{"id":106281,"date":"2022-02-04T10:00:00","date_gmt":"2022-02-04T18:00:00","guid":{"rendered":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/?p=106281"},"modified":"2023-10-12T08:11:10","modified_gmt":"2023-10-12T15:11:10","slug":"actinium-targets-ukrainian-organizations","status":"publish","type":"post","link":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/02\/04\/actinium-targets-ukrainian-organizations\/","title":{"rendered":"ACTINIUM targets Ukrainian organizations"},"content":{"rendered":"\n
\nApril 2023 update<\/strong> \u2013 Microsoft Threat Intelligence has shifted to a new threat actor naming taxonomy aligned around the theme of weather. ACTINIUM <\/strong>is now tracked as Aqua Blizzard <\/strong>and DEV-0586 <\/strong>is now tracked as Cadet Blizzard<\/strong>.<\/p>\n\n\n\n
To learn about how the new taxonomy represents the origin, unique traits, and impact of threat actors, and to get a complete mapping of threat actor names, read this blog: Microsoft shifts to a new threat actor naming taxonomy<\/strong><\/a>.<\/p>\n<\/blockquote>\n\n\n\n
The Microsoft Threat Intelligence Center (MSTIC) is sharing information on a threat group named ACTINIUM, which has been operational for almost a decade and has consistently pursued access to organizations in Ukraine or entities related to Ukrainian affairs. MSTIC previously tracked ACTINIUM activity as DEV-0157, and this group is also referred to publicly as Gamaredon. <\/p>\n\n\n\n
NOTE: <\/strong>This blog is available in Ukrainian on the Microsoft CEE Multi-Country News Center to help organizations in Ukraine implement protections against this activity: \u0410\u041a\u0422\u0418\u041d\u0406\u0419(ACTINIUM) \u0430\u0442\u0430\u043a\u0443\u0454 \u0443\u043a\u0440\u0430\u0457\u043d\u0441\u044c\u043a\u0456 \u043e\u0440\u0433\u0430\u043d\u0456\u0437\u0430\u0446\u0456\u0457<\/a>.<\/em><\/p>\n\n\n\n
In the last six months, MSTIC has observed ACTINIUM targeting organizations in Ukraine spanning government, military, non-government organizations (NGO), judiciary, law enforcement, and non-profit, with the primary intent of exfiltrating sensitive information, maintaining access, and using acquired access to move laterally into related organizations. MSTIC has observed ACTINIUM operating out of Crimea with objectives consistent with cyber espionage. The Ukrainian government has publicly attributed this group<\/a> to the Russian Federal Security Service (FSB).<\/p>\n\n\n\n
Since October 2021, ACTINIUM has targeted or compromised accounts at organizations critical to emergency response and ensuring the security of Ukrainian territory, as well as organizations that would be involved in coordinating the distribution of international and humanitarian aid to Ukraine in a crisis. As with any observed nation-state actor activity, Microsoft directly notifies customers of online services that have been targeted or compromised, providing them with the information they need to secure their accounts. Microsoft has shared this information with Ukrainian authorities.<\/p>\n\n\n\n
ACTINIUM represents a unique set of activities separate from the destructive malware attacks by DEV-0586 described in an earlier blog post<\/a>. As of this writing, MSTIC has not found any indicators correlating these two actors or their operations. The observed ACTINIUM activities detailed in this blog have been limited only to organizations within Ukraine. We have not seen this actor using any unpatched vulnerabilities in Microsoft products or services.<\/p>\n\n\n\n
Given the geopolitical situation and the scale of observed activity, MSTIC is prioritizing sharing our knowledge of ACTINIUM tactics, techniques, and procedures (TTPs), along with a significant number of indicators of compromise (IOCs) from our extensive analysis. Our goal is to give organizations the latest intelligence to guide investigations into potential attacks and information to implement proactive protections against future attempts.<\/p>\n\n\n\n
Activity description<\/h2>\n\n\n\n
Microsoft has observed a repeated set of techniques and procedures throughout operations by ACTINIUM, with several significant elements that we believe are important to understanding these activities. It\u2019s important to note that ACTINIUM\u2019s tactics are constantly evolving; the activities described in this blog are some of the most consistent and notable observations by Microsoft, but these are not all-encompassing of actor TTPs.<\/p>\n\n\n\n
