Cyble researchers document UNC1151’s renewed malware campaign against Ukraine’s Ministry of Defence, detailing lure documents, multi-stage DLL load chains, and evolving encryption/obfuscation tactics. The findings also flag potential final payloads (AgentTesla, Cobalt Strike, njRAT) and provide IOCs and MITRE-aligned techniques. #UNC1151 #GhostWriter
Keypoints
- CRIL identified a campaign using a malicious Excel document linked to the UNC1151 APT group, with targets including Ukraine’s Ministry of Defence.
- UNC1151 is described as Belarus-originating and active against Eastern European countries (Ukraine, Lithuania, Latvia, Poland, etc.), with ties to GhostWriter operations.
- The lure leverages embedded VBA macros in Excel to drop a LNK file and a DLL loader, initiating a multi-stage infection chain.
- Campaign 2 (2024) introduces two DLL execution stages and encrypted payloads (SVG-based) vs. a prior JPG-based approach, expanding the infection chain.
- Infections likely aim for information theft and remote access, with suspected final payloads including AgentTesla, Cobalt Strike beacons, and njRAT.
- IOCs comprise file hashes of the lure document and DLL loader, the SVG payload download URLs and their hosting domains; the MITRE technique mapping shows how the tactics shifted between campaigns.
MITRE Techniques
- [T1059] Command and Scripting Interpreter – Brief description: The lure document contains embedded VBA macros.
- [T1203] Exploitation for Client Execution – Brief description: Potential document exploit detected.
- [T1547.001] Registry Run Keys / Startup Folder – Brief description: Persistence via a shortcut dropped into the Start Menu folder. – “drops a shortcut file named ‘CybereasonActiveProbe.lnk’ in the ‘AppData\Roaming\Microsoft\Windows\Start Menu’ folder.”
- [T1574.002] DLL Side-Loading – Brief description: The infection chain includes multiple DLL execution stages. – “In the latest campaign, the TA employs two DLL execution stages in the infection chain.”
- [T1218.010] Regsvr32 – Brief description: The malware abuses Regsvr32.exe to proxy DLL execution. – “Regsvr32.exe” described in the campaign flows.
- [T1218.011] Rundll32 – Brief description: The malware uses Rundll32.exe to execute DLL payloads. – “Rundll32.exe” described in multiple steps.
- [T1057] Process Discovery – Brief description: Enumerates running processes, a step that typically precedes evasion. – “Queries a list of all running processes.”
- [T1518.001] Security Software Discovery – Brief description: Looks for AV process names. – “AV process strings found (often used to terminate AV products).”
- [T1071] Application Layer Protocol – Brief description: The malware executable communicates with the C&C server over HTTP or other application-layer protocols.
- [T1105] Ingress Tool Transfer – Brief description: Downloads components from web servers via HTTP.
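The techniques above describe a chain that is easy to hunt for behaviourally: an Office process spawning rundll32.exe or regsvr32.exe, a .lnk written under the Start Menu path, a proxy-execution binary loading a DLL from a user-writable directory, and that binary then talking to the network. The following Python script is an added example and not code from the Cyble write-up; it runs those four rules over constructed Sysmon-style events. The event field names, the office and path lists, and the file names loader.dll and stage2.dll are assumptions chosen to illustrate the chain, not indicators from the report.

```python
"""Added example (not from the Cyble write-up): behavioural detection logic for the
UNC1151 chain above, run over constructed Sysmon-style events. Field names, file
names such as loader.dll/stage2.dll and the event shapes are assumptions."""
import ntpath

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
# Signed system binaries abused to proxy DLL execution, with their ATT&CK IDs.
PROXY_EXEC = {"rundll32.exe": "T1218.011", "regsvr32.exe": "T1218.010"}
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")
STARTUP_MARKER = "\\microsoft\\windows\\start menu\\"


def basename(path: str) -> str:
    """Case-folded file name of a Windows path (ntpath handles backslashes on any OS)."""
    return ntpath.basename(path).lower()


def detect(events):
    """Return (event_index, technique_id, reason) for every rule that fires."""
    hits = []
    for i, ev in enumerate(events):
        image = basename(ev.get("image", ""))
        if ev["type"] == "process":
            parent = basename(ev.get("parent", ""))
            cmd = ev.get("cmdline", "").lower()
            if parent in OFFICE_APPS and image in PROXY_EXEC:
                # Office document spawning a DLL host: a macro ran and proxied a DLL.
                hits.append((i, "T1059", f"{parent} spawned {image}"))
                hits.append((i, PROXY_EXEC[image], f"{image} launched by an Office process"))
            elif image in PROXY_EXEC and any(d in cmd for d in USER_WRITABLE):
                # Later DLL stage: a proxy binary loading a DLL from a user-writable path.
                hits.append((i, PROXY_EXEC[image], f"{image} loading a DLL from a user-writable path"))
        elif ev["type"] == "file":
            target = ev.get("target", "")
            if target.lower().endswith(".lnk") and STARTUP_MARKER in target.lower():
                hits.append((i, "T1547.001", f"{image} wrote {ntpath.basename(target)} under Start Menu"))
        elif ev["type"] == "network" and image in PROXY_EXEC:
            # rundll32/regsvr32 rarely need the network: treat as a C2/download candidate.
            hits.append((i, "T1071", f"{image} connected to {ev.get('dest_host')}"))
    return hits


# Constructed events following the chain described above; not real telemetry.
EXCEL = r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"
SAMPLE_EVENTS = [
    {"type": "process", "image": EXCEL, "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'"EXCEL.EXE" C:\Users\u\Downloads\lure.xlsm'},
    {"type": "file", "image": EXCEL,
     "target": r"C:\Users\u\AppData\Roaming\Microsoft\Windows\Start Menu\CybereasonActiveProbe.lnk"},
    {"type": "process", "image": r"C:\Windows\System32\rundll32.exe", "parent": EXCEL,
     "cmdline": r"rundll32.exe C:\Users\u\AppData\Local\Temp\loader.dll,DllMain"},
    {"type": "process", "image": r"C:\Windows\System32\regsvr32.exe",
     "parent": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"regsvr32.exe /s C:\Users\u\AppData\Local\Temp\stage2.dll"},
    {"type": "network", "image": r"C:\Windows\System32\regsvr32.exe",
     "dest_host": "goudielectric.shop", "dest_port": 443},
    {"type": "process", "image": r"C:\Windows\System32\rundll32.exe",
     "parent": r"C:\Windows\System32\svchost.exe",
     "cmdline": "rundll32.exe shell32.dll,Control_RunDLL"},  # benign noise: must not fire
]

if __name__ == "__main__":
    for idx, technique, reason in detect(SAMPLE_EVENTS):
        print(f"event {idx}: {technique} - {reason}")
```

The last event is deliberate noise: rundll32.exe launched by svchost.exe with a system DLL is everyday Windows behaviour and must not fire, which is why the DLL-path rule keys on user-writable directories rather than on rundll32.exe alone. In production the same rules would be written as Sigma rules or EDR queries over the real telemetry schema.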
Indicators of Compromise
- [SHA256] 815c1571356cf328a18e0b1f3779d52e5ba11e5e4aac2d216b79bb387963c2be – Malware Excel files (May 2024)
- [SHA256] d90f6e12a917ba42f7604362fafc4e74ed3ce3ffca41ed5d3456de28b2d144bf – DLL loader
- [URL] hxxps://goudielectric[.]shop/cms/svg/6364.2809640e.chunk.svg – Download encrypted payload
- [URL] hxxps://thevegan8[.]shop/first-gen-network/micro-grants.svg – Download encrypted payload
- [Domain] goudielectric[.]shop – Malware domain
- [Domain] thevegan8[.]shop – Malware domain
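The indicators above are published defanged (hxxps, [.]), so they have to be refanged before they can be matched against logs, and domain matching should catch child hosts without being fooled by look-alike suffixes. The Python script below is an added example, not code from the Cyble write-up: it refangs the listed hashes, URLs and domains and runs them over constructed proxy-log lines and a constructed file-hash inventory. The log line format, client addresses and file paths are assumptions; the indicators themselves are copied from the list above.

```python
"""Added example (not from the Cyble write-up): refang the published IOCs and match
them against constructed proxy-log lines and a constructed file-hash inventory.
The log line format and inventory paths are assumptions."""
from urllib.parse import urlparse

# Indicators exactly as listed above (defanged, as published).
IOC_SHA256 = {
    "815c1571356cf328a18e0b1f3779d52e5ba11e5e4aac2d216b79bb387963c2be": "malicious Excel document (May 2024)",
    "d90f6e12a917ba42f7604362fafc4e74ed3ce3ffca41ed5d3456de28b2d144bf": "DLL loader",
}
IOC_URLS_DEFANGED = [
    "hxxps://goudielectric[.]shop/cms/svg/6364.2809640e.chunk.svg",
    "hxxps://thevegan8[.]shop/first-gen-network/micro-grants.svg",
]
IOC_DOMAINS_DEFANGED = ["goudielectric[.]shop", "thevegan8[.]shop"]


def refang(ioc: str) -> str:
    """Turn a defanged indicator back into the form that appears in logs."""
    return ioc.replace("hxxps://", "https://").replace("hxxp://", "http://").replace("[.]", ".")


IOC_URLS = {refang(u) for u in IOC_URLS_DEFANGED}
# Domains from the list plus the hosts of the listed URLs.
IOC_DOMAINS = {refang(d) for d in IOC_DOMAINS_DEFANGED} | {urlparse(u).hostname for u in IOC_URLS}


def host_matches(host: str, domain: str) -> bool:
    """Exact or subdomain match; a plain suffix test would wrongly hit notthevegan8.shop."""
    host, domain = host.lower(), domain.lower()
    return host == domain or host.endswith("." + domain)


def scan_proxy_log(lines):
    """Return (line_no, host, kind) for each line whose URL hits an IOC.
    Assumed line format: '<timestamp> <client_ip> <method> <url> <status>'."""
    hits = []
    for n, line in enumerate(lines, 1):
        parts = line.split()
        if len(parts) < 5:
            continue  # malformed line, ignore
        url = parts[3]
        host = urlparse(url).hostname or ""
        if url in IOC_URLS:
            hits.append((n, host, "url"))        # exact payload URL
        elif any(host_matches(host, d) for d in IOC_DOMAINS):
            hits.append((n, host, "domain"))     # same or child domain
    return hits


def match_hashes(inventory):
    """inventory maps path -> SHA256 (any case). Return [(path, label)] for known-bad files."""
    return [(path, IOC_SHA256[h.lower()]) for path, h in inventory.items() if h.lower() in IOC_SHA256]


# Constructed sample data, not real logs.
SAMPLE_PROXY_LOG = [
    "2024-05-14T09:12:01Z 10.0.0.15 GET https://www.example.com/index.html 200",
    "2024-05-14T09:12:07Z 10.0.0.15 GET https://goudielectric.shop/cms/svg/6364.2809640e.chunk.svg 200",
    "2024-05-14T09:12:09Z 10.0.0.22 GET https://cdn.thevegan8.shop/assets/app.js 200",
    "2024-05-14T09:12:11Z 10.0.0.22 GET https://notthevegan8.shop/ 200",
]
SAMPLE_INVENTORY = {
    # Upper-cased on purpose: tools disagree on hex case, so matching normalises it.
    r"C:\Users\u\Downloads\report.xlsx": "815c1571356cf328a18e0b1f3779d52e5ba11e5e4aac2d216b79bb387963c2be".upper(),
    r"C:\Users\u\AppData\Local\Temp\x.dll": "d90f6e12a917ba42f7604362fafc4e74ed3ce3ffca41ed5d3456de28b2d144bf",
    r"C:\Users\u\empty.txt": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",  # clean: SHA256 of an empty file
}

if __name__ == "__main__":
    for n, host, kind in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"line {n}: {kind} match on {host.replace('.', '[.]')}")
    for path, label in match_hashes(SAMPLE_INVENTORY):
        print(f"{path}: {label}")
```

The third log line hits on a child host of thevegan8.shop, and the fourth (notthevegan8.shop) does not, because host_matches requires either an exact match or a dot before the indicator domain. Output is re-defanged so that copying it into a ticket does not create clickable links.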