Anti-government hackers with espionage capabilities active in Ukraine

News by Bradley Barth

The Ukrainian government has been targeted by a spear-phishing-based malware campaign run by hackers with "competent cyber-espionage capabilities" who call themselves the Luhansk People's Republic (LPR).

Researchers say hackers calling themselves Luhansk People’s Republic (LPR) are behind a spear phishing-based malware campaign that’s been actively targeting the Ukrainian government.

The researchers, from FireEye, disclosed their assessment following their investigation into a malware-laced email that they were able to tie back to a 2018 phishing campaign designed to deliver custom cyber-espionage malware called RATVERMIN, aka Vermin. Based on an analysis of malware compilation times and domain resolutions, the group behind these attacks may have been active since as far back as 2014.

After the invasion of the Russian-supported 'green men' into the east of Ukraine, following the ousting of pro-Russian president Viktor Yanukovych, a group calling itself the LPR declared independence from Ukraine and remains in conflict with Kyiv.

In a blog post published yesterday, FireEye reports that the offending email, sent on 22 January, impersonated the UK-based defence manufacturer Armtrac. The supposed sender, who identifies himself as executive manager Alex Gallil, references potential business opportunities including those related to demining activities, ammunition recycling, and a border surveillance system.

The email included a 7-Zip attachment with three files: two innocuous Armtrac documents and a malicious LNK file impersonating a PDF document. The malicious file executes a PowerShell script that downloads a second-stage payload.
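An added triage check, not code from the FireEye report or this article, that shows how a defender can flag the pattern just described: an archive member with a document-looking double extension whose Windows shortcut launches PowerShell. It parses only the parts of the Shell Link (.lnk) format needed to read the target path and arguments; the sample shortcut bytes are constructed inline and are not from the campaign.

```python
import struct

# Shell Link header prefix: HeaderSize (0x4C) followed by the LinkCLSID
# 00021401-0000-0000-C000-000000000046, as laid out in [MS-SHLLINK].
LNK_MAGIC = b"\x4c\x00\x00\x00\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46"

def parse_lnk(data):
    """Return (LinkFlags, StringData dict) from raw .lnk bytes."""
    if data[:20] != LNK_MAGIC:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = 0x4C                                    # fixed-size ShellLinkHeader
    if flags & 0x01:                              # HasLinkTargetIDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & 0x02:                              # HasLinkInfo (size field includes itself)
        pos += struct.unpack_from("<I", data, pos)[0]
    unicode = bool(flags & 0x80)                  # IsUnicode: StringData is UTF-16LE
    strings = {}
    for bit, name in ((0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                      (0x20, "arguments"), (0x40, "icon_location")):
        if flags & bit:                           # each string: CountCharacters then chars
            n = struct.unpack_from("<H", data, pos)[0]
            pos += 2
            raw = data[pos:pos + (n * 2 if unicode else n)]
            pos += len(raw)
            # Assumption: non-Unicode strings use cp1252 (spec says system code page).
            strings[name] = raw.decode("utf-16-le" if unicode else "cp1252")
    return flags, strings

def triage_member(filename, data):
    """Findings for one archive member; an empty list means nothing suspicious."""
    findings = []
    low = filename.lower()
    if any(low.endswith(ext + ".lnk") for ext in (".pdf", ".doc", ".docx", ".xls")):
        findings.append("LNK masquerading as a document")
    if data[:20] == LNK_MAGIC:
        _, s = parse_lnk(data)
        target = (s.get("relative_path", "") + " " + s.get("arguments", "")).lower()
        if "powershell" in target:
            findings.append("shortcut launches PowerShell")
    return findings

def _lnk_string(text):                            # helper to build constructed StringData
    return struct.pack("<H", len(text)) + text.encode("utf-16-le")

# Constructed sample: flags = HasRelativePath | HasArguments | IsUnicode, rest of header zeroed.
SAMPLE_LNK = (LNK_MAGIC + struct.pack("<I", 0x08 | 0x20 | 0x80) + b"\x00" * (0x4C - 24)
              + _lnk_string(r"..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe")
              + _lnk_string('-WindowStyle Hidden -Command "<stage-2 download placeholder>"'))
```

Running `triage_member("Armtrac_offer.pdf.lnk", SAMPLE_LNK)` reports both findings, while a genuine PDF member yields none.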

Although the researchers were unable to identify the payload, they were able to link the campaign to past activity. For starters, the C2 domain that was used to store the downloaded payload was registered using an email associated with 21 other domains that appear to impersonate legitimate Ukrainian websites such as news portals and political and business sites. Moreover, a 22nd domain was linked to the official website for LPR’s Ministry of State Security.

FireEye researchers also connected the email to a similar campaign in 2018, which used EXE and RAR files to deliver malware such as the open-source QUASARRAT (aka Quasar) as well as RATVERMIN. The latter, which is used exclusively by one threat group, is a Microsoft .NET-based custom program that’s composed of largely original code.

In a 29 January, 2018 blog post, Palo Alto Networks’ Unit 42 threat research group noted that RATVERMIN was being used against Ukrainian targets, and was capable of such functionality as keylogging; capturing screen images and audio; and manipulating, deleting and downloading files.

"This actor has likely been active since at least 2014, and its continuous targeting of the Ukrainian Government suggests a cyber-espionage motivation. This is supported by the ties to the so-called LPR’s security service," states the FireEye blog post, jointly written by researchers John Hultquist, Ben Read, Oleg Bondarenko and Chi-en Shen. "While more evidence is needed for definitive attribution, this activity showcases the accessibility of competent cyber-espionage capabilities, even to sub-state actors. While this specific group is primarily a threat to Ukraine, nascent threats to Ukraine have previously become international concerns and bear monitoring." It is not known what level of support, if any, the LPR gets from Russia, which supports the separatist movement in Russian-speaking eastern Ukraine, or even whether this is actually a sub-state actor or a Russian front organisation.

The original version of this article was first published on SC Media US.
