3ef6db6d6e0a | MD5 SHA1 SHA256 | FormBook |
| 70546f38493221036fa4704f272ca6da 33994e6316abe2f24c448d916fb53c5468d0f76e d0fd68de07eaddfd233b49bad8c222121ee284d8f783900d22e074accbcf7c2e | MD5 SHA1 SHA256 | FormBook |
| 02d8ff1023ffb18d7a5c12fe5f59c18d e65c02b78fc0027b811d56e6c5e9ad6d2a99abe6 93422cbf6d780209907414e93e1ecbb6f88cd55965323e44dd7871d06b9de458 | MD5 SHA1 SHA256 | FormBook |
| 11c6f8cc237951e997e74fc9b119cb23 9955c14589fae5098af8245422c2c3f5df83bc23 d2f320f9c10e21402fb3ffb1853b66b8f60502fe21c25e0336f572c4916274db | MD5 SHA1 SHA256 | QuasarRAT Ukraine Report_FINAL.zip |
| 3afb7c6e110117556f5f06460777a285 c7d74ac2844d056bef5f8a0cb5463dd4637b3b6a e5f6706d30125ed07b2093d911be25b838919b67662910120eac3246a548da8f | MD5 SHA1 SHA256 | QuasarRAT Ukraine Report_FINAL.pdf.exe |
| 743295dc257f5ee940d1ef3ce60ff9b7 05a74675be18867a52ed5a5e17d47aaf594995b3 7c641097fd5fb70c9bcb13dc11a1e9c5a3c0c20b045a8413512b6ee203319e02 | MD5 SHA1 SHA256 | QuasarRAT Ukraine Report_FINAL.pdf.exe |
Our Recommendations
- Keep the operating system and installed software in the system and server updated.
- Minimize network exposure for all serial devices using network segmentation and the placement of serial devices behind network firewalls to ensure that they are not accessible via the Internet.
- Conduct regular backup practices and maintain backups offline or in a separate network.
- Use security solutions available for Linux and IoT devices.
- Refrain from opening untrusted links and email attachments without verifying their authenticity.
- Create and save your passwords with password managers.
- Change all internet-connected devices’ default passwords.