Rewterz Threat Alert – GhostWriter Targeting Organizations of Ukraine – Active IOCs – Russian-Ukrainian Cyber Warfare

Severity

High

Analysis Summary

The government team for responding to computer emergencies in Ukraine CERT-UA found RAR-archive “Диверсанти.rar”, which contains RAR-archive “Диверсанти 21.03.rar”, which, in turn, contains SFX-archive “Диверсанти filercs.rar” (to mask the extension, the file name contains the right-to-left override (RTLO) character).

The archive contains documents and images of the bait, as well as VBScript code (Thumbs.db), which will create and run the .NET program “dhdhk0k34.com”. As a result, the computer will be affected by the malicious program Cobalt Strike Beacon. – CERT-UA

Cert-UA has associated this activity, with average confidence, to the GhostWriter group.

GhostWriter is a state-sponsored threat group targeting individuals in Poland, Latvia, and Lithuania. The group has now been linked to UNC1151. The campaign by the threat group started in mid-2020 and now the actors responsible for these attacks are being associated with UNC1151. UNC1151 is a state-sponsored APT group partaking in malware campaigns and credential harvesting attacks. UNC1151 – a Minsk-based threat group – has been targeting Ukrainian government officials and military personnel with mass phishing emails. After the account is compromised, the attackers, by the IMAP protocol, get access to all the messages. Later, the attackers use contact details from the victim’s address book to send the phishing emails.

Impact

• Information Theft and Espionage
• Cyber Espionage

Indicators of Compromise

Domain Name

• ao3[.]hmgo[.]pw
• hmgo[.]pw

Filename

• Диверсанти[.]rar
• Diversants21[.]03[.]rar
• Диверсанти21[.]03[.]rar
• Saboteursfilerar[.]scr
• Диверсантиfiler‮rar[.]sc
• Thumbs[.]db
• dhdhk0k34[.]com
• Skype[.]exe

MD5

• e4b54ee2f0068762179e7e514d90bf16
• 4a78df33d4f987103dc0c0f3a302b8cb
• bcdab4ae622811f699765bfb9cb909d2
• b5525108912ee8d5f1519f1b552723e8
• 3303286735a07ae5d14db9c12843d44e
• 18e73cc3d5eda742530ba3fef59e3943

SHA-256

• fbabc4e5a6470606fc64c39c182b5a7a71f8fa96f50c67725d52abf184f75fd4
• 59ed536e1955e310f321435d43ca8b60cb3746514f3c3ea951d43633cacbe7bc
• 6149680c8541980d46c17681e37e4751e2baca1d13ee648b8188dfb24bf56f7c
• d324d7f30984931176ff878a81c7c1f4f979ad3d759c7f33427bba10d9deb1f6
• f98e1e61c84a5ed098e7481ab339e2881195f4d1b101c92b81113eb7ff56e63d
• 37e644deee0add76bac9c5121355a03a459b1a97917383765bf3df94e9af7e29

SHA-1

• f3f68b4bfdeb4d4cae5e05b66ca9c93e02f467ea
• 86063f8ed3331987b42a5fc256e26abfb174b48a
• 04bc53294ed74b6630c20c02afbc97f2772e2e31
• 426d8a2289a234de5f647950a745fe228ca6d495
• 18a590741330ec1968b229a1acdba2f08151909c
• 5ac79ec558347889d54d69e8e24e011683a58520

URL

• https[:]//ao3[.]hmgo[.]pw/tags/Akihabara@TODEEP/works
• https[:]//ao3[.]hmgo[.]pw/tags/Akihabara@TODEEP/works/update

Remediation

• Block all threat indicators at your respective controls.
• Search for IOCs in your environment.
• Always be suspicious about emails sent by unknown senders.
• Never click on links/attachments sent by unknown senders.