This blog post was authored by Ankur Saini, Roberto Santos and Hossein Jazi.
UAC-0056 also known as SaintBear, UNC2589 and TA471 is a cyber espionage actor that has been active since early 2021 and has mainly targeted Ukraine and Georgia. The group is known to have performed a wiper attack in January 2022 on multiple Ukrainian government computers and websites.
Earlier in March, Cert-UA reported UAC-0056 activity that targeted state organizations in Ukraine using malicious implants called GrimPlant, GraphSteel as well as CobaltStrike Beacon. Following up with that campaign, SOCPRIME and SentinelOne have reported some similar activities associated with this actor.
In late March, the Malwarebytes Threat Intelligence Team identified new activity from this group that targeted several entities in Ukraine, including ICTV, a private TV channel. Unlike previous attacks that were trying to convince victims to open a url and download a first stage payload or distributing fake translation software, in this campaign the threat actor is using a spear phishing attack that contains macro-embedded Excel documents. In this blog post, we provide a technical analysis of this new campaign.
Attack process
The following picture shows the overall attack procedure used by this actor. The attack starts with malicious documents sent as attachment to a phishing email. The document contains a malicious macro that drops an embedded payload within the document. The next stage payloads are being downloaded from the attacker server in Base64 format.
Phishing email
The actor has distributed phishing emails at least from March 23th to March 28th. The email subject is Заборгованість по зарплаті (wage arrears) and the body of all the emails is the same:
Заборгованість по зарплаті. Оновлюється автоматично. Просимо надіслати вашу пропозицію для скорочення заборгованості по зарплаті. (Wage arrears. Updated automatically. Please send your offer to reduce your salary arrears.)
Excel document:
The attached document has the same name as email subject “Заборгованість по зарплаті” and it seems the actor has used a legit document as decoy.
This document contains an embedded macro that drops the first stage payload called “base-update.exe”. The payload has been saved in a “very hidden sheet” named “SheetForAttachedFile”. The sheet contains the filename, the date the payload is attached (21th March 2022), the file size and the content of the attached file in hex format.
The macro reads the content of the embedded file in the hidden sheet and writes it into the defined location for this payload which is the “AppDataLocalTemp” directory. The macro used by the actor is taken from a website that described and provided code for a method to attach and extract the files from an Excel workbook.
Elephant Dropper (Base-Update.exe)
Elephant Dropper is the initial executable deployed in this attack; as the name suggests this is a simple dropper which deploys further stages. This executable is written in the Go programming language and is signed with a stolen Microsoft certificate. The strings in the binary suggest that it was actually named as Elephant Dropper by the attackers themselves.
It checks if the “C:Users{user}.java-sdk” directory exists on the system and creates it if it does not. The strings in the binary are encoded and are only decoded when they are required to be used.
The dropper decodes the C2 address from a string and then downloads a Base64 encoded binary from the C2 and writes it to “C:Users{user}.java-sdkjava-sdk.exe”. This downloaded binary is named as Elephant Downloader by the attackers judging from the strings present. java-sdk.exe is then executed by the dropper with the following arguments, “-a 0CyCcrhI/6B5wKE8XLOd+w==”. The argument “-a” refers to address and the Base64 string is the C2 address in AES encrypted format.
Elephant Downloader (java-sdk.exe)
Elephant Downloader is also written in the Go Programming Language and is executed by the Dropper. The main purpose of this payload is to maintain persistence on the system and also deploy the next two stages of the attack. The strings in this executable are encoded in the same way as in the Dropper. It makes itself persistent through the auto-run registry key. To do so, it creates a registry key under “SoftwareMicrosoftWindowsCurrentVersionRun” named as “Java-SDK” with value “C:Users{user}Desktopjava-sdk.exe -a 0CyCcrhI/6B5wKE8XLOd+w==”.
The downloader is responsible for getting the implant and the client; the URL paths for the payloads are stored in encoded form in the binary. It downloads the implant and the client from http://194.31.98.124:443/m and http://194.31.98.124:443/p respectively in Base64 encoded format.
After this, it decodes the file names which are stored as well in encoded format and creates the file in the earlier mentioned directory .java-sdk. The file name of the implant is oracle-java.exe and the client is microsoft-cortana.exe. The downloader executes both payloads and passes “-addr 0CyCcrhI/6B5wKE8XLOd+w==” as arguments to both. Again the Base64 string is the C2 address in AES encrypted format.
Elephant Implant (oracle-java.exe)
Elephant Implant (also tracked as GrimPlant backdoor) seems to be one of the most important payloads in this attack. This executable communicates with the C2 on port 80. Similar to earlier payloads, strings are encoded in the same fashion is in this binary as well, and it also gets the C2 address encrypted from its parent process. The implant makes use of gRPC to communicate with the C2, it has a TLS certificate embedded in the binary and makes use of SSL/TLS integration in gRPC. This allows the malware to encrypt all the data that is being sent to the C2 via gRPC.
The implant uses the MachineID library to derive a unique id for each machine. It also gets the IP address of the machine by making a request to “https://api.ipify.org/”.
