The report details UNC1151’s spearphishing campaign targeting Ukrainian entities, delivering a multi-stage malware chain including GRIMPLANT, GRAPHSTEEL, BEACON, and MICROBACKDOOR via CHM and lure documents. It documents how Go-based droppers download modules, establish persistence, exfiltrate data, and communicate with C2 servers over TLS/HTTP/DNS, with overlapping activity seen in prior UNC1151 campaigns. Hashtags: #UNC1151 #GRIMPLANT #GRAPHSTEEL #BEACON #MICROBACKDOOR #Ukraine
Keypoints
- UNC1151 is a Belarus-linked espionage cluster that targets government and media entities in Ukraine, Poland, and other countries, with potential ties to Ghostwriter operations.
- Lure-based delivery uses documents such as Instruction on anti-virus protection.doc and User guide.doc, leading to a CHM containing obfuscated VBS for payload delivery.
- The campaign uses multi-stage payloads: the information stealers GRIMPLANT and GRAPHSTEEL and the BEACON and MICROBACKDOOR backdoors, all fetched by a Go-based downloader.
- Persistence is achieved by a Run key value in the Windows registry (HKCU\Software\Microsoft\Windows\CurrentVersion\Run\java-sdk) that launches java-sdk.exe at logon.
- GRIMPLANT and GRAPHSTEEL perform extensive reconnaissance (system survey, browser credential theft, file and drive enumeration) and exfiltrate data to C2 servers, with GRAPHSTEEL using TLS/encrypted channels.
- The implant executes PowerShell commands received from the C2, and some components use Base64 encoding to obfuscate payloads and strings during delivery and operation.
MITRE Techniques
- [T1566.001] Spearphishing Attachment – Lure documents deliver a CHM with obfuscated VBS to drop payloads. “Lure document” and “Contains obfuscated VBS”
- [T1105] Ingress Tool Transfer – Go downloader fetches payloads from a remote server. “C&C: 194.31.98.124:443”
- [T1059.005] VBScript – CHM-hosted VBS code drops the next payload. “Contains obfuscated VBS”
- [T1547.001] Registry Run Keys / Startup Folder – java-sdk.exe persists via a Run key value. “HKCU\Software\Microsoft\Windows\CurrentVersion\Run\java-sdk”
- [T1059.001] PowerShell – C2 can issue and execute PowerShell commands on the host. “handles PowerShell commands it receives from the C&C”
- [T1082] System Information Discovery – GRIMPLANT performs a basic system survey (name, user, IP, OS, CPUs). “system survey, querying the following”
- [T1555.003] Credentials from Web Browsers – GRAPHSTEEL harvests Chrome/IE/Firefox/Thunderbird credentials. “Chrome … Internet Explorer … Firefox … Thunderbird”
- [T1041] Exfiltration Over C2 Channel – System, browser and file data are uploaded to the C2, with GRAPHSTEEL using TLS. “uploads the information to the C&C” / “TLS”
- [T1083] File and Directory Discovery – GRAPHSTEEL enumerates drives D-Z and reads the content of each unique file for exfiltration. “enumerates drives D-Z and the files within each drive” / “reads the content of each unique file”
- [T1056.001] Keylogging – BEACON captures keystrokes. “BEACON backdoor … can also capture keystrokes”
- [T1113] Screen Capture – BEACON captures screenshots. “capture keystrokes and screenshots”
- [T1027] Obfuscated/Compressed Files and Information – Base64-encoded payloads and strings. “Base64-encoded” / “Base64-encoded text”
- [T1059.003] Windows Command Shell – Shell commands are executed on behalf of the C2; Go/Python-based tooling observed. “shell command execution”
Indicators of Compromise
- [IP] 194.31.98.124 – C2/dropper host used by the Go downloader and for GRIMPLANT/GRAPHSTEEL callbacks (port 443)
- [IP] 45.84.0.116 – C2/downloader host used for multiple payloads
- [Domain] forkscenter.fr – Staging host for BitdefenderWindowsUpdatePackage.exe, a payload masquerading as a Bitdefender update
- [Domain] cdn.discordapp.com – Legitimate Discord CDN abused to stage one.exe; match on the full attachment URL below, not on the domain, to avoid blocking benign traffic
- [URL] https://forkscenter.fr/BitdefenderWindowsUpdatePackage.exe – Lure delivery URL
- [URL] https://cdn.discordapp.com/attachments/947916997713358890/949948174636830761/one.exe – Alternative dropper URL
- [MD5] 36ff9ec87c458d6d76b2afbd5120dfae – java-sdk.exe
- [MD5] 4a5de4784a6005aa8a19fb0889f1947a – oracle-java.exe
- [MD5] bd65d0d59f6127b28f0af8a7f2619588 – C:\Users\Public\ignit.vbs (VBS launcher)
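The indicators above are only useful once they are run against telemetry. The script below is an added example (not code from the Mandiant report or from UNC1151 tooling) that scans log lines for the page's IOCs: the C2 IPs, the staging URLs, the three MD5s, the Run key persistence value and the ignit.vbs dropper path. The log lines, the internal client address, the SID and the drop location of java-sdk.exe are all constructed for illustration. Two details matter in practice and are built in: Sysmon records per-user hives as HKU\<SID>\... rather than HKCU\..., and cdn.discordapp.com is matched only as the exact attachment URL, never as a bare domain.

```python
"""Hunt for the UNC1151 indicators listed on this page in sample log lines.

Added example, not code from the Mandiant report. SAMPLE_LOGS is constructed;
a real run would read proxy/DNS exports and Sysmon events (EID 1 process
create, EID 11 file create, EID 13 registry value set) from a SIEM.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Indicators copied from the IOC list on this page.
C2_IPS = {"194.31.98.124", "45.84.0.116"}
STAGING_DOMAINS = {"forkscenter.fr"}
# cdn.discordapp.com is a shared, legitimate CDN: match the exact staging URL
# only, so it is deliberately absent from STAGING_DOMAINS.
STAGING_URLS = {
    "https://forkscenter.fr/BitdefenderWindowsUpdatePackage.exe",
    "https://cdn.discordapp.com/attachments/947916997713358890/"
    "949948174636830761/one.exe",
}
KNOWN_MD5 = {
    "36ff9ec87c458d6d76b2afbd5120dfae": "java-sdk.exe",
    "4a5de4784a6005aa8a19fb0889f1947a": "oracle-java.exe",
    "bd65d0d59f6127b28f0af8a7f2619588": "ignit.vbs",
}
# Sysmon logs the current-user hive as HKU\<SID>\..., not HKCU\..., so accept both.
RUN_KEY_RE = re.compile(
    r"(?:HKCU|HKU\\S-1-5-21-[\d-]+)\\Software\\Microsoft\\Windows"
    r"\\CurrentVersion\\Run\\java-sdk\b", re.IGNORECASE)
IGNIT_VBS_RE = re.compile(r"C:\\Users\\Public\\ignit\.vbs\b", re.IGNORECASE)
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
MD5_RE = re.compile(r"\b[0-9a-fA-F]{32}\b")   # word boundaries keep SHA256s out


@dataclass(frozen=True)
class Hit:
    line_no: int
    kind: str        # ip | domain | url | hash | persistence | dropper
    indicator: str


def scan_line(line_no: int, line: str) -> list[Hit]:
    """Return every page indicator found in one log line."""
    hits = []
    for url in URL_RE.findall(line):
        host = (urlsplit(url).hostname or "").lower()
        if url in STAGING_URLS:
            hits.append(Hit(line_no, "url", url))
        elif host in STAGING_DOMAINS:          # other paths on the staging host
            hits.append(Hit(line_no, "domain", host))
    for ip in IP_RE.findall(line):
        if ip in C2_IPS:
            hits.append(Hit(line_no, "ip", ip))
    for digest in MD5_RE.findall(line):
        name = KNOWN_MD5.get(digest.lower())   # Sysmon prints hashes upper-case
        if name:
            hits.append(Hit(line_no, "hash", f"{digest.lower()} ({name})"))
    if RUN_KEY_RE.search(line):
        hits.append(Hit(line_no, "persistence", r"Run\java-sdk"))
    if IGNIT_VBS_RE.search(line):
        hits.append(Hit(line_no, "dropper", r"C:\Users\Public\ignit.vbs"))
    return hits


def scan_logs(lines) -> list[Hit]:
    hits = []
    for n, line in enumerate(lines, 1):
        hits.extend(scan_line(n, line))
    return hits


def summarize(hits) -> dict:
    """Count hits per indicator kind, e.g. {'ip': 1, 'hash': 1}."""
    counts = {}
    for h in hits:
        counts[h.kind] = counts.get(h.kind, 0) + 1
    return counts


# Constructed proxy/DNS/Sysmon-style lines; hosts, SID and paths are made up.
SAMPLE_LOGS = [
    r"2022-03-07T10:19:02Z proxy src=10.0.8.15 url=https://forkscenter.fr/BitdefenderWindowsUpdatePackage.exe status=200",
    r"2022-03-07T10:19:40Z proxy src=10.0.8.15 url=https://cdn.discordapp.com/attachments/111111111111111111/222222222222222222/team-photo.png status=200",
    r"2022-03-07T10:20:10Z sysmon eid=11 image=C:\Windows\hh.exe targetfilename=C:\Users\Public\ignit.vbs",
    r"2022-03-07T10:20:31Z sysmon eid=1 image=C:\Users\Public\java-sdk.exe hashes=MD5=36FF9EC87C458D6D76B2AFBD5120DFAE parent=C:\Windows\System32\wscript.exe",
    r"2022-03-07T10:20:32Z sysmon eid=13 image=C:\Users\Public\java-sdk.exe target=HKU\S-1-5-21-1004336348-1177238915-682003330-1001\Software\Microsoft\Windows\CurrentVersion\Run\java-sdk details=C:\Users\Public\java-sdk.exe",
    r"2022-03-07T10:21:44Z proxy src=10.0.8.15 dst=194.31.98.124:443 method=CONNECT bytes=18342",
    r"2022-03-07T10:22:05Z dns client=10.0.8.15 query=update.example.com type=A answer=203.0.113.10",
]

if __name__ == "__main__":
    for hit in scan_logs(SAMPLE_LOGS):
        print(f"line {hit.line_no}: {hit.kind:<11} {hit.indicator}")
    print(summarize(scan_logs(SAMPLE_LOGS)))
```

The second sample line (an unrelated Discord attachment) produces no hit, which is the point of keying on the full URL; the same idea applies to any IOC hosted on shared infrastructure. Hash and registry matching are case-insensitive because Sysmon emits upper-case hex and registry paths are not case-sensitive on Windows.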
Read more: https://www.mandiant.com/resources/spear-phrian-ukrainian-entities