State-sponsored Attack Groups Capitalise on Russia-Ukraine War for Cyber Espionage – Check Point Research

Check Point Research shows how state-sponsored APT groups are exploiting the Russia-Ukraine war to run cyber-espionage campaigns worldwide, using war-themed spear-phishing, decoy documents, and multi-stage payloads against financial, governmental, and energy sectors. The CPR report profiles El Machete, Lyceum, and SideWinder campaigns, detailing infection chains, payloads, and C2 techniques.
Hashtags: #El_Machete #Lyceum_APT #SideWinder_APT #BlogSpot #DNS_tunneling

Keypoints

  • The Russia-Ukraine conflict is being leveraged by multiple APT actors to target financial, governmental, and energy sectors across regions.
  • El Machete uses war-themed decoys and malicious macros in spear-phishing emails, leading to a Python-based backdoor with a Loki.Rat variant and a C2 URL hidden inside a license.dll loaded from BlogSpot.
  • Lyceum deploys multiple droppers (including .NET DNS, .NET TCP, and Golang) and backdoors (DNS and HTTP), employing DNS tunneling and C2 over custom protocols; lures include RU-UA and Iran contexts and target Israel and Pakistan among others.
  • SideWinder relies on remote template injection (including CVE-2017-11882) to drop a .NET-based infostealer, targeting entities in Pakistan and other regions.
  • The campaigns share tactics such as persistence via scheduled tasks, modular Python components, and C2 communications often hidden behind legitimate domains or social engineering elements.
  • CPR provides threat-hunting guidance and Yara rules to help detect these campaigns and their tools.

MITRE Techniques

  • [T1566.001] Phishing – Spear-phishing emails using the Russia-Ukraine war as lure. “The attackers use decoys ranging from official-looking documents to news articles or even job postings, depending on targets and region.”
  • [T1204.002] User Execution – Malicious macros in lure documents to gain initial foothold. “The lure documents utilize malicious macros or template injection to gain an initial foothold into the targeted organizations, and then launch malware attacks.”
  • [T1059.005] VBScript – The malware executes encoded VBScript via wscript.exe after the macro drops a .vbe file. “The macro then launches the wscript.exe to execute the .vbe file.”
  • [T1059.006] Python – The payloads are primarily written in Python with multiple interpreters masquerading as Adobe-related executables. “The malware is primarily written in Python, and comes with two different Python interpreters…”
  • [T1053.005] Scheduled Task – Persistence via a scheduled task that runs every 5 minutes, masquerading as an Adobe Update. “The task executes the AdobeReaderUpdate script, a customized version of Loki.Rat…”
  • [T1221] Template Injection – Remote template injection used in SideWinder lure documents; the report describes “remote template injection” together with exploitation of CVE-2017-11882 as part of the infection chain.
  • [T1071.001] Web Protocols – C2 communication over web channels, including BlogSpot hosting and obfuscated JSON payloads. “The data is submitted to the C&C server in a somewhat obfuscated but consistent JSON format” and use of BlogSpot-based URLs.
  • [T1071.004] DNS – DNS tunneling for C2 communication observed in Lyceum campaigns. “The DNS tunneling technique in the C&C communication widely used in previous Lyceum campaigns.”
  • [T1113] Screen Capture – The backdoors perform screenshots as part of reconnaissance. “Take screenshots.”
  • [T1083] File and Directory Discovery – Drops and collects file lists/sizes on drives to identify targets. “collect information about the files on each drive – collect file names and file sizes…”
  • [T1027.002] Obfuscated/Compressed Files and Information – Base64 encoding used to obfuscate payloads. “Each of the Python script files is obfuscated using base64 encoding.”

Indicators of Compromise

  • [Domain] Lyceum-related lure domains – news-spot.live, news-spot.xyz, cyberclub.one, science-news.live, news-reporter.xyz
  • [IP] Known Lyceum/C2 infrastructure – 104.249.26.60, 85.206.175.201, 185.243.112.136
  • [URL] Adobe.msi download variants – hxxps://correomindefensagobvemyspace[.]com/kolomenskoye/Adobe.msi, hxxps://solutionconect[.]online/uu2/x3/JavaOracle.msi, hxxps://great-jepsen.51-79-62-98[.]plesk[.]page/MKS/w3/Adobe.msi, hxxps://Intelligent-archimedes.51-79-62-98[.]plesk[.]page/x3/Uu-3.php
  • [Email] Phishing contact observed – inews-reporter@protonmail[.]com
  • [Domain] BlogSpot hosting used for C2 and decoys – blogspot.com
  • [IP] Additional host indicated in Arc/Appendix – 31.207.44.72:8080
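The indicator list above is published in defanged form (hxxps, [.]), so it cannot be pasted straight into a log search. The following Python is an added example, not part of the CPR report or its threat-hunting material: it refangs the page's own indicators, builds a lookup, and scans log lines for exact matches on URLs, IPs and e-mail addresses, plus parent-domain matches so that a DNS query for a subdomain of a lure domain (the kind of name DNS tunneling produces) is still caught. The log lines are constructed for the example and carry no real telemetry; the port 8080 that the page attaches to 31.207.44.72 is dropped for matching.

```python
import re

# Indicators copied from the page's IoC list, kept in their defanged form.
DEFANGED_IOCS = {
    "domain": [
        "news-spot.live", "news-spot.xyz", "cyberclub.one",
        "science-news.live", "news-reporter.xyz",
    ],
    # 31.207.44.72 is listed on the page with port 8080; only the address is matched here.
    "ip": ["104.249.26.60", "85.206.175.201", "185.243.112.136", "31.207.44.72"],
    "url": [
        "hxxps://correomindefensagobvemyspace[.]com/kolomenskoye/Adobe.msi",
        "hxxps://solutionconect[.]online/uu2/x3/JavaOracle.msi",
        "hxxps://great-jepsen.51-79-62-98[.]plesk[.]page/MKS/w3/Adobe.msi",
        "hxxps://Intelligent-archimedes.51-79-62-98[.]plesk[.]page/x3/Uu-3.php",
    ],
    "email": ["inews-reporter@protonmail[.]com"],
}


def refang(value: str) -> str:
    """Turn a defanged indicator into the literal, lower-cased form seen in logs."""
    value = value.replace("[.]", ".").replace("(.)", ".")
    value = re.sub(r"^hxxp", "http", value, flags=re.IGNORECASE)
    return value.lower()


def build_index(defanged: dict) -> dict:
    """Map each refanged indicator to its type for O(1) lookups."""
    return {refang(v): kind for kind, values in defanged.items() for v in values}


IOC_INDEX = build_index(DEFANGED_IOCS)

# Candidate tokens in a log line: URLs, e-mail addresses, IPv4 addresses, host names.
TOKEN_RE = re.compile(
    r"(?:https?://[^\s\"']+)"
    r"|(?:[\w.+-]+@[\w-]+(?:\.[\w-]+)+)"
    r"|(?:\b(?:\d{1,3}\.){3}\d{1,3}\b)"
    r"|(?:\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b)",
    re.IGNORECASE,
)
URL_HOST_RE = re.compile(r"https?://([^/:]+)")
IPV4_RE = re.compile(r"(?:\d{1,3}\.){3}\d{1,3}")


def parent_domains(host: str):
    """Yield host and each parent domain except the bare TLD: a.b.c -> a.b.c, b.c."""
    labels = host.split(".")
    for i in range(len(labels) - 1):
        yield ".".join(labels[i:])


def scan_line(line: str) -> list:
    """Return (type, indicator) pairs matched in one log line."""
    hits = []
    for tok in TOKEN_RE.findall(line):
        tok = tok.lower()
        kind = IOC_INDEX.get(tok)
        if kind:
            hits.append((kind, tok))
            continue
        # No exact hit: check the host of a URL, or the token itself, against parent domains.
        m = URL_HOST_RE.match(tok)
        host = m.group(1) if m else tok
        if IPV4_RE.fullmatch(host) or "@" in host:
            continue
        for cand in parent_domains(host):
            if cand in IOC_INDEX:
                hits.append((IOC_INDEX[cand], cand))
                break
    return hits


def scan_logs(lines) -> list:
    """Return (1-based line number, hits) for every line that matched an indicator."""
    return [(n, h) for n, line in enumerate(lines, 1) if (h := scan_line(line))]


# Constructed sample log lines (not real telemetry) covering each indicator type.
SAMPLE_LOGS = [
    "2022-03-01T10:02:11Z dns client=ws01 qname=abc123.news-spot.live type=A",
    "2022-03-01T10:05:40Z proxy src=10.0.0.12 url=https://solutionconect.online/uu2/x3/JavaOracle.msi status=200",
    "2022-03-01T10:07:03Z fw dst=185.243.112.136 dport=443 action=allow",
    "2022-03-01T10:09:55Z dns client=ws02 qname=www.example.com type=A",
    '2022-03-01T10:12:18Z mail from=inews-reporter@protonmail.com subject="Ukraine update"',
]

if __name__ == "__main__":
    for lineno, hits in scan_logs(SAMPLE_LOGS):
        print(f"line {lineno}: {hits}")
```

Exact matches on the full URL are deliberately kept separate from host matches: the hosting pages listed above are legitimate shared services (plesk.page, BlogSpot), so a hit on the host alone would be noise, while the full path is specific to the campaign. Lure domains, by contrast, are matched by suffix because DNS tunneling and per-victim subdomains never reuse the exact name published in a report.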

Read more: https://research.checkpoint.com/2022/state-sponsored-attack-groups-capitalise-on-russia-ukraine-war-for-cyber-espionage/