Avatar

Below research is reflecting our observations during month of March 2022. We also would like to thank Maria Jose Erquiaga for her contribution in introduction and support during the process of writing.


Overview

As the Russian-Ukrainian war continues over conventional warfare, cybersecurity professionals witnessed their domain turning into a real frontier. Threat actors picking sides [1], group members turning against each other [2], some people handing out DDoS tools [3], some people blending in to turn it into profit [4], and many other stories, proving that this new frontier is changing daily, and its direct impact is not limited to geographical boundaries.

While attacks seem to be evolving daily, it is challenging for one to stay up to date with all that is going around. Therefore, we believe that it is important to distinguish between information and actionable intelligence. In Cisco Global Threat Alerts, we would like to share our observations related to this conflict during March of 2022 and discover how we can turn them into actionable intelligence together.

Threat Actors in the Russian-Ukrainian Conflict

Since the rapid escalation of the conflict in 2022, security researchers and analysts have been gathering information regarding the adversarial groups, malware, techniques, and types of attacks implemented [1, 5, 6]. Some of the groups and malware related to the conflict are described in Table 1:

Threat Actor Malware Location
Gamaredon [7] Pteranodon [8] Crimea
Sandworm [9] CyclopsBlink [10] Russia
WizardSpider [11] Cobalt Strike [12], Emotet [13], Conti [14], Ryuk [15], Trickbot [16] Russia

Table 1: Threat actors and their relations

Gamaredon

Gamaredon group, also known as Primitive Bear, Shuckworm and ACTINIUM, is an advanced persistent threat (APT) based in Russia. Their activities can be traced back as early as 2013, prior to Russia’s annexation of the Crimean Peninsula. They are known to target state institutions of Ukraine and western government entities located in Ukraine. Ukrainian officials attribute them to Russian Federal Security Service, also known as FSB [17].

Gamaredon often leverages malicious office files, distributed through spear phishing as the first stage of their attacks. They are known to use a PowerShell beacon called PowerPunch to download and execute malware for ensuing stages of attacks. Pterodo and QuietSieve are popular malware families that they deploy for stealing information and various actions on objective [18].

We were able to collect network IoC’s related to Gamaredon infrastructure. During our initial analysis, most of the indicators were not attributed directly to any specific malware and they were rather listed as part of Gamaredon’s infrastructure. Therefore, we wanted to analyze their infrastructure to understand their arsenal and deployment in greater detail.

Network Infrastructure

The first part of this research is focused on WHOIS record analysis. We observed that Gamaredon domains were dominantly registered by REG[.]RU. Creation dates are going back as early as February 2019 and have a changing pattern for the registrant email. Until August 2020, we observed that message-yandex.ru@mail[.]ru was the main registrant email. Later, it shifted to macrobit@inbox[.]ru, mixed with the occasional usage of message-yandex.ru@mail[.]ru and tank-bank15@yandex[.]ru. Domain creation dates in some of the WHOIS records are as recent as March 2022.

Other than WHOIS information, the domains we observed that were related to Gamaredon campaigns had a distinguishing naming convention. While dataset consisted of domain names (without TLDs) varying between 4 to 16 characters, 70% percent of them were between 7 to 10 characters. Combined with a limited group of top-level domains (TLDs) used (see Table 2), this leads us to a naming pattern for further attribution. Additionally, the usage of TLDs on domain creation seems to be rotating.

TLD Distribution TLD Usage
online 42.07% 08/2020-02/2021,02/2022
xyz 29.47% 06/2022-08/2022, 02/2022-03/2022
ru 14.22% 08/2020, 05/2021-02/2022
site 8.94% 07/2020-02/2021
space 2.64% 02/2019-06/2020

Table 2: TLD distribution and time in use

In the case of domain resolutions, we aimed to analyze the distribution of autonomous system numbers (ASN) used by resolved IP addresses (see Table 3). Once more, the owner REG[.]RU is leading the list, owning most of the domains. TimeWeb was the second this time, with 28% of the domains we found to be related to Gamaredon activities. Domains having ‘. online’ and ‘.ru’ TLDs are regularly updating their IP resolutions, almost daily.

Owner ASN Popular Networks Distribution
REG.RU, Ltd AS197695 194.67.71.0/24
194.67.112.0/24
194.58.100.0/24
194.58.112.0/24
194.58.92.0/24
89.108.81.0/24
45.93%
TimeWeb Ltd. AS9123 185.104.114.0/24
188.225.77.0/24
188.225.82.0/24
94.228.120.0/24
94.228.123.0/24
28.25%
EuroByte LLC AS210079 95.183.12.42/32 10.56%
AS-CHOOPA AS20473 139.180.196.149/32 5.08%
LLC Baxet AS51659 45.135.134.139/32
91.229.91.124/32
2.23%
System Service Ltd. AS50448 109.95.211.0/24 1.82%

Table 3: Distribution of IP addresses per ASN and owner

Tooling

After understanding the infrastructure, let’s proceed with their arsenal. We looked at associated file samples for the domains through Umbrella and Virustotal. A sample of the results can be seen below. Referring to a file type, we can see that the Gamaredon group prefers malicious office documents with macros. Also, they are known to use Pterodo, which is a constantly evolving custom backdoor [8, 18].

