Full Report
Organizations in Ukraine have been targeted by threat actors of Russian origin with an aim to siphon sensitive data and maintain persistent access to compromised networks. The activity, according to a new report from the Symantec and Carbon Black Threat Hunter Team, targeted a large business services organization for two months and a local government entity in the country for a week. The attacks
Analysis Summary
# Threat Actor: Unnamed Russian-Origin APT Group
## Attribution & Identity
* **Attribution:** Threat actors of Russian origin.
* **Known Aliases and Associated Groups:** The activity shows links to tools previously used by subgroups of the Russia-linked Sandworm crew (specifically the web shell `Localolive`), though the reporting organization explicitly states they could not find direct evidence connecting *this* specific intrusion to Sandworm.
## Activity Summary
The threat actors targeted Ukrainian entities over consecutive periods: one large business services organization for two months and a local government entity for one week. The primary goal was data exfiltration and establishing persistence. Initial access was achieved by deploying web shells on public-facing servers, suspected to be through the exploitation of unpatched vulnerabilities. The activity demonstrated stealth, relying heavily on Living-Off-The-Land (LotL) tactics and dual-use tools, which helped them remain undetected.
## Tactics, Techniques & Procedures
This actor heavily leveraged LotL and dual-use tools, minimizing custom malware implantation to reduce digital footprints.
* **Initial Access:** Deploying web shells (e.g., `Localolive`) on public-facing servers, likely via unpatched vulnerabilities.
* **Persistence & Evasion:**
* Excluding the Downloads folder from Microsoft Defender Antivirus scans using PowerShell commands.
* Setting up a scheduled task that runs a PowerShell script (`link.ps1`) every 30 minutes under a domain account.
* Deploying legitimate tools like MikroTik's `winbox64.exe` for potential malicious use.
* **Reconnaissance & Discovery:**
* Enumerating files in user directories.
* Running commands to list running processes whose names start with "kee", suggesting targeting of KeePass password vaults.
* Retrieving information about Windows configuration via PowerShell.
* Listing active user sessions.
* Performing memory dumps using the Microsoft Windows Resource Leak Diagnostic tool (`RDRLeakDiag`).
* **Credential Access & Lateral Movement:**
* Saving a copy of the registry hive (`1.log`).
* Modifying the registry to permit inbound RDP connections.
* Running `RDPclip` to gain clipboard access during RDP sessions.
* Installing OpenSSH to facilitate remote access, including opening TCP port 22.
* **Payload Delivery:** Used the `Localolive` web shell to facilitate the delivery of next-stage payloads, including `Chisel`, `plink`, and `rsockstun`.
## Targeting
* **Sectors:** Business Services, Local Government.
* **Geography:** Ukraine.
* **Victims:** A large business services organization (targeted for two months) and a local government entity (targeted for one week).
## Tools & Infrastructure
* **Malware Families Used:** `Localolive` (web shell), PowerShell backdoors (unknown source), unknown Python script.
* **Dual-Use/Legitimate Tools:** `Chisel`, `plink`, `rsockstun`, `winbox64.exe` (MikroTik router management application), PowerShell, RDRLeakDiag, OpenSSH.
* **Infrastructure (C2, domains, IPs):** No C2 infrastructure (URLs or IP addresses) was available for analysis; persistence relied on scheduled tasks and backdoors rather than on documented remote infrastructure.
## Implications
The actor demonstrates a high degree of sophistication by prioritizing stealth through the heavy use of LotL techniques, effectively blending malicious activity with legitimate system administration tasks. This makes detection significantly challenging, especially for resource-constrained security teams relying solely on traditional signature-based defenses or malware analysis. The focus on critical infrastructure components (government, business services) and data exfiltration suggests espionage or disruption objectives.
## Mitigations
* Implement stringent monitoring and behavioral analysis for anomalous use of legitimate tools such as PowerShell and RDP, and for registry manipulation, especially when combined with suspicious file creation (e.g., in the Downloads folder).
* Prioritize the patching of all public-facing internet services to prevent initial access via web shell deployment.
* Review and restrict scheduled task creation, particularly when associated with domain accounts executing PowerShell scripts.
* Monitor for the installation of remote access tools like OpenSSH and unauthorized firewall rule changes (e.g., port 22 being opened).
* Monitor registry hives and memory for signs of sensitive data collection.
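The TTP list above and these mitigations describe the same problem from two sides: every step (a Defender exclusion, a recurring scheduled task, a registry edit that permits RDP, a firewall rule for TCP/22, a process listing, a memory dump with a signed Microsoft tool) is ordinary administration on its own, and the detection value lies in catching them as a cluster on one host. The script below is an added example written for this summary, not code from Symantec or Carbon Black. It runs a set of rules modelled on the reported tradecraft over process-creation telemetry of the shape Sysmon Event ID 1 or Security Event ID 4688 with command-line auditing produce. The JSON field names, the sample events (host, users, paths, timestamps), the three-rule clustering threshold and the `fDenyTSConnections` registry value assumed for "permit inbound RDP" are all assumptions of the example; none of them are indicators from the report.

```python
"""Detection rules for the living-off-the-land tradecraft summarised above.
Telemetry shape and sample records are assumptions made for this example."""
import json
import re

# Constructed telemetry: one benign admin event, then events shaped like the
# reported tradecraft. Host, users, paths and timestamps are invented.
SAMPLE_EVENTS = r"""[
 {"ts": "2024-01-01T09:00Z", "host": "WEB01", "user": "CORP\\svc_backup",
  "parent": "C:\\Windows\\System32\\services.exe", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
  "cmdline": "powershell.exe -File C:\\Scripts\\nightly-backup.ps1"},
 {"ts": "2024-01-01T09:05Z", "host": "WEB01", "user": "IIS APPPOOL\\DefaultAppPool",
  "parent": "C:\\Windows\\System32\\inetsrv\\w3wp.exe", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
  "cmdline": "powershell -c Add-MpPreference -ExclusionPath C:\\Users\\Public\\Downloads"},
 {"ts": "2024-01-01T09:06Z", "host": "WEB01", "user": "CORP\\svc_deploy",
  "parent": "C:\\Windows\\System32\\cmd.exe", "image": "C:\\Windows\\System32\\schtasks.exe",
  "cmdline": "schtasks /create /tn Updater /tr \"powershell -File C:\\Users\\Public\\link.ps1\" /sc minute /mo 30 /ru CORP\\svc_deploy"},
 {"ts": "2024-01-01T09:07Z", "host": "WEB01", "user": "CORP\\svc_deploy",
  "parent": "C:\\Windows\\System32\\cmd.exe", "image": "C:\\Windows\\System32\\reg.exe",
  "cmdline": "reg add \"HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\" /v fDenyTSConnections /t REG_DWORD /d 0 /f"},
 {"ts": "2024-01-01T09:08Z", "host": "WEB01", "user": "CORP\\svc_deploy",
  "parent": "C:\\Windows\\System32\\cmd.exe", "image": "C:\\Windows\\System32\\netsh.exe",
  "cmdline": "netsh advfirewall firewall add rule name=sshd dir=in action=allow protocol=TCP localport=22"},
 {"ts": "2024-01-01T09:09Z", "host": "WEB01", "user": "CORP\\svc_deploy",
  "parent": "C:\\Windows\\System32\\cmd.exe", "image": "C:\\Windows\\System32\\tasklist.exe",
  "cmdline": "tasklist /FI \"IMAGENAME eq kee*\""},
 {"ts": "2024-01-01T09:10Z", "host": "WEB01", "user": "CORP\\svc_deploy",
  "parent": "C:\\Windows\\System32\\cmd.exe", "image": "C:\\Windows\\System32\\rdrleakdiag.exe",
  "cmdline": "rdrleakdiag.exe /p 4242 /o C:\\Users\\Public\\out /fullmemdmp"}
]"""


def load_events(text):
    """Parse exported telemetry (a JSON array of flat records)."""
    return json.loads(text)


def _has(cmd, *needles):
    """Case-insensitive substring match for every needle."""
    low = cmd.lower()
    return all(n.lower() in low for n in needles)


def _basename(path):
    return path.lower().rsplit("\\", 1)[-1]


def webserver_spawns_shell(ev):
    # A command interpreter born from the IIS worker process is the footprint
    # a web shell leaves on a public-facing server.
    return _basename(ev["parent"]) == "w3wp.exe" and \
        _basename(ev["image"]) in {"cmd.exe", "powershell.exe", "pwsh.exe"}


def defender_exclusion_downloads(ev):
    # Defender told to stop scanning a Downloads folder.
    return _has(ev["cmdline"], "add-mppreference", "-exclusionpath", "\\downloads")


def scheduled_task_domain_ps1(ev):
    # schtasks creating a 30-minute recurring task that runs a .ps1 as DOMAIN\account.
    cmd = ev["cmdline"]
    return _has(cmd, "schtasks", "/create", "/sc minute", "/mo 30", ".ps1") and \
        re.search(r"/ru\s+\S+\\\S+", cmd, re.I) is not None


def rdp_enabled_via_registry(ev):
    # Assumed value behind "permit inbound RDP": fDenyTSConnections written as 0.
    return _has(ev["cmdline"], "fdenytsconnections") and \
        re.search(r"/d\s+0\b", ev["cmdline"]) is not None


def ssh_exposure(ev):
    # OpenSSH server installed, or TCP/22 opened through the host firewall.
    cmd = ev["cmdline"]
    return bool(_has(cmd, "add-windowscapability", "openssh.server")
                or (_has(cmd, "firewall", "add rule") and re.search(r"localport=22\b", cmd, re.I))
                or (_has(cmd, "new-netfirewallrule") and re.search(r"-localport\s+22\b", cmd, re.I)))


def keepass_process_hunt(ev):
    # Process listing filtered to names beginning "kee" (KeePass).
    cmd = ev["cmdline"]
    return _has(cmd, "tasklist", "imagename eq kee") or \
        re.search(r"get-process\s+['\"]?kee\*", cmd, re.I) is not None


def memory_dump_tool(ev):
    # RDRLeakDiag is a signed Microsoft diagnostic that also writes process memory.
    return _basename(ev["image"]) == "rdrleakdiag.exe"


RULES = [webserver_spawns_shell, defender_exclusion_downloads, scheduled_task_domain_ps1,
         rdp_enabled_via_registry, ssh_exposure, keepass_process_hunt, memory_dump_tool]


def evaluate(events):
    """Return (ts, host, rule_name) for every rule each event trips."""
    return [(ev["ts"], ev["host"], rule.__name__)
            for ev in events for rule in RULES if rule(ev)]


def hosts_with_clustered_hits(hits, min_rules=3):
    """Hosts tripping at least `min_rules` distinct rules. Each signal alone reads as
    administration; the cluster is what separates this tradecraft from it."""
    seen = {}
    for _, host, rule in hits:
        seen.setdefault(host, set()).add(rule)
    return sorted(h for h, rules in seen.items() if len(rules) >= min_rules)


def run_sample():
    hits = evaluate(load_events(SAMPLE_EVENTS))
    return [rule for _, _, rule in hits], hosts_with_clustered_hits(hits)


if __name__ == "__main__":
    fired, hosts = run_sample()
    for name in fired:
        print(name)
    print("clustered:", hosts)
```

The per-event rules are deliberately narrow so they stay quiet on a normal estate; the `hosts_with_clustered_hits` step is where the report's point about LotL tradecraft turns into an alert, since a host that trips several of these within a short window is far rarer than any one of them. On real data the threshold and the time window both need tuning against your own administrative baseline.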