Phishing using remote templates<\/h3>\n\n\n\n
One of the access vectors most used by ACTINIUM is spear-phishing emails with malicious macro attachments that employ remote templates. Remote template injection refers to the method of causing a document to load a remote document template that contains the malicious code, in this case, macros. Delivery using remote template injection ensures that malicious content is only loaded when required (for example, when the user opens the document). This helps attackers to evade static detections, for example, by systems that scan attachments for malicious content. Having the malicious macro hosted remotely also allows an attacker to control when and how the malicious component is delivered, further evading detection by preventing automated systems from obtaining and analyzing the malicious component.<\/p>\n\n\n\n
MSTIC has observed a range of email phishing lures used by ACTINIUM, including those that impersonate and masquerade as legitimate organizations, using benign attachments to establish trust and familiarity with the target.<\/p>\n\n\n\n
<\/p>\n\n\n\n
This phishing email from ACTINIUM uses the sender domain who-int[.]info to masquerade as the legitimate who.int domain, assessed to be impersonating the World Health Organization <\/em><\/figcaption><\/figure>\n\n\n\n Within the body of phishing messages, ACTINIUM has been observed to insert web bugs, which are small external image references that enable the actor to track when a message has been opened and rendered. These web bugs are not malicious by themselves but may indicate that the email is intended for malicious use. Here\u2019s an example of a web bug used by ACTINIUM:<\/p>\n\n\n\n
<\/p>\n\n\n\n
<\/figure>\n\n\n\nACTINIUM\u2019s lure documents appear to be legitimate and vary in style and content. For example, the lure document below included a remote template at the following URL: hxxp:\/\/usa-national[.]info\/USA\/sensible[.]dot. While a domain was used in this instance, links with static IP addresses have also been used.<\/p>\n\n\n\n
<\/p>\n\n\n\n
This URL and the related lure .dot document from ACTINIUM is responsible for loading the malicious remote template. This document uses text from a legitimate who.int situational COVID-19 update report published on July 27, 2021.<\/em><\/figcaption><\/figure>\n\n\n\n ACTINIUM phishing attachments contain a first-stage payload that downloads and executes further payloads. There may be multiple subsequent \u201cstaging\u201d scripts before a more fully-featured malicious capability is deployed to a compromised device. It\u2019s unclear why there are often multiple stages; one hypothesis is that these staging VBScripts are easier to modify to incorporate new obfuscation or command-and-control (C2) changes. It\u2019s also possible that ACTINIUM deploys these scripts to provide some assurance that detection systems are less likely to detect their main capabilities. These initial staging capabilities vary; examples include heavily obfuscated VBScripts, obfuscated PowerShell commands, self-extracting archives, LNK files, or a combination of these. ACTINIUM frequently relies on scheduled tasks in these scripts to maintain persistence. More information on some of the capabilities analyzed by MSTIC is included in the \u201cMalware and capabilities\u201d section.<\/p>\n\n\n\n
ACTINIUM operational infrastructure and wordlists<\/h3>\n\n\n\n
MSTIC assesses that ACTINIUM maintains a large quantity and degree of variation of its operational infrastructure to evade detection. ACTINIUM\u2019s operational infrastructure consists of many domains and hosts to facilitate payload staging and C2. In a single 30-day snapshot, MSTIC saw ACTINIUM utilizing over 25 new unique domains and over 80 unique IP addresses, demonstrating that they frequently modify or alter their infrastructure.<\/p>\n\n\n\n
ACTINIUM domain name DNS records frequently change, perhaps not frequently enough to be considered \u201cfast-flux\u201d, but most DNS records for the domains change once a day on average. More than 70% of the recent 200+ ACTINIUM IP addresses are owned by ASN 197695 \u2013 REG.RU. Most ACTINIUM domains are also registered through the same owning company registrar (REG.RU). It is unclear why ACTINIUM appears to favor these legitimate providers. <\/p>\n\n\n\n
