The defense sector in Ukraine and Eastern Europe is being targeted with a new .NET-based backdoor called DeliveryCheck (aka CAPIBAR or GAMEDAY) that can deliver next-stage payloads.
The Microsoft Threat Intelligence team, in collaboration with the Computer Emergency Response Team of Ukraine (CERT-UA), has attributed the attacks to a Russian nation-state actor known as Turla, which is also tracked under the names Iron Hunter, Secret Blizzard (formerly Krypton), Uroburos, Venomous Bear, and Waterbug. The group is linked to the Russian Federal Security Service (FSB).
“DeliveryCheck is distributed via email as a document containing malicious macros,” the company said in a series of tweets. “It persists via a scheduled task that downloads it into memory and launches it. It also connects to a C2 server to retrieve tasks, which may include launching arbitrary payloads embedded in XSLT stylesheets.”
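The persistence described in the quote above (a scheduled task that downloads and launches the implant in memory) leaves a command line behind in the task's Exec action, which is the cheapest place to hunt for it. The following is an added example, not code from the article or from Microsoft's report: it enumerates scheduled tasks on a Windows host, decodes any `-EncodedCommand` payload, and flags actions matching download-and-run or in-memory-loading strings. The function name and the indicator list are my own assumptions for illustration, not Microsoft's detection logic, and will need tuning for your environment.

```powershell
# Added example (not from the article or from Microsoft's report): enumerate
# scheduled tasks and flag Exec actions whose command line (or decoded
# -EncodedCommand payload) suggests "download into memory and launch".
# Indicator strings are an assumption chosen for illustration.

function Get-SuspiciousScheduledTask {
    param(
        # Substrings suggesting download-and-run or in-memory loading (assumption).
        [string[]]$Indicators = @(
            'DownloadString', 'DownloadData', 'DownloadFile',
            'Invoke-WebRequest', 'Invoke-RestMethod',
            'Invoke-Expression', 'IEX(', 'IEX ',
            'FromBase64String', 'Assembly]::Load',
            'XslCompiledTransform', 'msxsl:script'
        )
    )

    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            # Only Exec actions carry a command line; COM-handler actions do not.
            if (-not $action.Execute) { continue }
            $cmdline = "$($action.Execute) $($action.Arguments)".Trim()

            # Case-insensitive substring match. -like is avoided on purpose:
            # '[' and ']' in the indicators would be read as wildcard classes.
            $hits = @($Indicators | Where-Object {
                $cmdline.IndexOf($_, [StringComparison]::OrdinalIgnoreCase) -ge 0 })

            # -EncodedCommand hides the real script behind UTF-16LE base64;
            # decode it and apply the same indicators to the decoded text.
            if ($action.Arguments -match '-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})') {
                $hits += 'EncodedCommand'
                try {
                    $decoded = [Text.Encoding]::Unicode.GetString(
                        [Convert]::FromBase64String($Matches[1]))
                    $hits += @($Indicators | Where-Object {
                        $decoded.IndexOf($_, [StringComparison]::OrdinalIgnoreCase) -ge 0 } |
                        ForEach-Object { "decoded:$_" })
                } catch { $hits += 'EncodedCommand:undecodable' }
            }

            if ($hits.Count -gt 0) {
                $info = Get-ScheduledTaskInfo -TaskName $task.TaskName -TaskPath $task.TaskPath -ErrorAction SilentlyContinue
                [pscustomobject]@{
                    TaskPath    = $task.TaskPath
                    TaskName    = $task.TaskName
                    RunsAs      = $task.Principal.UserId
                    State       = $task.State
                    LastRunTime = $info.LastRunTime
                    CommandLine = $cmdline
                    Indicators  = ($hits -join ', ')
                }
            }
        }
    }
}

# Run from an elevated prompt so tasks registered by every principal are visible.
Get-SuspiciousScheduledTask | Format-Table -AutoSize -Wrap
```

Expect some noise from legitimate management tooling; compare hits against a known-good baseline and against the task XML under `%SystemRoot%\System32\Tasks`, and treat a task whose action is a bare `powershell.exe` with an encoded command running as SYSTEM as a priority for triage rather than as proof on its own.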
Successful initial access is in some cases also accompanied by the distribution of a known Turla implant called Kazuar, which can steal application configuration files, event logs, and a wide range of data from web browsers.
The ultimate goal of the attacks is to exfiltrate messages from the Signal messaging app for Windows, giving the attacker access to sensitive conversations, documents, and images on the targeted system.
A notable feature of DeliveryCheck is that it infiltrates Microsoft Exchange servers and uses PowerShell Desired State Configuration (DSC), a PowerShell management platform that helps administrators automate the configuration of Windows systems, to deploy its server-side component.
“DSC generates a Managed Object Format (MOF) file containing a PowerShell script that loads an embedded .NET payload into memory, effectively turning a legitimate server into a malware C2 center,” Microsoft explained.
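Because the LCM (DSC's Local Configuration Manager) happily executes whatever PowerShell a Script resource carries, the compiled MOF on the box is the artifact to review. The following is an added example, not code from the article or from Microsoft's report: it prints where the LCM is configured to fetch configuration from, then parses the MOF documents the LCM keeps under `%SystemRoot%\System32\Configuration` (the standard Windows PowerShell 5.1 locations) and flags `MSFT_ScriptResource` instances whose embedded script looks like an in-memory .NET loader. The function names and the indicator list are my own assumptions for illustration.

```powershell
# Added example (not from the article or from Microsoft's report): review the
# LCM's configuration source and hunt the compiled MOF documents it applies
# for Script resources that load .NET code into memory.  Paths are the
# standard Windows PowerShell 5.1 LCM locations; indicators are an assumption.

#Requires -RunAsAdministrator

# 1. Where does this LCM get its configuration from?  Pull mode on a host that
#    should be push-only, or a pull server URL you do not recognise, is itself
#    a finding.
Get-DscLocalConfigurationManager |
    Select-Object RefreshMode, ConfigurationMode, RebootNodeIfNeeded,
        @{ n = 'PullServers'; e = { @($_.ConfigurationDownloadManagers).ServerURL -join ', ' } }

function Expand-MofString {
    # MOF string literals are double-quoted with C-style escapes (\" \\ \n);
    # undo them so the embedded script reads as the LCM would execute it.
    param([string]$Literal)
    [regex]::Replace($Literal, '\\(.)', [System.Text.RegularExpressions.MatchEvaluator]{
        param($m)
        switch ($m.Groups[1].Value) {
            'n'     { "`n" }
            'r'     { "`r" }
            't'     { "`t" }
            default { $m.Groups[1].Value }
        }
    })
}

function Get-DscScriptResource {
    # Parse every "instance of MSFT_ScriptResource" block (the compiled form of
    # a DSC Script resource) out of a MOF file and return its script properties.
    param([Parameter(Mandatory)][string]$Path)
    $text = Get-Content -Path $Path -Raw -ErrorAction Stop
    # Strings are serialised on one line, so a line that starts with "};" ends
    # the instance rather than being a brace inside the script body.
    foreach ($m in [regex]::Matches($text, '(?sm)instance of MSFT_ScriptResource\b.*?^\};')) {
        $props = @{}
        # Escape-aware literal: \" and \\ inside the quotes do not end it.
        foreach ($p in [regex]::Matches($m.Value, '(?s)\b(\w+)\s*=\s*"((?:[^"\\]|\\.)*)"\s*;')) {
            $props[$p.Groups[1].Value] = Expand-MofString $p.Groups[2].Value
        }
        [pscustomobject]@{
            File       = $Path
            ResourceID = $props['ResourceID']
            GetScript  = $props['GetScript']
            TestScript = $props['TestScript']
            SetScript  = $props['SetScript']
        }
    }
}

# Strings that, inside a Script resource, point at an in-memory .NET loader or a
# download-and-execute step rather than ordinary configuration work (assumption).
$loaderIndicators = @(
    'Assembly]::Load', 'FromBase64String', 'Invoke-Expression', 'IEX',
    'Add-Type', 'XslCompiledTransform', 'DownloadString', 'DownloadData'
)

# 2. The MOFs the LCM has applied (Current), is about to apply (Pending),
#    applied before (Previous), plus any partial configurations.
$lcmDir   = Join-Path $env:SystemRoot 'System32\Configuration'
$mofFiles = @('Current.mof', 'Pending.mof', 'Previous.mof' | ForEach-Object { Join-Path $lcmDir $_ }) +
            @(Get-ChildItem (Join-Path $lcmDir 'PartialConfigurations') -Filter *.mof -Recurse -ErrorAction SilentlyContinue | ForEach-Object FullName)

foreach ($mof in ($mofFiles | Where-Object { Test-Path $_ })) {
    foreach ($res in Get-DscScriptResource -Path $mof) {
        foreach ($phase in 'GetScript', 'TestScript', 'SetScript') {
            $script = $res.$phase
            if (-not $script) { continue }
            $hits = @($loaderIndicators | Where-Object {
                $script.IndexOf($_, [StringComparison]::OrdinalIgnoreCase) -ge 0 })
            if ($hits.Count -eq 0) { continue }
            $flat = $script -replace '\s+', ' '
            [pscustomobject]@{
                File       = $mof
                ResourceID = $res.ResourceID
                Phase      = $phase
                Indicators = ($hits -join ', ')
                Preview    = $flat.Substring(0, [Math]::Min(120, $flat.Length))
            }
        }
    }
}
```

Two practical caveats: on a server that is not managed with DSC at all, the mere existence of `Current.mof` or `Pending.mof` is worth explaining before any parsing, and the `Microsoft-Windows-DSC/Operational` event log records each consistency run, so a Script resource that fires on every LCM cycle shows up there even after the MOF has been replaced.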
The disclosure comes as the Ukrainian cyber police dismantled a large bot farm in which more than 100 individuals are accused of spreading hostile propaganda justifying Russia’s aggression, leaking personal information of Ukrainian citizens, and engaging in various fraudulent schemes.
As part of the operation, 21 locations were raided and computer equipment, mobile phones, more than 250 GSM gateways and about 150,000 SIM cards from various mobile operators were seized.