A known Russia-linked threat group has been targeting an array of organizations in Ukraine - including government, military, law enforcement, non-profit and judiciary entities - in an attempt to steal sensitive data.
Microsoft detailed several malware campaigns over the past six months by the Actinium threat group (also known as Gamaredon or Primitive Bear). This group has been operational for almost a decade, with several researchers over the years noting that the group’s operations align with Russian interests. In November, the Security Service of Ukraine (SSU) publicly attributed the group’s leadership to the Russian Federal Security Service (FSB).
In a Friday analysis, Microsoft highlighted several tactics, techniques and procedures (TTPs) that have been consistently used by Actinium in its recent campaigns to help sidestep detection, though researchers warned that the actor’s tactics are constantly evolving.
“Since October 2021, Actinium has targeted or compromised accounts at organizations critical to emergency response and ensuring the security of Ukrainian territory, as well as organizations that would be involved in coordinating the distribution of international and humanitarian aid to Ukraine in a crisis,” said Microsoft researchers in the analysis.
Threat Group TTPs
As an initial attack vector, the threat actor typically uses spear-phishing emails that pose as coming from legitimate organizations but carry malicious macro attachments. One observed email, for instance, purported to be from the World Health Organization (WHO) and attached a legitimate who.int situational Covid-19 report that had been published on July 27, 2021.
When victims open these attachments, the attackers use a technique called remote template injection, in which the document loads a remote template that carries the malicious code. From there, a first-stage payload is downloaded and executes further payloads. Because the malicious content is only loaded when the user opens the document, attackers have a better chance of avoiding detection, said researchers.
“This helps attackers to evade static detections, for example, by systems that scan attachments for malicious content,” said Microsoft researchers. “Having the malicious macro hosted remotely also allows an attacker to control when and how the malicious component is delivered, further evading detection by preventing automated systems from obtaining and analyzing the malicious component.”
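Remote template injection leaves a fingerprint defenders can check for before the document is ever opened: the relationship file `word/_rels/settings.xml.rels` inside the .docx declares an `attachedTemplate` with `TargetMode="External"`. The following parser is an added example (not Microsoft's code, and not tied to any real Actinium sample); it builds a minimal constructed .docx with a placeholder template URL and flags only templates that would be fetched over the network, so documents created from a local `Normal.dotm` are not reported.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# OOXML relationship type Word uses for an attached document template.
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")
RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"


def is_remote_target(target: str) -> bool:
    """True if an External template target would be fetched over the network."""
    if target.startswith("\\\\"):              # UNC path: \\server\share\x.dotm
        return True
    parsed = urlparse(target)
    if parsed.scheme in ("http", "https"):
        return True
    # file://server/share/x.dotm has a netloc; file:///C:/... (local) does not
    return parsed.scheme == "file" and bool(parsed.netloc)


def find_remote_templates(docx_bytes: bytes) -> list:
    """Return every remote attachedTemplate target declared in a .docx.
    Word resolves this relationship at open time, so an External target on a
    remote host makes Word download that .dotm (and its macros) when opened."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        if "word/_rels/settings.xml.rels" not in z.namelist():
            return hits                        # no template relationship at all
        root = ET.fromstring(z.read("word/_rels/settings.xml.rels"))
        for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
            if (rel.get("Type") == ATTACHED_TEMPLATE
                    and rel.get("TargetMode") == "External"
                    and is_remote_target(rel.get("Target", ""))):
                hits.append(rel.get("Target"))
    return hits


def build_docx(template_target: str) -> bytes:
    """Constructed minimal .docx whose settings part references a template."""
    rels = (f'<Relationships xmlns="{RELS_NS}"><Relationship Id="rId1" '
            f'Type="{ATTACHED_TEMPLATE}" Target="{template_target}" '
            'TargetMode="External"/></Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/settings.xml", "<settings/>")   # stand-in for real part
        z.writestr("word/_rels/settings.xml.rels", rels)
    return buf.getvalue()
```

Running `find_remote_templates` over mail attachments at the gateway catches the remote-template pattern even when the .docx itself contains no macro, which is exactly the gap the quoted researchers describe for attachment scanners.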
In another effort to evade detection, Actinium spreads the operational infrastructure it uses for payload staging and command-and-control (C2) widely across many domains and hosts, and the DNS records for those domains also change frequently; researchers observed the threat group using 25 new unique domains and 80 unique IP addresses over 30 days. The group's malware often uses randomized subdomains for C2, and the randomized generation process has included a wordlist of English words. This makes the domains appear more legitimate and throws a wrench into network defense tools that rely on domain-name blocklists. The wordlist appears to be used to obfuscate other parts of the attacks as well, said researchers, including the naming of payloads, scheduled tasks, files and folders.
Microsoft researchers also pointed to a variety of heavily obfuscated malware families used by the threat actor, including the PowerPunch downloader, which relies on data from the compromised host to derive the encryption of the next stage, and a .NET binary called QuietSieve that is geared toward file exfiltration and monitoring. The attackers also frequently use Pterodo, a constantly evolving malware with a full range of capabilities aimed at making analysis difficult.
“A couple of features play a direct role in this malware’s ability to evade detection and thwart analysis: its use of a dynamic Windows function hashing algorithm to map necessary API components, and an 'on-demand' scheme for decrypting needed data and freeing allocated heap space when used,” said researchers.
The research comes as tensions between Russia and Ukraine have continued to escalate since November. Several cyberattacks were launched against Ukrainian organizations in January, including one that led to a number of government websites being defaced, and a wiper malware attack on Ukrainian organizations and officials. The wiper attacks utilized the WhisperGate malware in an effort to overwrite the master boot record (MBR) of infected computers and wipe out all of their data.
Microsoft’s analysis follows new research last week by Palo Alto Networks’ Unit 42 team, which exposed an attempt by the threat group to compromise a Western government entity in Ukraine in January. Microsoft researchers said that they are sharing further details of these more recently uncovered campaigns given the heightened geopolitical situation, as well as the scale of the threat actor’s activity, in hopes of helping organizations investigate potential attacks and implement protections.
“MSTIC has observed ACTINIUM operating out of Crimea with objectives consistent with cyber espionage,” according to Microsoft researchers. “The Ukrainian government has publicly attributed this group to the Russian Federal Security Service (FSB).”