Emulating the Destructive Sandworm Adversary

Sandworm (also tracked as APT44, Seashell Blizzard, and Voodoo Bear) conducted intrusions against Ukrainian organizations using exploited web services and a custom webshell called LocalOlive, then relied on living-off-the-land techniques to conduct reconnaissance, persistence, and credential theft. The campaign and associated emulation highlight specific TTPs—including LSASS dumping, scheduled task persistence, and PowerShell-based defense evasion—and include malware samples with SHA256 hashes for testing. #LocalOlive #Sandworm

Keypoints

  • Two Ukrainian entities—a large business services organization and a local government organization—were compromised to harvest sensitive information.
  • Initial access was likely obtained by exploiting externally exposed web services, followed by deployment of the LocalOlive webshell linked to past Sandworm intrusions.
  • Attackers used living-off-the-land techniques (built-in OS utilities) to conduct discovery, persistence, and credential access while minimizing detection.
  • Specific persistence methods included creating scheduled tasks and enabling remote access via registry changes and firewall rules.
  • Credential access techniques included dumping LSASS memory to a minidump and exporting the SYSTEM registry hive.
  • Discovery actions used standard Windows commands and PowerShell (whoami, tasklist, systeminfo, arp, tracert, Get-Process, Get-AdComputer, Get-WindowsCapability) to map the environment.
  • Three Sandworm malware samples are provided with SHA256 hashes for emulation and security control validation (system.exe, service.exe, nano.exe).

MITRE Techniques

  • [T1105] Ingress Tool Transfer – Used to download malware samples to memory and save to disk (“The Sandworm system.exe Sample… is downloaded to memory and saved to disk…”).
  • [T1053.005] Scheduled Task – Persistence via creating a scheduled task using the schtasks utility (“This scenario creates a new scheduled task for persistence using the schtasks utility.”).
  • [T1562.001] Deobfuscate/Defense Evasion (Add Process to Microsoft Defender Exclusion) – Adds a process to the Defender exclusion list using the Add-MpPreference PowerShell cmdlet (“This scenario adds a process to the Microsoft Defender exclusion list using the Add-MpPreference Powershell cmdlet.”).
  • [T1562.004] Deobfuscate/Defense Evasion (Firewall Rule) – Creates an outbound firewall rule via New-NetFirewallRule to allow SSH communication (“This scenario executes the New-NetFirewallRule Powershell cmdlet to create a new outbound firewall rule.”).
  • [T1112] Modify Registry for Remote Desktop (Enable Legacy Security Layer) – Changes the SecurityLayer registry value to enable legacy RDP security for remote access (“…sets the value of the SecurityLayer registry key… to 0 to force the server to use the legacy native RDP Security Layer”).
  • [T1003.001] LSASS Memory Dumping – Dumps LSASS process memory to a minidump using rundll32.exe with comsvcs.dll (“…dumps the Windows Local Security Authority Server Service (LSASS) process memory to a Minidump file using rundll32.exe in combination with comsvcs.dll…”).
  • [T1003.002] Registry Hive Dumping – Saves the HKLM\SYSTEM hive to a temp file via reg save (“…attempts to save a copy of the HKLM\SYSTEM registry hive to a temporary file by executing the native Windows reg save command.”).
  • [T1033] Account Discovery (whoami) – Obtains the username via the whoami command (“This scenario executes the native whoami command to receive details of the running user account.”).
  • [T1057] Process Discovery (tasklist/Get-Process) – Enumerates running processes using tasklist and Get-Process (“This scenario enumerates processes… through the tasklist Windows utility.” / “This scenario leverages the Get-Process Powershell cmdlet to gather detailed information about running processes…”).
  • [T1082] System Information Discovery (systeminfo/Get-WindowsCapability/query session) – Gathers system info and capabilities using systeminfo, Get-WindowsCapability, and query session (“This scenario executes the systeminfo command…” / “This scenario executes the Get-WindowsCapability Powershell cmdlet…” / “This scenario executes the query session command…”).
  • [T1018] Remote System Discovery (net/Get-AdComputer) – Discovers domain hosts via net group “Domain Computers” and the Get-AdComputer PowerShell cmdlet (“This scenario executes the net group “Domain Computers” /domain command…” / “This scenario executes the Get-AdComputer Powershell cmdlet…”).
  • [T1016] Network Discovery (arp/tracert) – Retrieves ARP information and verifies internet connectivity/topology via arp -a and tracert (“This scenario executes the arp -a command…” / “This scenario executes the tracert command to gather information about the topology of the network.”).
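As an added detection example (not code from the AttackIQ post or from the emulation scenarios themselves), the following Python matches process-creation events against the command patterns the persistence, defense-evasion and credential-access scenarios above rely on. The rules, image paths and sample event lines are constructed for illustration; in practice the same fields come from Sysmon Event ID 1 or an EDR process log.

```python
import re
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    technique: str   # MITRE ID from the list above
    image: str       # regex on the spawning image path
    cmdline: str     # regex on the command line, matched case-insensitively

# One rule per scenario; image and command line must both match, so a plain
# "reg query" or an ordinary rundll32 launch does not fire.
RULES = [
    Rule("T1003.001", r"rundll32\.exe$", r"comsvcs\.dll.*minidump"),
    Rule("T1003.002", r"reg\.exe$", r"\bsave\b.*hklm\\system"),
    Rule("T1053.005", r"schtasks\.exe$", r"/create\b"),
    Rule("T1562.001", r"powershell\.exe$", r"add-mppreference.*-exclusion"),
    Rule("T1562.004", r"powershell\.exe$", r"new-netfirewallrule"),
    Rule("T1112", r"(reg|powershell)\.exe$", r"securitylayer|fdenytsconnections"),
]

def match_event(image: str, cmdline: str) -> list[str]:
    """Return technique IDs whose rule matches one process-creation event."""
    return [r.technique for r in RULES
            if re.search(r.image, image, re.I) and re.search(r.cmdline, cmdline, re.I)]

def scan(events: list[tuple[str, str]]) -> dict[str, int]:
    """Count technique hits over (image, cmdline) pairs, e.g. Sysmon Event ID 1 fields."""
    hits: Counter[str] = Counter()
    for image, cmdline in events:
        hits.update(match_event(image, cmdline))
    return dict(hits)

# Constructed sample events modelled on the scenarios; PIDs and paths are invented.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    (r"C:\Windows\System32\rundll32.exe",
     r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 712 C:\Windows\Temp\l.dmp full"),
    (r"C:\Windows\System32\reg.exe", r"reg save HKLM\SYSTEM C:\Windows\Temp\sys.tmp"),
    (r"C:\Windows\System32\schtasks.exe", r'schtasks /create /tn "Updater" /tr C:\Users\Public\service.exe /sc onlogon'),
    (PS, "powershell -c Add-MpPreference -ExclusionProcess system.exe"),
    (PS, "powershell -c New-NetFirewallRule -DisplayName ssh -Direction Outbound -RemotePort 22 -Protocol TCP -Action Allow"),
    (r"C:\Windows\System32\reg.exe",
     r'reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v SecurityLayer /t REG_DWORD /d 0 /f'),
    (r"C:\Windows\System32\whoami.exe", "whoami"),                 # benign discovery, no rule
    (r"C:\Windows\System32\reg.exe", r"reg query HKLM\SOFTWARE"),  # benign, no rule
]
```

Running `scan(SAMPLE_EVENTS)` yields one hit for each of the six rules and none for the two benign events; the discovery commands (whoami, tasklist, systeminfo) are deliberately left out of the rule set because they are too common to alert on alone.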

Indicators of Compromise

  • [File Hash] Malware samples used in emulation – 08ced2cca0b22dd7a211ebf318b8186fc1c2149943338c77ee2ac677b473727f, 2866763ebd3124bfe9cf3f65d6341dda6bbb98e2653c98dd2f001f152e082291, and ba6301e35fc3feb41ece82e518f97a81263aa3bd750de7a84eef01dbf15f3507.
  • [File Name] Dropped executable names used in campaign/emulation – system.exe, service.exe, nano.exe (used to test network and endpoint controls).
  • [Webshell] Deployed webshell identifier – LocalOlive webshell observed after initial access (linked to past Sandworm intrusions).
  • [Registry Keys] Persistence and remote access configuration – HKLM\SYSTEM\CurrentControlSet\Control\Terminal Services\fDenyTSConnections set to 0; HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\SecurityLayer set to 0 (used to enable/modify RDP settings).


Read more: https://www.attackiq.com/2025/11/14/sandworm/