TA406 Pivots to the Front

TA406, a DPRK state-sponsored threat actor, targeted Ukrainian government entities in February 2025 using phishing campaigns to harvest credentials and deliver malware for strategic intelligence gathering related to the Russian invasion. Their operations involved sophisticated phishing lures, malware embedded with PowerShell scripts, and multiple stages of reconnaissance and persistence mechanisms. #TA406 #UkraineGovernment

Key points

  • TA406 targeted Ukrainian government entities with phishing emails impersonating think tank members, using event-driven lures based on Ukrainian political developments.
  • The malware delivery involved password-protected RAR archives containing CHM and HTML files that executed embedded PowerShell for host reconnaissance and data exfiltration.
  • PowerShell scripts collected system, network, and security tool information, encoded it in Base64, and sent it to TA406-controlled command and control (C2) servers.
  • Phishing emails employed follow-up messages to encourage victims to open malicious links or attachments, increasing infection success rates.
  • Credential harvesting efforts used fake Microsoft security alert emails from Proton Mail accounts, linking to compromised domains to steal login details.
  • TA406’s operations are motivated by intelligence gathering to assess Ukrainian resistance to the Russian invasion and potential North Korean military risks.
  • The actor deployed persistence via scheduled tasks and autorun batch files on infected hosts to maintain long-term access.
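The reconnaissance-and-exfiltration step in the points above (host information encoded in Base64 and sent by HTTP POST to the C2 receiver) is what a network defender can look for in captured outbound requests. The following Python is an added example, not code from the report or from Proofpoint: it parses raw HTTP requests, matches the C2 host and paths listed in the indicators below (refanged only for matching), and applies a heuristic that decodes Base64 bodies and looks for reconnaissance-style strings. The sample requests, the reconnaissance text and the marker words are constructed assumptions; the report does not list the exact commands the scripts run.

```python
import base64
import re
from dataclasses import dataclass, field
from urllib.parse import unquote

# C2 host and paths from the report's indicators (defanged there as
# mywebcommunity[.]org); refanged here only so they can be compared.
C2_HOSTS = {"pokijhgcfsdfghnj.mywebcommunity.org"}
C2_PATHS = {"/main/receive.php", "/main/test.txt"}

# Assumption: strings commonly present in host-reconnaissance output. The
# report says system, network and security-tool data is gathered but does
# not give the exact commands, so these markers are illustrative.
RECON_MARKERS = ("os name", "ipconfig", "adapter", "antivirus", "defender", "tasklist")


@dataclass
class Finding:
    host: str
    path: str
    reasons: list = field(default_factory=list)


def parse_http_request(raw):
    """Split a raw HTTP/1.1 request into (method, path, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def decode_base64_loose(text):
    """Decode `text` if it looks like a Base64 blob; return None otherwise."""
    compact = re.sub(r"\s+", "", text)
    if len(compact) < 16 or not re.fullmatch(r"[A-Za-z0-9+/]+=*", compact):
        return None
    try:
        raw = base64.b64decode(compact + "=" * (-len(compact) % 4), validate=True)
    except ValueError:  # binascii.Error is a subclass of ValueError
        return None
    # PowerShell frequently emits UTF-16LE; fall back to UTF-8 otherwise.
    if len(raw) % 2 == 0 and b"\x00" in raw:
        try:
            return raw.decode("utf-16-le")
        except UnicodeDecodeError:
            pass
    return raw.decode("utf-8", errors="replace")


def analyze_request(raw):
    """Return a Finding when a POST matches the C2 indicators or carries a
    Base64 body that decodes to reconnaissance-style output, else None."""
    method, path, headers, body = parse_http_request(raw)
    if method.upper() != "POST":
        return None
    host = headers.get("host", "").lower()
    reasons = []
    if host in C2_HOSTS:
        reasons.append("host matches TA406 C2 indicator")
    if path in C2_PATHS:
        reasons.append("path matches TA406 C2 receiver script")
    # Accept both a bare Base64 body and a single form field (key=<Base64>).
    candidates = [body]
    if "=" in body:
        candidates.append(unquote(body.split("=", 1)[1]))
    decoded = next((d for d in map(decode_base64_loose, candidates) if d), None)
    if decoded:
        hits = [m for m in RECON_MARKERS if m in decoded.lower()]
        if len(hits) >= 2:
            reasons.append("Base64 body decodes to reconnaissance output (%s)" % ", ".join(hits))
    return Finding(host, path, reasons) if reasons else None


def scan_requests(requests):
    """Analyze every captured request and keep only the flagged ones."""
    return [f for f in (analyze_request(r) for r in requests) if f]


# Constructed sample reconnaissance text (not taken from the report).
_RECON_TEXT = (
    "OS Name: Microsoft Windows 10 Pro\r\n"
    "Ethernet adapter Ethernet0: 10.0.0.15\r\n"
    "Antivirus: Windows Defender\r\n"
)

# Constructed sample requests; no real traffic.
SAMPLE_REQUESTS = [
    # 1. Hits the C2 host and path and carries UTF-16LE recon data in a form field.
    "POST /main/receive.php HTTP/1.1\r\n"
    "Host: pokijhgcfsdfghnj.mywebcommunity.org\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "data=" + base64.b64encode(_RECON_TEXT.encode("utf-16-le")).decode(),
    # 2. Benign JSON login request.
    "POST /api/login HTTP/1.1\r\nHost: intranet.example.com\r\n"
    "Content-Type: application/json\r\n\r\n{\"user\": \"alice\"}",
    # 3. Unknown host; only the Base64 body heuristic fires.
    "POST /upload HTTP/1.1\r\nHost: files.example.net\r\n\r\n"
    + base64.b64encode(_RECON_TEXT.encode()).decode(),
]

if __name__ == "__main__":
    for finding in scan_requests(SAMPLE_REQUESTS):
        print(finding.host, finding.path, "->", "; ".join(finding.reasons))
```

The indicator match is exact and will only ever catch this campaign's infrastructure; the Base64 heuristic is the part worth keeping in a proxy or IDS pipeline, since it is what generalizes to the next set of domains. Tune the marker list and the two-hit threshold against your own traffic before alerting on it.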

MITRE Techniques

  • [T1566.001] Phishing: Spearphishing Link – TA406 sent phishing emails with links to password-protected RAR archives on MEGA (“…the email contains a link to a file hosting service called MEGA…”).
  • [T1204.002] User Execution: Malicious File – Victims were tricked into opening CHM and HTML files containing embedded PowerShell scripts (“…if the file is decrypted and run, it initiates an infection chain using PowerShell…”).
  • [T1059.001] Command and Scripting Interpreter: PowerShell – Embedded PowerShell executed within HTML files and LNK shortcuts to perform reconnaissance and payload downloads (“…PowerShell in the HTML executes if a user clicks within the page…”).
  • [T1071.001] Application Layer Protocol: Web Protocols – Collected data was exfiltrated via HTTP POST requests to TA406-controlled domains (“…sent via POST request to hxxp://pokijhgcfsdfghnj.mywebcommunity[.]org/main/receive.php…”).
  • [T1543.003] Create or Modify System Process: Windows Service – Persistence was achieved by creating a scheduled task for the dropped JSE file (“…initiates a scheduled task named Windows Themes Update…”).
  • [T1036.005] Masquerading: Match Legitimate Names or Locations – Phishing emails spoofed members of reputable think tanks and used legitimate-sounding sender addresses (“…freemail senders spoofing members of think tanks…”).
  • [T1110] Brute Force: Credential Harvesting – Fake Microsoft security alert emails were used to lure targets to login pages on compromised domains (“…messages claim the target’s account had unusual sign-in activity…”).
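The persistence entry in the technique list above names a scheduled task ("Windows Themes Update") that runs a dropped JSE file. On a host, an exported task definition (the XML that `schtasks /query /xml` produces) is the artifact a responder would inspect. The Python below is an added example, not code from the report or from Proofpoint: it parses Task Scheduler XML using the scheduler's standard namespace and flags tasks whose name matches the reported one, whose action runs a script host on a script file, or whose action points into a user-writable location. Both task definitions are constructed samples, and the file paths in them are placeholders, not indicators from the report.

```python
import re
import xml.etree.ElementTree as ET

# Namespace used by Windows Task Scheduler XML exports.
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Task name quoted in the report.
KNOWN_TASK_NAMES = {"windows themes update"}

# Script hosts and script extensions that rarely belong in a legitimate
# scheduled task action (assumption: tune for your environment).
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "cmd.exe", "mshta.exe"}
SCRIPT_EXTENSIONS = (".jse", ".js", ".vbs", ".vbe", ".bat", ".cmd", ".ps1")
USER_WRITABLE = re.compile(r"\\users\\(public|[^\\]+\\appdata)\\")


def inspect_task_xml(task_name, xml_text):
    """Return the reasons a task definition looks like script-based persistence."""
    root = ET.fromstring(xml_text)
    reasons = []
    if task_name.strip().lower() in KNOWN_TASK_NAMES:
        reasons.append("task name matches the one reported for TA406")
    for exec_node in root.findall(".//t:Actions/t:Exec", TASK_NS):
        command = (exec_node.findtext("t:Command", "", TASK_NS) or "").strip()
        arguments = (exec_node.findtext("t:Arguments", "", TASK_NS) or "").strip()
        binary = command.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if binary in SCRIPT_HOSTS and any(ext in arguments.lower() for ext in SCRIPT_EXTENSIONS):
            reasons.append("%s launches a script file: %s" % (binary, arguments))
        if USER_WRITABLE.search((command + " " + arguments).lower()):
            reasons.append("action runs from a user-writable location")
    return reasons


def scan_tasks(tasks):
    """Map each flagged task name to its reasons; clean tasks are omitted."""
    flagged = {}
    for name, xml_text in tasks.items():
        reasons = inspect_task_xml(name, xml_text)
        if reasons:
            flagged[name] = reasons
    return flagged


# Constructed sample task exports. Paths are placeholders, not report IoCs.
SAMPLE_TASKS = {
    "Windows Themes Update": r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Windows\System32\wscript.exe</Command>
      <Arguments>//B C:\Users\Public\update.jse</Arguments>
    </Exec>
  </Actions>
</Task>""",
    "Vendor Updater": r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><Enabled>true</Enabled></CalendarTrigger></Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Program Files\ExampleVendor\updater.exe</Command>
      <Arguments>/silent</Arguments>
    </Exec>
  </Actions>
</Task>""",
}

if __name__ == "__main__":
    for name, reasons in scan_tasks(SAMPLE_TASKS).items():
        print(name, "->", "; ".join(reasons))
```

The name check is the weakest signal, since an operator can rename the task; the script-host and user-writable-path checks are what to keep in a hunting query, and they also cover the autorun batch files the key points mention when those are launched from a task.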

Indicators of Compromise

  • [Email] Credential harvest delivery – emln0reply@protonmail[.]com, eml-n0replypro@proton[.]me
  • [Domain] Credential harvest delivery – jetmf[.]com
  • [Email] Malware delivery – john.smith.19880@outlook[.]com, john.dargavel.smith46@gmail[.]com
  • [URL] Malware delivery – hxxps://mega[.]nz/file/SmxUiA4K#QoS_PYQDnJN4VtsSg5HoCv5eOK0AI1bL6Cw5lxA0zfI, hxxps://lorica[.]com.ua/MFA/вкладення.zip
  • [URL] Command and Control – hxxp://pokijhgcfsdfghnj.mywebcommunity[.]org/main/test.txt, hxxp://pokijhgcfsdfghnj.mywebcommunity[.]org/main/receive.php
  • [SHA256 Hashes] Malware delivery – 58adb6b87a3873f20d56a10ccde457469adb5203f3108786c3631e0da555b917, 28116e434e35f76400dc473ada97aeae9b93ca5bcc2a86bd1002f6824f3c9537, and 2 more hashes

Read more: https://www.proofpoint.com/us/blog/threat-insight/ta406-pivots-front