Domain Hash Type Malware
acetica[.]online 4c12713ef851e277a66d985f666ac68e73ae21a82d8dcfcedf781c935d640f52 Office Open XML Document Groooboor
arvensis[.]xyz 03220baa1eb0ad80808a682543ba1da0ec5d56bf48391a268ba55ff3ba848d2f Office Open XML Document Groooboor
email-smtp[.]online 404ed6164154e8fb7fdd654050305cf02835d169c75213c5333254119fc51a83 Office Open XML Document Groooboor
gurmou[.]site f9a1d7e896498074f7f3321f1599bd12bdf39222746b756406de4e499afbc86b Office Open XML Document Groooboor
mail-check[.]ru 41b7a58d0d663afcdb45ed2706b5b39e1c772efd9314f6c1d1ac015468ea82f4 Office Open XML Document Groooboor
office360-expert[.]online 611e4b4e3fd15a1694a77555d858fced1b66ff106323eed58b11af2ae663a608 Office Open XML Document Groooboor
achilleas[.]xyz f021b79168daef8a6359b0b14c0002316e9a98dc79f0bf27e59c48032ef21c3d Office Open XML Document Macro enabled Word Trojan
anisoptera[.]online 8c6a3df1398677c85a6e11982d99a31013486a9c56452b29fc4e3fc8927030ad MS Word Document Macro enabled Word Trojan
erythrocephala[.]online 4acfb73e121a49c20423a6d72c75614b438ec53ca6f84173a6a27d52f0466573 Office Open XML Document Macro enabled Word Trojan
hamadryas[.]online 9b6d89ad4e35ffca32c4f44b75c9cc5dd080fd4ce00a117999c9ad8e231d4418 Office Open XML Document Macro enabled Word Trojan
intumescere[.]online 436d2e6da753648cbf7b6b13f0dc855adf51c014e6a778ce1901f2e69bd16360 MS Word Document Macro enabled Word Trojan
limosa[.]online 0b525e66587e564db10bb814495aefb5884d74745297f33503d32b1fec78343f MS Word Document Macro enabled Word Trojan
mesant[.]online 936b70e0babe7708eda22055db6021aed965083d5bc18aad36bedca993d1442a MS Word Document Macro enabled Word Trojan
sufflari[.]online 13b780800c94410b3d68060030b5ff62e9a320a71c02963603ae65abbf150d36 MS Word Document Macro enabled Word Trojan
apusa[.]xyz 23d417cd0d3dc0517adb49b10ef11d53e173ae7b427dbb6a7ddf45180056c029 Win32 DLL Pterodo
atlanticos[.]site f5023effc40e6fbb5415bc0bb0aa572a9cf4020dd59b2003a1ad03d356179aa1 VBA Pterodo
barbatus[.]online 250bd134a910605b1c4daf212e19b5e1a50eb761a566fffed774b6138e463bbc VBA Pterodo
bitsadmin2[.]space cfa58e51ad5ce505480bfc3009fc4f16b900de7b5c78fdd2c6d6c420e0096f6b Win32 EXE Pterodo
bitsadmin3[.]space 9c8def2c9d2478be94fba8f77abd3b361d01b9a37cb866a994e76abeb0bf971f Win32 EXE Pterodo
bonitol[.]online 3cbe7d544ef4c8ff8e5c1e101dbdf5316d0cfbe32658d8b9209f922309162bcf VBA Pterodo
buhse[.]xyz aa566eed1cbb86dab04e170f71213a885832a58737fcab76be63e55f9c60b492 Office Open XML Document Pterodo
calendas[.]ru 17b278045a8814170e06d7532e17b831bede8d968ee1a562ca2e9e9b9634c286 Win32 EXE Pterodo
coagula[.]online c3eb8cf3171aa004ea374db410a810e67b3b1e78382d9090ef9426afde276d0f MS Word Document Pterodo
corolain[.]ru 418aacdb3bbe391a1bcb34050081bd456c3f027892f1a944db4c4a74475d0f82 Win32 EXE Pterodo
gorigan[.]ru 1c7804155248e2596ec9de97e5cddcddbafbb5c6d066d972bad051f81bbde5c4 Win32 EXE Pterodo
gorimana[.]site 90cb5319d7b5bb899b1aa684172942f749755bb998de3a63b2bccb51449d1273 MS Word Document Pterodo
krashand[.]ru 11d6a641f8eeb76ae734951383b39592bc1ad3c543486dcef772c14a260a840a Win32 EXE Pterodo
libellus[.]ru 4943ca6ffef366386b5bdc39ea28ad0f60180a54241cf1bee97637e5e552c9a3 Win32 EXE Pterodo
melitaeas[.]online 55ad79508f6ccd5015f569ce8c8fcad6f10b1aed930be08ba6c36b2ef1a9fac6 Office Open XML Document Pterodo
mullus[.]online 31afda4abdc26d379b848d214c8cbd0b7dc4d62a062723511a98953bebe8cbfc Win32 EXE Pterodo
upload-dt[.]hopto[.]org 4e72fbc5a8c9be5f3ebe56fed9f613cfa5885958c659a2370f0f908703b0fab7 MS Word Document Pterodo

