Securonix Threat Research Security Advisory: Analysis and Detection of STEADY#URSA Attack Campaign Targeting Ukraine Military Dropping New Covert SUBTLE-PAWS PowerShell Backdoor

An active campaign delivering a new PowerShell backdoor tracked as SUBTLE-PAWS targets Ukrainian military personnel via compressed archives containing malicious .lnk shortcuts that load encoded PowerShell payloads and spread through USB drives. The backdoor stores executable PowerShell code in HKCU registry keys for persistence, retrieves C2 IPs from telegra.ph pages and guvalas[.]ru DNS queries, and uses encoding/obfuscation and timing delays to evade detection. #SUBTLEPAWS #Shuckworm

Keypoints

  • Initial execution uses archived lure files with .lnk shortcuts (named after Ukrainian cities or military terms) that invoke powershell.exe with hidden window arguments to run code from an adjacent file.
  • Secondary files (e.g., finance.bin, britex.was) contain a single PowerShell one-liner with a large Base64 string; the string is decoded and executed, with the script split into comment-separated chunks executed in separate PowerShell processes.
  • SUBTLE-PAWS stores multiple PowerShell functions as values under HKCU (e.g., HKCU:\System) and establishes persistence by writing an Invoke-Expression entry into HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run that loads registry-stored code.
  • C2 resolution is dynamic: the backdoor parses telegra.ph pages to extract IPs (e.g., 185.245.184[.]146) and uses guvalas[.]ru for randomized DNS queries to determine working C2 addresses, with OS-sensitive methods (curl vs MSXML vs nslookup).
  • Lateral propagation relies on creating malicious .lnk files on all mounted removable drives (replication through removable media) rather than network-based movement, targeting air-gapped environments.
  • Evasion techniques include Base64 and XOR encoding, string-splitting to bypass AMSI, long/random sleeps, redundant loops (e.g., repeated MachineGUID reads), COM objects and VBScript execution to obscure behavior.
  • Securonix provides detection/hunting queries and a list of analyzed filenames and file hashes to aid defenders in identifying the activity.

MITRE Techniques

  • [T1027] Obfuscated Files or Information – Used to hide payloads and evade detection by splitting strings and encoding payloads. [‘Most of the individual PowerShell functions…certain strings were broken apart and split into smaller strings that might typically be flagged by AMSI or other AV detections.’]
  • [T1027.010] Command Obfuscation – PowerShell strings and commands are fragmented and reconstructed to avoid heuristic detection. [‘Most of these were contained within the initial first few lines.’]
  • [T1070.004] Indicator Removal: File Deletion – Script deletes temporary files (e.g., ps3.bin) upon certain HTTP responses to remove staging artifacts. [‘If it gets a 404 status…it deletes the ps3.bin file.’]
  • [T1140] Deobfuscate/Decode Files or Information – Base64 and XOR decoding is performed to obtain executable PowerShell. [‘These files contain a single PowerShell one liner containing a single variable consisting of a large Base64 string of the SUBTLE-PAWS backdoor.’]
  • [T1059] Command and Scripting Interpreter – PowerShell is the primary execution mechanism across the chain. [‘Throughout the entire attack campaign, most of the code executed by the malware was PowerShell.’]
  • [T1059.001] PowerShell – Invoked directly from .lnk shortcuts and used to run decoded registry-stored functions. [‘The shortcut file links directly to the powershell.exe process with a single, short argument…’]
  • [T1204.001] User Execution: Malicious Link – Victims trigger execution by double-clicking malicious .lnk files extracted from archives. [‘Execution begins when the victim user unzips the archive and double clicks on the included shortcut file.’]
  • [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder – Persistence achieved by writing an Invoke-Expression entry into the Run key that loads registry-stored code. [‘Persistence is established by creating a new registry key at “HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run” which uses an invoke expression to load and execute the “run” registry key saved into “HKCU:\System”.’]
  • [T1132.001] Data Encoding: Standard Encoding – Uses Base64 (and XOR) to encode payloads and exfiltration content. [‘The file contains a large Base64 encoded string which when decoded, executes additional PowerShell.’]
  • [T1573] Encrypted Channel – Script builds HTTPS/HTTP C2 URLs and attempts HTTPS first depending on OS, supporting encrypted communications where available. [‘The function constructs a URL to communicate with. It uses HTTPS for systems with an OS version greater than 7, otherwise, it defaults to HTTP.’]
  • [T1091] Replication Through Removable Media – Propagation is achieved by creating shortcuts on all mounted removable drives to execute registry-stored payloads. [‘This function uses an interesting approach for determining… lateral movement for the STEADY#URSA campaign relies solely on the use of USB drives…’]

Indicators of Compromise

  • [IP addresses] backdoor C2 – 185.245.184[.]146, 195.133.88[.]136, and 4 more IPs listed for C2 communication
  • [Domains/URLs] C2 resolution infrastructure – hxxps://telegra[.]ph/home-11-29-16 (used to store C2 IP), guvalas[.]ru (used for randomized DNS queries)
  • [File names] staging and lure files – finance.bin, britex.was, and many .lnk lures such as ODESSA.lnk and KROPIVA.lnk
  • [File hashes] analyzed artifacts – finance.bin: 2F0375BB6A732010D0082F0F44F74D6A641E0A61C9F77D7922A15597CDA6A1CD, KROPIVA.lnk: D7E22847… (and 30+ more hashes provided)

SUBTLE-PAWS technical procedure (condensed)

The infection begins when a user extracts an archive and double-clicks a crafted .lnk shortcut (named with enticing labels like ODESSA.lnk or KROPIVA.lnk). The .lnk calls powershell.exe with a hidden window and a short command that uses Get-Content (gc) to read an adjacent file (e.g., finance.bin or britex.was). Those secondary files are not binaries but one-line PowerShell scripts containing a large Base64 string; the string is decoded and executed, with the attackers splitting the script into comment-separated chunks executed via ForEach-Object in separate PowerShell processes.

Once decoded, the SUBTLE-PAWS payload stores many of its functions as registry values under HKCU (e.g., HKCU:\System and value names like pyrolyzing505, softwareenvironment816). Persistence is achieved by writing an Invoke-Expression caller into HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run that loads registry-stored code. Individual functions implement: decoding/XOR routines, execution via MSScriptControl (VBScript), a persistent run loop that reads and executes registry-held code, shortcut creation routines (SetLink/prepare-lnk) to place .lnk files on mounted removable drives, and segmenttable453/softwareenvironment816 logic that determines a working C2 address.

C2 resolution is dynamic and OS-aware: the backdoor parses telegra.ph pages to extract an IP wrapped in * characters and may use curl, MSXML2.XMLHTTP, or nslookup with randomized domains under guvalas[.]ru to find an address; results are cached to ps3.bin. Evasion includes Base64/XOR encoding, string splitting, long/random sleeps, redundant loops (e.g., repeated MachineGUID reads) and COM-based execution to complicate analysis. A failsafe removes the script if HTTPS communication fails, while registry objects may remain, and lateral spread is performed exclusively via malicious shortcuts on removable media rather than network propagation.
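The procedure above maps onto three observable behaviours a defender can hunt for in endpoint telemetry: a hidden-window powershell.exe launch that reads an adjacent file with Get-Content, a Run-key value that Invoke-Expressions code pulled back out of HKCU, and powershell.exe dropping .lnk files on a drive root. The following is an added example (not code from Securonix or from the advisory) that runs those three checks over constructed sample events shaped like Sysmon process-creation, registry-set and file-create records; the event field names, command lines and value names are assumptions made for this example.

```python
import re

# Behaviour 1: powershell.exe started with a hidden window and a short command that
# reads a sibling file via Get-Content / gc (the .lnk launch stage).
LNK_LAUNCH = re.compile(
    r"powershell(\.exe)?\b.*?-w(indowstyle)?\s+h(idden)?\b.*?\b(gc|get-content|cat|type)\b",
    re.IGNORECASE)
# Behaviour 2: Invoke-Expression over data read back from the registry (HKCU:, gp, Get-ItemProperty).
IEX_FROM_REGISTRY = re.compile(
    r"\b(iex|invoke-expression)\b.*?(get-itemproperty|\bgp\b|hkcu:)", re.IGNORECASE | re.DOTALL)
RUN_KEY = re.compile(r"\\currentversion\\run\b", re.IGNORECASE)


def classify(event):
    """Return the SUBTLE-PAWS behaviour names an event matches (empty list if none)."""
    hits = []
    kind = event.get("type")
    if kind == "process_create":
        cmd = event.get("command_line", "")
        parent = event.get("parent_image", "").lower()
        if parent.endswith("explorer.exe") and LNK_LAUNCH.search(cmd):
            hits.append("lnk_hidden_powershell_gc")   # user double-clicked a shortcut
        if IEX_FROM_REGISTRY.search(cmd):
            hits.append("iex_from_registry")
    elif kind == "registry_set":
        if RUN_KEY.search(event.get("key", "")) and IEX_FROM_REGISTRY.search(event.get("data", "")):
            hits.append("run_key_iex_registry_loader")   # persistence loader in the Run key
    elif kind == "file_create":
        if event.get("image", "").lower().endswith("powershell.exe") and \
                event.get("target", "").lower().endswith(".lnk"):
            hits.append("powershell_writes_lnk")   # shortcut placed on a (removable) drive
    return hits


def hunt(events):
    """Return (index, hits) for every event that triggers at least one detector."""
    return [(i, classify(e)) for i, e in enumerate(events) if classify(e)]


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [  # constructed sample telemetry, not data from the advisory
    {"type": "process_create", "parent_image": r"C:\Windows\explorer.exe", "image": PS,
     "command_line": 'powershell.exe -w hidden "gc .\\finance.bin | iex"'},
    {"type": "registry_set", "key": r"HKU\S-1-5-21-1111\Software\Microsoft\Windows\CurrentVersion\Run\sysupd",
     "data": 'powershell -w h -c "iex (gp HKCU:\\System).run"'},
    {"type": "process_create", "parent_image": r"C:\Windows\explorer.exe", "image": PS,
     "command_line": r"powershell.exe -NoProfile -File C:\scripts\backup.ps1"},   # benign
    {"type": "registry_set", "key": r"HKU\S-1-5-21-1111\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "data": r'"C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},   # benign
    {"type": "file_create", "image": PS, "target": r"E:\KROPIVA.lnk"},
]

if __name__ == "__main__":
    for idx, hits in hunt(SAMPLE_EVENTS):
        print(idx, hits)
```

Each detector is deliberately narrow; in a real deployment the Run-key check should also baseline legitimate PowerShell autoruns, and the .lnk check is most useful when joined with removable-drive mount events.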

Read more: https://www.securonix.com/blog/security-advisory-steadyursa-attack-campaign-targets-ukraine-military/