It also collects information related to the OS in a function named GetOSInfo, as part of this the malware collects the hostname, OS name and number of CPUs in the system. A function named GetUserInfo collects the Name, Username and path to Home directory of the current user.
The Implant can communicate with the C2 by using 4 types of RPC requests:
- /Implant/Login – This is the initial RPC request that is sent to the C2. Along with this RPC request the earlier retrieved ID and system information is sent to the C2 as well.
- /Implant/FetchCommand – This RPC request is used to retrieve the command that the actor wants to execute on the target machine. The retrieved command is executed via “%windir%SysWOW64WindowsPowerShellv1.0powershell.exe“. An AdminId and Command to be executed is received as a response to this command.
- /Implant/SendCmdOutput – This is used to send the output of an executed command by sending a
SendCmdOutput RPC request to the C2. An AdminId and Command Output is sent with this request. - /Implant/Heartbeat – A Heartbeat RPC request is made to C2 to send the status to the C2 at regular intervals. The machine id and system info retrieved earlier is sent with this request.
Elephant Client (microsoft-cortana.exe)
The last payload that will be described is this blog is the one named elephant_client by the actor (also tracked as GraphSteel backdoor). The functionality suggests that this final payload is a data stealer.
Similar to other payloads in this attack chain, this payload receives the C2 server as a parameter in Base64 format (0CyCcrhI/6B5wKE8XLOd+w==) which is AES encrypted format of the server. Decoding the Base64 string gives us the C2 IP address in AES encrypted format: d02c8272b848ffa079c0a13c5cb39dfb
. The actor uses the following key to AES decrypt (ECB-NoPadding mode) the C2 address: F1D21960D8EB2FDDF2538D29A5FD50B5F64A3F9BF06F2A3C4C950438C9A7F78E
.
Once the sample has established its connection with its C2 server, it starts collecting data and exfiltrating them into the server. At first it collects some basic info about the user and send it to the server as shown in Figure 12. (some info has been removed for privacy). The collected data is Base64 encoded, and includes hostname, OS name(windows), number of CPUs, IP address, Name, Username and home directory.
After that, the client tries to steal credentials from the victim’s machine. The actor steals data from the following services:
- Browser credentials
- WiFi information
- Credentials manager data
- Mail accounts
- Putty connections data
- Filezilla credentials
We have installed some of these services for testing purposes. Figure 13 shows how the stolen data is being sent to C2 server:
Base64 decoding data shows what data has been exfiltrated:
For example, to recover Wifi data, the command netsh wlan show profiles
(that list all SSIDs saved in the machine) has been used. Once all the SSIDs are gathered, if any, it will launch the command netsh wlan show profile [SSID] key=clear
, revealing all saved wifi passwords:
The following image shows an example of the command execution, where you can see some of the commands executed in the process:
Figure 17 shows another example of exfiltration in which an encoded PowerShell command is used to steal the data from the Secure Vault:
In addition to stealing credentials, the actor steals all the files from the victim’s machine. To collect the data it iterates through all the files in the user directory and hashes each of them. All of these collected hashes will be sent to the actor’s C2 server. Finally, the malware will send to the attackers all these files.
Note that all the collected data are AES encrypted before being sent to C2 server, so packet inspection will not reveal any useful information.
Conclusion
UAC-0056 aka UNC2589, TA471, or SaintBear is an active actor that has been performing cyber espionage campaigns against Ukraine since 2021. The group is known to have performed the WhisperGate disruptive attack against Ukraine government entities in early 2022. Recently we have observed new activity associated with this actor that used macro-embedded excel documents to drop its malicious software on victims machines. In this blog we provided a technical analysis of this campaign.
The Malwarebytes Threat Intelligence team continues to monitor cyber attacks related to the Ukraine war. We are protecting our customers and sharing additional indicators of compromise.
IOCs
Emails:
1ce85d7be2e0717b79fbe0132e6851d81d0478dba563991b3404be9e58d745b1
58c93b729273ffa86ed7baa7f00ccd9664ab9b19727010a5a263066bff77cee8
ed0128095910fa2faa44e41f9623dc0ba26f00d84be178ef46c1ded003285ae3
Excel doc:
c1afb561cd5363ac5826ce7a72f0055b400b86bd7524da43474c94bc480d7eff
Elephant dropper (base-update.exe):
9e9fa8b3b0a59762b429853a36674608df1fa7d7f7140c8fccd7c1946070995a
Elephant downloader (java-sdk.exe):
8ffe7f2eeb0cbfbe158b77bbff3e0055d2ef7138f481b4fac8ade6bfb9b2b0a1
Elephant Implant (oracle-java.exe):
99a2b79a4231806d4979aa017ff7e8b804d32bfe9dcc0958d403dfe06bdd0532
Elephant Client (microsoft-cortana.exe):
60bdfecd1de9cc674f4cd5dd42d8cb3ac478df058e1962f0f43885c14d69e816
C2:
194.31.98.124
The post New UAC-0056 activity: There’s a Go Elephant in the room appeared first on Malwarebytes Labs.