Table 4: Domains, files (hash and type), and malware name associated to the Gamaredon group

After reviewing the behaviors of the associated malicious samples, it is easier to build attribution between the malicious domain and the corresponding sample. IP addresses resolved by the domain are later used to establish raw IP command and control (C2) communication with a distinguishing URL pattern. The following example shows how 1c7804155248e2596ec9de97e5cddcddbafbb5c6d066d972bad051f81bbde5c4 resolves gorigan[.]ru and uses its IP address to build a C2 URL (http|https<IP>/<random alphanumerical string>). Therefore, DNS and outgoing web traffic is crucial for its detection.

Figure 1: IP address resolutions of gorigan[.]ru
Figure 2: URL connections to resolved IP addresses (source: Virustotal)

Detecting Gamaredon Activity with Global Threat Alerts 

In Cisco Global Threat Alerts, we are tracking the Gamaredon group under the Gamaredon Activity threat object. The threat description is enriched with MITRE references (see Figure 3).

Figure 3: Threat description of Gamaredon activity, including MITRE techniques and tactics (source: Cisco Global Threat Alerts)

Figure 4 shows a detection sample of Gamaredon activity. Observe that the infected device attempted to communicate with the domains alacritas[.]ru, goloser[.]ru, and libellus[.]ru, which seemed to be sinkholed to the OpenDNS IP address of 146.112.61.[.]107.

Figure 4: Gamaredon group detection example (source: Cisco Global Threat Alerts)

Conclusion

We’ve walked through the steps of producing intelligence from information we’ve collected. We began our analysis with an unattributed list of network IoC’s and were able to identify unique patterns in their metadata. Then, we pivoted to endpoint IoC’s and attributed domains to malware families. Next, we showed how we turned it into a detection of the Gamaredon group displayed in the Cisco Global Threat Alerts portal.

For your convenience, here’s a summary of the intelligence we developed in this blog post:

Aliases Primitive Bear, Shuckworm, ACTINIUM
Type Threat Actor
Originating From Russia
Targets Ukranian State Organizations
Malware used Pterodo, Groooboor
File Type Macro enabled office files, Win32 Exe, VBA
TLD’s used .online, .xyz, .ru, .site, .space
ASN’s used REG.RU, Ltd, TimeWeb Ltd., EuroByte LLC, AS-CHOOPA, LLC Baxet, System Service Ltd.

 

References

[1] Cyber Group Tracker: https://cyberknow.medium.com/update-10-2022-russia-ukraine-war-cyber-group-tracker-march-20-d667afd5afff

[2] Conti ransomware’s internal chats leaked after siding with Russia: https://www.bleepingcomputer.com/news/security/conti-ransomwares-internal-chats-leaked-after-siding-with-russia/

[3] Hackers sound call to arms with digital weapon aimed at Russian websites: https://cybernews.com/news/hackers-sound-call-to-arms-with-digital-weapon-aimed-at-russian-websites/

[4] Threat advisory: Cybercriminals compromise users with malware disguised as pro-Ukraine cyber tools: https://blog.talosintelligence.com/2022/03/threat-advisory-cybercriminals.html

[5] Ukraine-Cyber-Operations: https://github.com/curated-intel/Ukraine-Cyber-Operations

[6] What You Need to Know About Russian Cyber Escalation in Ukraine: https://socradar.io/what-you-need-to-know-about-russian-cyber-escalation-in-ukraine/

[7] Gamaredon: https://attack.mitre.org/groups/G0047/

[8] Pteranodon: https://attack.mitre.org/software/S0147/

[9] Sandworm: https://attack.mitre.org/groups/G0034/

[10] Threat Advisory: Cyclops Blink: https://blog.talosintelligence.com/2022/02/threat-advisory-cyclops-blink.html

[11] Wizard Spider: https://attack.mitre.org/groups/G0102/

[12] Cobalt Strike: https://attack.mitre.org/software/S0154

[13] Emotet: https://attack.mitre.org/software/S0367

[14] Conti: https://attack.mitre.org/software/S0575

[15] Ryuk: https://attack.mitre.org/software/S0446

[16] TrickBot: https://attack.mitre.org/software/S0446

[17] Technical Report Gamaredon/Armageddon group: https://ssu.gov.ua/uploads/files/DKIB/Technical%20report%20Armagedon.pdf

[18] ACTINIUM targets Ukrainian organizations: https://www.microsoft.com/security/blog/2022/02/04/actinium-targets-ukrainian-organizations/


We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!

Cisco Secure Social Channels

Instagram
Facebook
Twitter
LinkedIn



Authors

Onur Mustafa Erdogan

Security Research Engineer

Cognitive Intelligence