Opportunistic cybercriminals are advertising cyber tools to target Russian entities, but the downloaded tools are actually infostealers that steal credentials and cryptocurrency data. The campaign leverages Telegram and sympathetic online spaces tied to the Russia-Ukraine conflict, underscoring heightened threat activity as actors try to piggyback on current events. #Disbalancer #Liberator
Keypoints
- Threat actors are exploiting Ukrainian sympathizers by offering malware masquerading as offensive cyber tools aimed at Russian targets.
- A Telegram-based distribution scheme promotes a tool called Liberator by the group disBalancer, which is actually an information stealer.
- The delivered malware is a dropper that, after anti-debug checks and process actions, loads the Phoenix information stealer to exfiltrate data.
- The infostealer harvests browser data and cryptocurrency-related information (wallets, MetaMask) and sends it to a remote Russian IP on port 6666.
- Files are distributed with names like Disbalancer.exe and other variants; the campaign has continued since at least 2021, leveraging war-related themes.
- Users are reminded to scrutinize suspicious emails and verify software before downloading, as threat actors widen their repertoire during the conflict.
MITRE Techniques
- [T1218.011] Signed Binary Proxy Execution β Regsvcs β Brief description of how it was used. Quote relevant content using bracket (βThe regsvcs.exe is not used as a living off the land binary (LoLBin). It is injected with the malicious code, which consists of the Phoenix information stealer.β)
- [T1036] Masquerading β Brief description of how it was used. Quote relevant content using bracket (βThe campaign is based on a dropper disguised as the Disbalancer.exe tool.β)
- [T1041] Exfiltration Over C2 Channel β Brief description of how it was used. Quote relevant content using bracket (βThe information is then sent to a remote IP address, in this case, a Russian IP β 95[.]142.46.35 β on port 6666.β)
- [T1555.003] Credentials in Web Browsers β Brief description of how it was used. Quote relevant content using bracket (βa large amount of cryptocurrency-related information, including wallets and metamask informationβ)
- [T1560] Archive Collected Data β Brief description of how it was used. Quote relevant content using bracket (βa ZIP file of the stolen data is also uploaded to the serverβ)
- [T1027] Obfuscated/Compressed Files and Information β Brief description of how it was used. Quote relevant content using bracket (βThe dropper is protected with ASProtect, a known packer for Windows executables.β)
Indicators of Compromise
- [Hash] β context: example hashes β 33e5d605c1c13a995d4a2d7cb9dca9facda4c97c1c7b41dc349cc756bfc0bd67, f297c69795af08fd930a3d181ac78df14d79e30ba8b802666605dbc66dffd994 and 2 more hashes
- [IP] context: C2 communications β 95.142.46.35 β Port 6666
- [File name] context: dropper and related payloads β Disbalancer.exe, peview.exe
Read more: https://blog.talosintelligence.com/2022/03/threat-advisory-cybercriminals.html