GlowSand describes a Ukraine-focused, multi-stage malware campaign leveraging documents with malicious macros to download staged payloads. It uses geofenced infrastructure and persistence via a scheduled task to maintain access and conduct system discovery and exfiltration.

Hashtags: #GlowSand #Salmon #HotStart #DeprivePDF #QuicklyXML #Vipertos #Zvonishu #Ukraine

Keypoints

  • Attacks rely on documents in email attachments to deliver the initial payload targeting Ukrainian government entities.
  • The download server is configured to serve payloads only to Ukrainian IP addresses, indicating geo-targeted infrastructure.
  • The malware campaign employs a multi-stage approach with at least three document files and evolving payloads.
  • Persistence is achieved by creating a Task Scheduler entry named “HotStart” that periodically executes a script.
  • Additional stages are delivered via LNK files and XML/XML-like resources (e.g., quickly.xml) with Ukrainian IP-restricted domains.
  • The operators perform lightweight reconnaissance and system information gathering, including a screenshot, before deploying the main payload.
  • IoCs include multiple hashes, Vipertos-related domains, and several IP addresses linked to the infrastructure.

MITRE Techniques

  • [T1566.001] Spearphishing Attachment – The initial document is described as being opened via email attachments to deliver the next stages. Bracket quote: ‘the context of successful attacks is the use of documents in email attachments.’
  • [T1059.005] Command and Scripting Interpreter – The obfuscated macro is decoded at runtime and is divided into two parts, indicating macro-based execution within the document. Bracket quote: ‘The obfuscated macro is decoded at runtime and is divided into two parts.’
  • [T1027] Obfuscated/Compressed Files and Information – The macro/code is obfuscated and split, requiring decoding to reveal actions. Bracket quote: ‘The obfuscated macro is decoded at runtime and is divided into two parts.’
  • [T1053.005] Scheduled Task – Persistence via Task Scheduler, creating a task named “HotStart” to run a script every 5 minutes. Bracket quote: ‘creates a new task in Task Scheduler called “HotStart”; and every 5 minutes will run the script “C:\Users\Admin\deprive.pdf”.’
  • [T1105] Ingress Tool Transfer – The first stage drops a payload from a download address; the server is configured to deliver to Ukrainian IPs. Bracket quote: ‘The malware download server is configured in such a way that it only allows downloading files for Ukrainian IP addresses.’
  • [T1082] System Information Discovery – The next-stage payload collects machine information and posts back to the server. Bracket quote: ‘gathers identifying machine information to post back to the same server’
  • [T1113] Screen Capture – The campaign includes taking a screenshot as part of system enumeration. Bracket quote: ‘takes a screenshot and gathers identifying machine information’
  • [T1041] Exfiltration Over C2 Channel – Data (system info) is posted back to the remote server. Bracket quote: ‘post back to the same server’
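The HotStart persistence task above has three traits a defender can match on: a known task name, a 5-minute repetition interval, and an action that launches a file with a non-executable extension (deprive.pdf). The following detection helper is an added example, not code from the InQuest write-up; it parses the Task Scheduler XML that Windows records in Security Event ID 4698 (and that `schtasks /query /xml` exports). The sample task definition is constructed, and wscript.exe as the launching interpreter is an assumption (the page only states that the task "runs the script").

```python
import re
import xml.etree.ElementTree as ET

# Namespace of Task Scheduler XML (Event ID 4698 "TaskContent" and schtasks /query /xml output)
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Page-derived values: the persistence task name and the non-executable extensions the stages hide behind
WATCHED_TASK_NAMES = {"hotstart"}
SCRIPT_IN_DISGUISE = re.compile(r"\S+\.(?:pdf|xml|udb)\b", re.IGNORECASE)
MAX_INTERVAL_SECONDS = 5 * 60  # HotStart re-runs deprive.pdf every 5 minutes

# Constructed sample (not from the write-up): a task definition shaped like HotStart.
# wscript.exe as the launcher is an assumption; the page only says the task "runs the script".
HOTSTART_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><TimeTrigger><Repetition><Interval>PT5M</Interval></Repetition>
  <Enabled>true</Enabled></TimeTrigger></Triggers>
  <Actions><Exec><Command>wscript.exe</Command>
  <Arguments>C:\Users\Admin\deprive.pdf</Arguments></Exec></Actions>
</Task>"""

def interval_seconds(text):
    """Convert an ISO 8601 duration as Task Scheduler writes it (e.g. PT5M, P1D) to seconds."""
    m = re.fullmatch(r"P(?:(\d+)D)?T?(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?", text.strip())
    if not m:
        return None
    d, h, mi, s = (int(g) if g else 0 for g in m.groups())
    return d * 86400 + h * 3600 + mi * 60 + s

def analyze_task(task_name, task_xml):
    """Return a list of findings for one task definition; an empty list means nothing matched."""
    findings = []
    if task_name.lower() in WATCHED_TASK_NAMES:
        findings.append(f"name: {task_name!r} matches the GlowSand persistence task")
    root = ET.fromstring(task_xml)
    for node in root.iterfind(".//t:Repetition/t:Interval", NS):  # short re-run interval
        secs = interval_seconds(node.text or "")
        if secs is not None and secs <= MAX_INTERVAL_SECONDS:
            findings.append(f"trigger: repeats every {secs}s ({node.text})")
    for exec_node in root.iterfind(".//t:Actions/t:Exec", NS):  # command line of each action
        cmdline = " ".join(exec_node.findtext(f"t:{tag}", default="", namespaces=NS)
                           for tag in ("Command", "Arguments"))
        for hit in SCRIPT_IN_DISGUISE.findall(cmdline):
            findings.append(f"action: runs non-executable file {hit} via {cmdline.split()[0]}")
    return findings

if __name__ == "__main__":
    print(analyze_task("HotStart", HOTSTART_XML))
```

Feed it the task name from the 4698 event's TaskName field and the TaskContent XML; a benign daily task with a real executable yields an empty list.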

Indicators of Compromise

  • [Hash] a93ff0e6c42aa3f011a53108dc9b224dc85d9e0930f81e3b3010801089126e4e, 1a1ac565ba08ac51eb6ef27d0fe47a03372112f476ad3008f6ead30dbdcee565, and 5 more hashes
  • [Domain] alphabet.fake39.vipertos[.]ru, vipertos[.]ru, and other Vipertos domains
  • [IP] 143.244.131[.]123, 141.164.45[.]200
  • [File] salmon.udb, deprive.pdf
  • [URL] hxxp://a0681546.xsph[.]ru/death/quickly.xml, hxxp://ip-api.com/csv/delicious71.kolopartor[.]ru?fields=query

Read more: https://inquest.net/blog/2022/06/27/glowsand