July 20, 2023 | THN | Cyber Attack/Malware

Defense sectors in Ukraine and Eastern Europe are being targeted with a new .NET-based backdoor, DeliveryCheck (aka CAPIBAR or GAMEDAY), that can deliver next-stage payloads.

The Microsoft Threat Intelligence team, in collaboration with the Computer Emergency Response Team of Ukraine (CERT-UA), has attributed the attack to a Russian nation-state actor known as Turla. The group is also tracked under the names Iron Hunter, Secret Blizzard (formerly Krypton), Uroburos, Venomous Bear, and Waterbug, and is associated with the Russian Federal Security Service (FSB).

“DeliveryCheck is distributed via email as a document containing malicious macros,” the company said in a series of tweets. “It persists via a scheduled task that downloads it into memory and launches it. It also connects to a C2 server to retrieve tasks. This may include launching arbitrary payloads embedded in XSLT stylesheets.”

Successful initial access sometimes also involves distribution of a known Turla implant called Kazuar, capable of stealing application configuration files, event logs, and a wide range of data from web browsers.

The ultimate goal of the attack is to steal messages from the Signal messaging app for Windows, giving the attacker access to sensitive conversations, documents, and images on the targeted system.

A notable feature of DeliveryCheck is that it infiltrates Microsoft Exchange servers and abuses PowerShell Desired State Configuration (DSC), a PowerShell management platform that helps administrators automate the configuration of Windows systems.

“DSC generates a Managed Object Format (MOF) file containing a PowerShell script that loads an embedded .NET payload into memory, effectively turning a legitimate server into a malware C2 center,” Microsoft explained.
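The two persistence mechanisms described above (a scheduled task that pulls a loader into memory, and a DSC MOF whose Script resource carries an embedded .NET payload) both leave artifacts a defender can enumerate locally. The following triage script is an added example written for this page; it is not code from the article, Microsoft, or CERT-UA. It assumes an elevated PowerShell 5.1 or later session on the Windows host being checked (for example an Exchange server), uses only the built-in ScheduledTasks cmdlets and the Local Configuration Manager's MOF store under `%SystemRoot%\System32\Configuration`, and the keyword list it matches on is an illustrative assumption rather than a published indicator set for DeliveryCheck.

```powershell
# Added defender-side triage example; not code from the article, Microsoft, or CERT-UA.
# Assumes an elevated PowerShell 5.1+ session on the Windows host being checked
# (e.g. an Exchange server). The keyword list is an illustrative assumption, not a
# published indicator set for DeliveryCheck.

# Substrings that commonly appear in task actions or DSC Script bodies that fetch
# and run code in memory instead of dropping a file to disk.
$LoaderHints = @(
    '-EncodedCommand', '-enc ', '-ec ',
    'IEX', 'Invoke-Expression',
    'DownloadString', 'DownloadData', 'Invoke-WebRequest',
    'FromBase64String', 'Assembly]::Load'
)

function Find-LoaderHint {
    param([string]$Text)
    $LoaderHints | Where-Object { $Text -match [regex]::Escape($_) }
}

# 1. Scheduled tasks whose action resembles the in-memory PowerShell loader
#    Microsoft describes for DeliveryCheck's persistence.
function Get-SuspiciousScheduledTask {
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            if (-not $action.Execute) { continue }   # COM-handler / non-exec actions
            $cmd  = "$($action.Execute) $($action.Arguments)".Trim()
            $hits = @(Find-LoaderHint -Text $cmd)
            if ($hits.Count -gt 0) {
                [pscustomobject]@{
                    TaskPath = $task.TaskPath
                    TaskName = $task.TaskName
                    Author   = $task.Author
                    Command  = $cmd
                    Hints    = $hits -join ', '
                }
            }
        }
    }
}

# 2. DSC MOF documents applied on this host that contain a Script resource.
#    The Local Configuration Manager stores the current, pending and previous
#    configuration as MOF files under %SystemRoot%\System32\Configuration.
#    A Script resource embeds its SetScript body in the MOF, so a MOF that loads
#    a .NET payload into memory shows up here with its script text.
$DscConfigDir = Join-Path $env:SystemRoot 'System32\Configuration'

function Get-DscScriptResource {
    Get-ChildItem -Path $DscConfigDir -Filter '*.mof' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $mof  = $_
        $text = Get-Content -Path $mof.FullName -Raw -ErrorAction SilentlyContinue
        if (-not $text) { return }
        # Each resource is an "instance of <class> ... { ... };" block.
        foreach ($block in ($text -split 'instance of ')) {
            if ($block -notmatch '^MSFT_ScriptResource') { continue }
            $id  = if ($block -match 'ResourceID\s*=\s*"([^"]*)"') { $Matches[1] } else { '?' }
            # MOF strings escape embedded quotes as \" so match escaped-string syntax.
            $set = if ($block -match 'SetScript\s*=\s*"((?:[^"\\]|\\.)*)"') { $Matches[1] } else { '' }
            [pscustomobject]@{
                MofFile    = $mof.Name
                ResourceID = $id
                Hints      = (@(Find-LoaderHint -Text $set) -join ', ')
                SetScript  = $set.Substring(0, [Math]::Min(200, $set.Length))
            }
        }
    }
}

Write-Host '== Scheduled tasks with in-memory loader hints =='
Get-SuspiciousScheduledTask | Format-Table -AutoSize -Wrap

Write-Host "== DSC Script resources in $DscConfigDir =="
Get-DscScriptResource | Format-List
```

Any Script resource reported in the second section is worth reading in full, regardless of keyword hits: on a server that is not deliberately managed with DSC, the mere presence of a Current.mof or Pending.mof is unexpected and should be reconciled with the administrators who own the host. The keyword list only narrows attention; encoded or obfuscated loaders will not match it, so treat a clean result as a starting point rather than a clearance.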


The disclosure comes as the Ukrainian cyber police dismantled a large bot farm involving more than 100 individuals accused of spreading hostile propaganda justifying Russia’s aggression, leaking personal information of Ukrainian citizens, and engaging in various fraudulent schemes.

As part of the operation, 21 locations were raided and computer equipment, mobile phones, more than 250 GSM gateways and about 150,000 SIM cards from various mobile operators were seized.
