Threat Advisory: Opportunistic cyber criminals take advantage of Ukraine invasion

Threat actors have exploited the Ukraine invasion with scam emails that solicit humanitarian aid and donations, often delivering malware or links to malicious pages. The activity mirrors opportunistic crime seen after other crises, combining social engineering with malware delivery and scam campaigns to exploit public concern. #UkraineInvasion #Remcos #CVE2017-11882

Keypoints

  • Threat actors push email lures tied to the Ukraine conflict, including humanitarian aid and fundraising themes, increasing since late February.
  • Most activity is scam-focused, but some emails deliver threats such as remote access trojans (RATs).
  • Campaigns illustrate social engineering that moves victims from email to other channels (e.g., WhatsApp) and uses fake charity or assistance requests.
  • Malware distribution campaigns exploit public interest by delivering malicious Office documents designed to retrieve payloads from attacker-controlled servers.
  • One payload is Remcos, with persistence via a registry Run key and C2 communications over a DDNS domain.
  • IOCs include specific SHA256 hashes, domains, IPs, and URLs linked to the campaigns and payload delivery.

MITRE Techniques

  • [T1566.001] Spearphishing Attachment – Email lures with seemingly legitimate requests and malicious attachments to trigger execution. “In the following example, the sender claims to need assistance donating to charity organizations and requests that the recipient contact them via the supplied WhatsApp contact information.”
  • [T1566.002] Spearphishing Link – Messages include links that lead to attacker-controlled pages or phishing sites. “The email contains a hyperlink made to appear as if it points to the Bitcoin marketplace, while it actually points to an attacker-controlled webpage.”
  • [T1566.003] Spearphishing via Service – Social engineering that moves recipients to external channels (e.g., WhatsApp) for action. “the recipient contact them via the supplied WhatsApp contact information.”
  • [T1105] Ingress Tool Transfer – Malware payloads are retrieved from attacker-controlled servers. “The document purports to retrieve a binary payload from an attacker-controlled web server as shown below.”
  • [T1203] Exploitation for Client Execution – Office documents leverage a vulnerability to run malware. “When opened, the document leverages CVE-2017-11882, an old Microsoft Office vulnerability, and attempts to retrieve a malware payload from an attacker-controlled server to infect the victim.”
  • [T1547.001] Registry Run Keys/Startup Folder – Persistence mechanism used by Remcos. “As is common with Remcos, the sample achieves persistence via setting a registry run key…”
  • [T1071.004] DNS C2 – C2 communications using attacker-controlled infrastructure (DDNS). “attempts to establish C2 communications with an attacker-controlled DDNS server.”

Indicators of Compromise

  • [Hash] SHA256 – 0a9babd846b1edf99e75f3c9de492c6341f9ca9a8e91851ad323bf8f325f9799
  • [Hash] SHA256 – 19b3fb26c3ede42cf8f5922fa4e10da1004a820e3f94dd25615d387092b996ed
  • [Hash] SHA256 – 1d7b8253666eb3d60b84a82999d6a9f393fee01876ff6f39dee4bdf304a11bfd
  • [Hash] SHA256 – 4907309437e12932d437f8c3ae03fbfde7d4e196b6f1dc7f2d98e3a388ce585c
  • [Domains] genautilus[.]com, newremc22[.]ddns[.]net
  • [IP Addresses] 136[.]144[.]41[.]109, 142[.]93[.]227[.]231
  • [URLs] hXXp[:]//136[.]144[.]41[.]109[:]80/HRE.exe, hXXp[:]//genautilus[.]com/?2dv6a8N1yT
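The indicators above are published defanged, so they cannot be pasted straight into a log search. The following Python script is an added example (not code from the Talos post or from Talos tooling): it refangs the listed domains, IPs, URLs and hashes, scans a set of constructed sample log lines for them, and separately flags writes to the CurrentVersion\Run key described in the persistence keypoint as a behavioural signal rather than an IOC. The log format, hostnames and file paths in the sample lines are assumptions made for the example; only the indicator values come from the advisory.

```python
"""IOC matcher for the advisory's indicators: refang the defanged values and
scan sample log lines for them (added example; sample logs are constructed)."""
import re

# Indicators copied from the advisory, in their defanged form.
DEFANGED_DOMAINS = ["genautilus[.]com", "newremc22[.]ddns[.]net"]
DEFANGED_IPS = ["136[.]144[.]41[.]109", "142[.]93[.]227[.]231"]
DEFANGED_URLS = [
    "hXXp[:]//136[.]144[.]41[.]109[:]80/HRE.exe",
    "hXXp[:]//genautilus[.]com/?2dv6a8N1yT",
]
SHA256_HASHES = {
    "0a9babd846b1edf99e75f3c9de492c6341f9ca9a8e91851ad323bf8f325f9799",
    "19b3fb26c3ede42cf8f5922fa4e10da1004a820e3f94dd25615d387092b996ed",
    "1d7b8253666eb3d60b84a82999d6a9f393fee01876ff6f39dee4bdf304a11bfd",
    "4907309437e12932d437f8c3ae03fbfde7d4e196b6f1dc7f2d98e3a388ce585c",
}

# Behavioural signal, not an IOC: the Run key used for Remcos persistence.
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run\b", re.IGNORECASE)


def refang(indicator: str) -> str:
    """Turn a defanged indicator (hXXp, [.], [:]) back into its matchable form."""
    s = indicator.replace("[.]", ".").replace("[:]", ":")
    return re.sub(r"^hxxp", "http", s, flags=re.IGNORECASE)


def _domain_pattern(domain: str) -> re.Pattern:
    # Match the domain as a whole host, not as a substring of a longer name.
    return re.compile(r"(?<![\w.-])" + re.escape(domain) + r"(?![\w-])", re.IGNORECASE)


def _ip_pattern(ip: str) -> re.Pattern:
    # Avoid matching 136.144.41.109 inside e.g. 136.144.41.1099.
    return re.compile(r"(?<![\d.])" + re.escape(ip) + r"(?![\d.])")


def scan_log_lines(lines):
    """Return a list of (line_no, kind, indicator) hits, one per matching indicator."""
    urls = [refang(u) for u in DEFANGED_URLS]
    domains = [(refang(d), _domain_pattern(refang(d))) for d in DEFANGED_DOMAINS]
    ips = [(refang(i), _ip_pattern(refang(i))) for i in DEFANGED_IPS]
    hits = []
    for n, line in enumerate(lines, 1):
        lower = line.lower()
        for u in urls:
            if u.lower() in lower:
                hits.append((n, "url", u))
        for d, pat in domains:
            if pat.search(line):
                hits.append((n, "domain", d))
        for ip, pat in ips:
            if pat.search(line):
                hits.append((n, "ip", ip))
        for h in SHA256_HASHES:
            if h in lower:
                hits.append((n, "sha256", h))
        m = RUN_KEY_RE.search(line)
        if m:
            hits.append((n, "run_key_persistence", m.group(0)))
    return hits


# Constructed sample telemetry (assumed format: DNS, proxy and EDR events).
SAMPLE_LOGS = [
    "2022-03-01T10:00:01Z dns src=10.0.0.5 qname=newremc22.ddns.net qtype=A",
    "2022-03-01T10:00:02Z proxy src=10.0.0.5 GET http://136.144.41.109:80/HRE.exe 200",
    "2022-03-01T10:00:03Z dns src=10.0.0.7 qname=www.example.com qtype=A",
    "2022-03-01T10:00:04Z edr file_write path=C:\\Users\\alice\\AppData\\Roaming\\hre.exe "
    "sha256=0a9babd846b1edf99e75f3c9de492c6341f9ca9a8e91851ad323bf8f325f9799",
    "2022-03-01T10:00:05Z edr reg_set key=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run "
    "value=hre data=C:\\Users\\alice\\AppData\\Roaming\\hre.exe",
    "2022-03-01T10:00:06Z dns src=10.0.0.9 qname=notgenautilus.com qtype=A",
]

if __name__ == "__main__":
    for line_no, kind, value in scan_log_lines(SAMPLE_LOGS):
        print(f"line {line_no}: {kind} -> {value}")
```

The domain and IP patterns use look-arounds so that `notgenautilus.com` (line 6) is not reported, while the proxy line reports both the full URL and the bare IP. The Run key hit is deliberately labelled as a behavioural signal: legitimate software writes that key too, so it is a triage prompt to correlate with the hash and network hits, not a conviction on its own.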

Read more: https://blog.talosintelligence.com/2022/03/ukraine-invasion-scams-malware.html