A Ukraine-focused campaign attributed to UNC1151 is analyzed, covering CHM-based loaders, obfuscated VBScript, and memory-resident backdoors that call back to C2 servers, consistent with earlier Ghostwriter/UNC1151 activity. The analysis includes multiple samples, links to prior UNC1151 operations, and a mature toolset (including MicroBackdoor and Cobalt Strike) used to persist on and control compromised hosts. #UNC1151 #Ghostwriter #Ukraine #MicroBackdoor #CobaltStrike #Isakymas_V-2701 #Operativna_informacia
Keypoints
- UNC1151 is an APT group with links to Ghostwriter activity, previously observed targeting EU and NATO-aligned states with propaganda and credential phishing.
- A new Ukraine-focused attack sample emerged, with ties to earlier UNC1151 activity and CHM/VBS-based delivery chains.
- Attackers deliver a ZIP archive (довідка.zip, "reference" in Ukrainian) containing dovidka.chm; when the CHM is opened, its embedded HTML/JS displays the lure content and triggers the VBS stage.
- The VBS code is obfuscated; it drops ignit.vbs, which in turn loads core.dll entirely in memory, and core.dll launches the MicroBackdoor payload.
- core.dll is a .NET assembly protected with ConfuserEx; it decodes and loads its payload in memory, spawning threads that run the backdoor and establish C2 with a remote server.
- Persistence is achieved via startup mechanisms (e.g., creating a shortcut in the Startup folder and using desktop.ini/vbs for loading).
- Associated samples show a mature framework that can swap backdoors (including a Cobalt Strike Beacon in one CHM), and C2 goes to domains such as xbeta.online over port 8443.
MITRE Techniques
- [T1566.001] Phishing – Spearphishing via Email – Attacks used phishing emails aimed at the private email accounts of Ukrainian armed forces personnel. ‘phishing emails targeting private email accounts of Ukrainian armed forces personnel’
- [T1059.007] JavaScript – JavaScript used in HTML to display lure content. ‘HTML contains two segments of JS code to display bait content’
- [T1059.005] Visual Basic – VBScript released and executed via WScript.exe. ‘VBS code released ignit.vbs and called WScript.exe to execute’
- [T1027] Obfuscated/Compressed Files and Information – Core DLL packed by ConfuserEx and VBS code obfuscated. ‘core.dll is ConfuserEx packed and the VBS code is obfuscated’
- [T1055] Process Injection – In-memory loading of the payload with thread creation. ‘memory-loaded code and the creation of threads to execute’ (Note: loading core.dll reflectively inside the same process is more precisely T1620 Reflective Code Loading; T1055 applies only where the loader writes into another process.)
- [T1547.001] Run Keys / Startup Folder – Persistence by placing a shortcut in the Startup folder. ‘a link file, Network access center.lnk, is created in the startup directory’
- [T1071.001] Web Protocols – C2 communication over HTTP/HTTPS to xbeta.online on port 8443. ‘C2 server xbeta.online:8443’
Indicators of Compromise
- [Domain] C2 domains – xbeta.online, tvasahi.online, multilogin.online
- [MD5] sample hashes – e34d6387d3ab063b0d926ac1fca8c4c4, 62b8db1d541775fba717fc76b2e89353, and 13 more hashes
- [File Name] CHM/ZIP payloads – dovidka.chm, довідка.zip, cert.chm, Operativna_informacia.chm
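The chain summarized in the keypoints (CHM viewer hh.exe handing off to WScript.exe, ignit.vbs, a Startup-folder .lnk, DNS and connections to the listed C2 domains) and the indicators above can be turned into a small hunting pass over endpoint telemetry. The script below is an added example, not code from the original analysis: the event records are constructed to resemble Sysmon-style process-creation, DNS, network and file events, and the field names (`image`, `parent_image`, `cmdline`, `query`, `dest_host`, `target`, `md5`) are assumptions to be mapped onto your own log schema. Domain matching covers subdomains of the IoC domains, which goes beyond the exact hosts listed.

```python
"""Hunt for the UNC1151 CHM -> VBS -> in-memory DLL chain described above.

Added example (not part of the original write-up). Event field names and the
sample records are assumptions/constructed; adapt them to your telemetry.
"""
from __future__ import annotations
import re

# Indicators taken from the IoC list in this write-up
IOC_DOMAINS = {"xbeta.online", "tvasahi.online", "multilogin.online"}
IOC_MD5 = {
    "e34d6387d3ab063b0d926ac1fca8c4c4",
    "62b8db1d541775fba717fc76b2e89353",
}
IOC_FILENAMES = {"dovidka.chm", "cert.chm", "operativna_informacia.chm",
                 "ignit.vbs", "core.dll"}

# Any .lnk dropped into the per-user Startup folder; matched on path shape,
# not the lure name "Network access center.lnk", so renamed variants still hit
STARTUP_LNK_RE = re.compile(r"\\start menu\\programs\\startup\\[^\\]+\.lnk$", re.I)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _domain_matches(host: str) -> bool:
    """True for an IoC domain or any subdomain of one (never a lookalike suffix)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)


def evaluate(event: dict) -> list[str]:
    """Return the names of every rule a single event trips (empty if none)."""
    hits: list[str] = []
    if event.get("md5", "").lower() in IOC_MD5:
        hits.append("ioc_md5")
    kind = event.get("event")
    if kind == "process_create":
        image = _basename(event.get("image", ""))
        parent = _basename(event.get("parent_image", ""))
        cmdline = event.get("cmdline", "").lower()
        # The CHM viewer spawning a script host is the CHM -> VBS hop itself
        if parent == "hh.exe" and image in SCRIPT_HOSTS:
            hits.append("chm_spawns_script_host")
        # A script host running one of the named stage files (e.g. ignit.vbs)
        if image in SCRIPT_HOSTS and any(n in cmdline for n in IOC_FILENAMES):
            hits.append("ioc_filename_in_cmdline")
    elif kind == "dns_query" and _domain_matches(event.get("query", "")):
        hits.append("ioc_domain_dns")
    elif kind == "network_connect" and _domain_matches(event.get("dest_host", "")):
        hits.append("ioc_c2_connect")
    elif kind == "file_create" and STARTUP_LNK_RE.search(event.get("target", "")):
        hits.append("startup_folder_lnk")
    return hits


def hunt(events: list[dict]) -> list[tuple[int, str]]:
    """Run every rule over every event; returns (event index, rule name) pairs."""
    return [(i, rule) for i, ev in enumerate(events) for rule in evaluate(ev)]


# Constructed sample telemetry: the infection chain plus two benign events
SAMPLE_EVENTS = [
    {"event": "process_create", "image": r"C:\Windows\hh.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'hh.exe "C:\Users\u\Downloads\dovidka.chm"'},           # 0: opening a CHM alone is not flagged
    {"event": "process_create", "image": r"C:\Windows\System32\wscript.exe",
     "parent_image": r"C:\Windows\hh.exe",
     "cmdline": r"wscript.exe //B C:\Users\u\AppData\Local\Temp\ignit.vbs"},  # 1
    {"event": "file_create",
     "target": r"C:\Users\u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Network access center.lnk"},  # 2
    {"event": "dns_query", "query": "xbeta.online"},                       # 3
    {"event": "network_connect", "dest_host": "xbeta.online", "dest_port": 8443},  # 4
    {"event": "file_scan", "path": r"C:\Users\u\AppData\Local\Temp\core.dll",
     "md5": "62b8db1d541775fba717fc76b2e89353"},                           # 5
    {"event": "process_create", "image": r"C:\Program Files\Google\Chrome\chrome.exe",
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": "chrome.exe"},  # 6: benign
    {"event": "dns_query", "query": "update.microsoft.com"},               # 7: benign
]

if __name__ == "__main__":
    for idx, rule in hunt(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
```

The hh.exe-to-script-host rule is the one worth keeping even after the listed domains and hashes rotate: compiled help files legitimately open in hh.exe, but hh.exe launching wscript.exe or cscript.exe is rare outside this kind of delivery chain, and the Startup-folder .lnk rule is likewise name-independent.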