Three Cases of Cyber Attacks on the Security Service of Ukraine and NATO Allies, Likely by Russian State-Sponsored Gamaredon

MITRE Techniques

• [T1566.001] Initial Access – Spearphishing Attachment – Phishing email delivered with an attached TAR containing a malicious LNK that, when opened, triggers further payloads. Quote: “On January 23rd, 2023, EclecticIQ analysts identified a phishing email – addressed to the Security Service of Ukraine – with an attached archive file (TAR). The TAR folder contained a malicious shortcut (LNK) file.”
• [T1204] Execution: User Execution Malicious File – User interaction with the LNK leads to executing a second-stage HTML application. Quote: “The TAR folder contained a malicious shortcut (LNK) file. Upon user click, the LNK file downloads and executes a second-stage malicious HTML application (HTA) from a remote address using MSHTA.exe.”
• [T1203] Execution: Exploitation for Client Execution – Word documents leveraging CVE-2017-0199 to download and execute remote templates as a second stage. Quote: “The Malicious Word document leverages the exploit CVE-2017-0199 to download and execute remote templates as a second stage of the malware.”
• [T1140] Defense Evasion: Deobfuscate/Decode Files or Information – HTML smuggling obfuscation updates to evade scanners. Quote: “the threat actors improved the obfuscation routine in the HTML smuggling code (figure 11) to avoid anti-malware scanners.”
• [T1036.007] Defense Evasion: Masquerading Double File Extension – LNKs used to masquerade and deliver malicious payloads; LNK description in Figure 4 discusses their nature as Windows shortcuts. Quote: “LNKs are Windows shortcut files that can contain malicious code to abuse legitimate tools on the system, the so-called living-off-the-land binaries (LOLBAS or LOLBIN).”
• [T1218.005] Defense Evasion: System Binary Proxy Execution Mshta – MSHTA.exe used to download and execute HTA files. Quote: “MSHTA.exe were being actively abused by a Russian state-sponsored threat actor to download and execute the second stage of the malware.”
• [T1027.006] Defense Evasion: HTML Smuggling – HTML smuggling delivers the payload by encoding and delivering it within HTML. Quote: “HTML Smuggling lets an attacker “smuggle” an encoded malicious script within a specially crafted HTML attachment or web page.”
• [T1071.001] Command and Control: Web Protocols – The campaign uses remote URLs to fetch second-stage payloads. Quote: “execute Microsoft HTML Application (HTA) files from a remote URL defined inside the Target section of the LNK file.”
• [T1566.001] Initial Access – Spearphishing Attachment – See above (reinforced by Word/HTML components in Case 2). Quote: “One of those Word documents can be seen in figure 5. This Ukrainian-language Word document contains the name of Culver Aviation’s CEO, corporate email address, and title of the company as a part of the lure.”
• [T1547.001] Persistence: Boot or Logon Autostart Execution – The malware can achieve persistence on the system after infection. Quote: “When the victim system is successfully infected by this malware, the threat actor can get persistence on the system…”
• [T1053.005] Persistence: Scheduled Task – The report includes scheduled task as a persistence technique in Gamaredon campaigns. Quote: “Persistence: Scheduled Task”