Unknown APT group has targeted Russia repeatedly since Ukraine invasion

MITRE Techniques

• [T1566.001] Spearphishing Attachment – Campaign used spear-phishing emails with attachments and a subject in content related to vulnerabilities. ‘Rostec. FSB RF. Roskomnadzor. Urgent Vulnerability Fixes’
• [T1059.005] Visual Basic – VBScript-based dropper chain (UpdateRunner.vbs/HelpCenterUpdater.vbs) used to drop and execute payloads. ‘The job of the UpdateRunner.vbs script is to execute the DLL through rundll32.exe.’
• [T1083] File and Directory Discovery – The malware enumerates files with FindFirstFile/FindNextFile to list directory contents. ‘FindFirstFile and FindNextFile function to retrieve a list of all the files under the directory.’
• [T1105] Ingress Tool Transfer – Main payload downloaded from the C2 server (GE40BRmRLP.dll). ‘downloads the main payload—a DLL named GE40BRmRLP.dll—from its command and control (C2) server.’
• [T1027] Obfuscated/Compressed Files and Information – The DLL is heavily obfuscated with XOR-encoded strings and control-flow flattening. ‘The payload’s strings are obfuscated with simple XOR encoding.’
• [T1071.001] Web Protocols – C2 communication uses HTTP(S) GET requests and TLS via WolfSSL; talks to the C2 with encoded data. ‘GET requests in the form url/?wSR=’
• [T1059.003] Windows Command Shell – The loader uses CreateProcessA for command execution and rundll32 to run payloads, indicating command execution workflows. ‘CreateProcessA’ and ‘rundll32.exe’
• [T1566.002] Masquerading – Files are named to resemble legitimate software (e.g., build_rosteh4.exe) to look like Rostec software. ‘an apparent attempt to make it look like software from Rostec’
• [T1204.002] User Execution – The Saudi Aramco campaign relied on a macro-enabled document and a prompt to enable macros. ‘a message in Russian, asking users to enable macros.’