Full Report
The Computer Emergency Response Team of Ukraine (CERT-UA) has revealed a new set of cyber attacks targeting Ukrainian institutions with information-stealing malware. The activity is aimed at military formations, law enforcement agencies, and local self-government bodies, particularly those located near Ukraine's eastern border, the agency said. The attacks involve distributing phishing emails
Analysis Summary
# Incident Report: Multiple Threat Actor Activities Targeting Ukrainian and European Entities
## Executive Summary
Multiple sophisticated cyber campaigns were identified targeting Ukrainian governmental, military, and law enforcement institutions, as well as European government and military organizations. Attackers utilized phishing emails with malicious Excel documents to deploy information-stealing malware (GIFTEDCROOK) in one campaign, and signed RDP files to establish covert remote connections for espionage in another. The impact includes the potential theft of sensitive documents, credentials, and browsing data from compromised entities. Response involved attribution and public disclosure by CERT-UA and threat intelligence partners.
## Incident Details
- Discovery Date: Ongoing (Specific reports dated October 2024 onwards)
- Incident Date: Ongoing (Activity spans several months)
- Affected Organization: Ukrainian Military Formations, Law Enforcement Agencies, Local Self-Government Bodies, European Government and Military Organizations.
- Sector: Government, Military, Law Enforcement
- Geography: Ukraine (Eastern Border focus) and Europe
## Timeline of Events
### Initial Access
- Date/Time: Not explicitly stated, ongoing campaigns.
- Vector: Phishing emails containing malicious Microsoft Excel Spreadsheets (XLSM) or signed .RDP file attachments.
- Details:
  * **Campaign 1 (UAC-0226):** Emails used compelling subjects (demining, UAV production, fines) and were sent from compromised accounts to lend the lure legitimacy.
  * **Campaign 2 (APT29/UNC5837):** Used signed RDP files to initiate remote connections.
### Lateral Movement
- **Campaign 1 (UAC-0226):** A PowerShell script taken from the PSSW100AVB repository opened a reverse shell, likely facilitating further internal movement after initial execution.
- **Campaign 2 (APT29/UNC5837):** Utilized creative RDP techniques, specifically RemoteApps and resource redirection, to execute adversary-controlled applications and map victim file systems onto attacker servers.
### Data Exfiltration/Impact
- **Campaign 1 (UAC-0226):** Deployment of the GIFTEDCROOK stealer designed to steal cookies, browsing history, and authentication data from Chrome, Edge, and Firefox.
- **Campaign 2 (APT29/UNC5837):** Primary objective was espionage and file stealing. Attackers likely read victim drives, stole files, captured clipboard data (including passwords), and obtained environment variables, potentially using PyRDP automation.
### Detection & Response
- **Detection:** Identified and reported by CERT-UA, Google Threat Intelligence Group (GTIG), Amazon Web Services, and Microsoft.
- **Response Actions:** Public disclosure by CERT-UA (UAC-0226 and UAC-0215 tracking). GTIG reported on the UNC5837 TTPs.
## Attack Methodology
| Category | Campaign 1 (Phishing/GIFTEDCROOK - UAC-0226) | Campaign 2 (RDP/UNC5837 - UAC-0215/APT29) |
| :--- | :--- | :--- |
| **Initial Access** | Macro-enabled XLSM spreadsheet attachment via phishing email. | Signed .RDP file attachments. |
| **Persistence** | PowerShell script execution following macro enablement. | Establishing a persistent RDP connection using resource redirection. |
| **Privilege Escalation** | Not explicitly detailed, but required user interaction (enabling macros). | Not explicitly detailed; the RDP session operates with whatever permissions the user who opened the file holds. |
| **Defense Evasion** | Use of PowerShell script sourced from an AV-bypass repository (PSSW100AVB). | Disguising command execution as legitimate RDP sessions/RemoteApps. |
| **Credential Access** | GIFTEDCROOK steals browser stored authentication data and cookies. | Clipboard capture and file system access capable of capturing passwords. |
| **Discovery** | Reverse shell established post-execution. | Reading victim drives and obtaining environment variables. |
| **Lateral Movement** | Reverse shell execution suggests potential for C2 command dissemination. | Leverage RDP resource redirection and RemoteApps to interact with the victim environment. |
| **Collection** | Stealing browser data (cookies, history, authentication). | Stealing general files from victim drives and clipboard contents. |
| **Exfiltration** | Conducted by GIFTEDCROOK stealer (method not detailed). | Likely automated via PyRDP for file exfiltration. |
| **Impact** | Theft of sensitive user credentials and browsing data. | Espionage, system reconnaissance, and large-scale file theft. |
*(Note: A third campaign involving fake CAPTCHAs/Cloudflare Turnstile delivering Legion Loader and a rogue browser extension "Save to Google Drive" was mentioned but not fully integrated into the primary timeline due to lack of specific target/impact details matching the main reports above.)*
## Impact Assessment
- **Financial:** Not disclosed.
- **Data Breach:** Sensitive data theft including browser cookies, browsing history, authentication data, files from victim drives, and clipboard contents (including passwords).
- **Operational:** Potential disruption due to malware execution and lateral movement capabilities.
- **Reputational:** Significant risk due to targeting of military and government entities.
## Indicators of Compromise
*Note: Actual indicators are defanged for safety.*
- **Network Indicators:** Connection attempts to the reverse shell's C2 infrastructure (where the PSSW100AVB-derived script was used).
- **File Indicators:** Malicious XLSM files; PowerShell scripts derived from the PSSW100AVB repository; GIFTEDCROOK malware binary. Signed .RDP files.
- **Behavioral Indicators:** User enabling macros on seemingly legitimate documents; Unintended execution of PowerShell scripts; RDP resource redirection not matching standard administrative behavior.
## Response Actions
- **Containment:** Not explicitly detailed, assumed to involve isolating affected systems once identified.
- **Eradication:** Removal of GIFTEDCROOK malware and associated PowerShell scripts; Revoking credentials potentially compromised by the stealer.
- **Recovery:** Restoring systems and ensuring the RDP connection mechanism is blocked (if related to UNC5837). Reissuing credentials.
## Lessons Learned
- User training remains critical, as social engineering via contextual phishing (demining, fines, etc.) is highly effective for macro execution.
- Attackers are creatively misusing legitimate tools (RDP redirection) and readily available open-source code (PSSW100AVB) to achieve initial access and maintain covert operations.
- The use of compromised legitimate email accounts for sending phishing emails increases the perceived trustworthiness of the initial lure.
## Recommendations
- Enhance macro security policies: block macros in files downloaded from the internet, enforce Protected View, or disable macros by default unless the document has been validated.
- Increase scrutiny of unusual RDP usage patterns, specifically monitoring for resource redirection and RemoteApp execution originating from unexpected sources.
- Implement advanced endpoint detection capable of detecting PowerShell activity sourced from unusual repositories or exhibiting AV evasion characteristics.
- Review and restrict clipboard sharing configurations in remote access services if possible.
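As an added example (not tooling from CERT-UA, GTIG or the report above), the following triage helper inspects a `.rdp` attachment for the settings the second campaign relies on: RemoteApp mode, drive and clipboard redirection, and an embedded signature. The sample file contents and the host name are constructed placeholders.

```python
"""Triage helper for .rdp attachments (added example, assumed settings noted inline).

.rdp files are plain text with one 'name:type:value' setting per line, where the
type is i (integer), s (string) or b (binary); a value may itself contain ':'.
"""
from typing import Dict, List, Tuple


def parse_rdp(text: str) -> Dict[str, Tuple[str, str]]:
    """Return {setting_name: (type, value)} for every well-formed setting line."""
    settings: Dict[str, Tuple[str, str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        parts = line.split(":", 2)  # split only twice so ':' inside values survives
        if len(parts) != 3:
            continue  # blank or malformed line; ignore it
        name, kind, value = parts
        settings[name.strip().lower()] = (kind.strip(), value)
    return settings


def assess_rdp(text: str) -> List[str]:
    """List reasons an .rdp file deserves review before a user is allowed to open it."""
    s = parse_rdp(text)
    findings: List[str] = []
    if s.get("remoteapplicationmode", ("i", "0"))[1] == "1":
        prog = s.get("remoteapplicationprogram", ("s", ""))[1]
        findings.append(f"RemoteApp mode enabled (program: {prog or 'unspecified'})")
    if s.get("drivestoredirect", ("s", ""))[1].strip():
        findings.append(f"local drives redirected to remote host: {s['drivestoredirect'][1]}")
    # Note: when this key is absent, mstsc still allows clipboard redirection by default,
    # so only an explicit 0 is reassuring; an explicit 1 is flagged here.
    if s.get("redirectclipboard", ("i", "0"))[1] == "1":
        findings.append("clipboard shared with remote host")
    if "signature" in s:
        findings.append("file carries an embedded signature; verify the signer, not just validity")
    return findings


# Constructed sample, modelled on the settings described in the report (not a real capture).
SAMPLE_RDP = """\
full address:s:rdp.example.invalid:3389
remoteapplicationmode:i:1
remoteapplicationprogram:s:||Launcher
drivestoredirect:s:*
redirectclipboard:i:1
signscope:s:Full Address,Alternate Full Address,RemoteApplicationMode
signature:s:<constructed placeholder, not a real signature>
"""

if __name__ == "__main__":
    for finding in assess_rdp(SAMPLE_RDP):
        print("-", finding)
```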