Malware authored by ACTINIUM often utilizes randomized subdomains for C2. These subdomains have included the use of an apparent English wordlist in their generation procedure, making the domains appear more legitimate while frustrating network defense tools that may rely on domain name blocks. A list of the most common words MSTIC has observed is included in the IOCs below. Within the last 30 days, MSTIC has observed randomized schemes being used increasingly for subdomain patterns instead of wordlists, indicating a possible shift in methodology. One example of this randomization is the effect of their PowerShell stager using the Get-Random<\/em> cmdlet:’<\/p>\n\n\n\n
<\/p>\n\n\n\n
<\/figure>\n\n\n\nExamples of ACTINIUM subdomains encompassing both wordlists and randomized subdomains include:<\/p>\n\n\n\n
\n
- Jealousy[.]Jonas[.]artisola[.]ru<\/li>\n\n\n\n
- Deliberate[.]brontaga[.]ru<\/li>\n\n\n\n
- registration83[.]alteration[.]luck[.]mirotas[.]ru<\/li>\n\n\n\n
- 001912184[.]retarus[.]ru<\/li>\n\n\n\n
- 637753599292688334[.]jolotras[.]ru<\/li>\n<\/ul>\n\n\n\n
While the fast-flux nature of ACTINIUM infrastructure means that IP addresses are less useful IOCs, there is a clear preference for it on a specific ASN. Such preference may help defenders determine whether a domain may be more likely to be owned by ACTINIUM. A list of more recent IP addresses is included in the IOCs below.<\/p>\n\n\n\n
ACTINIUM appears to employ this same wordlist to obfuscate other aspects of their attacks. For example, as previously mentioned, ACTINIUM often maintains persistence by using scheduled tasks to run their malicious payloads. The payloads are often named with seemingly random words and phrases with valid (but irrelevant) extensions. The files are then executed using scripts with the \/E:VBScript<\/em> flag to specify the VBScript engine (and to effectively ignore the random file extension assigned to the payload) and the \/b<\/em> flag to mute alerts and errors. The following is an example:<\/p>\n\n\n\n
<\/p>\n\n\n\n
<\/figure>\n\n\n\nThe terms deep-grounde<\/em>d, deerfield<\/em>, and defiance<\/em> above are used as the name of a scheduled task, a folder name, and a file name, respectively. Terms generated from the wordlist, like those in the example above, have been generated and used on multiple targets and are also used to generate subdomains as previously described. These generated terms may frustrate network defenders as the names of scheduled tasks, file names, and others are almost never the same for each target. We have compiled a list of the terms that MSTIC has observed in the IOCs provided below. Network defenders may be able to use the said list to determine whether a scheduled task, file, or domain is likely to warrant further investigation.<\/p>\n\n\n\n
Maintaining persistence and gathering intelligence<\/h3>\n\n\n\n
MSTIC assesses that the primary outcome of activities by ACTINIUM is persistent access to networks of perceived value for the purpose of intelligence collection. Despite seemingly wide deployment of malicious capabilities in the region, follow-on activities by the group occur in areas of discrete interest, indicating a possible review of targeting. Following initial access, MSTIC has observed ACTINIUM deploying tools such as \u201cPterodo\u201d to gain interactive access to target networks. In some cases, MSTIC has observed deployments of UltraVNC to enable a more interactive connection to a target. UltraVNC is a legitimate and fully-featured open-source remote desktop application that allows ACTINIUM to easily interact with a target host without relying on custom, malicious binaries that may be detected and removed by security products.<\/p>\n\n\n\n
Malware and capabilities<\/h3>\n\n\n\n
ACTINIUM employs a variety of malware families with assessed objectives to deploy remotely retrieved or embedded payloads before execution. MSTIC has analyzed several of these payloads and tracks the rapidly developing binaries as the following families: DinoTrain, DesertDown, DilongTrash, ObfuBerry, ObfuMerry, and PowerPunch. The PowerPunch malware family is an excellent example of an agile and evolving sequence of malicious code and is further explained below.<\/p>\n\n\n\n
The actor quickly develops new obfuscated and lightweight capabilities to deploy more advanced malware later. These are fast-moving targets with a high degree of variance. Analyzed payloads regularly place a strong emphasis on obfuscated VBScripts. As an attack, this is not a novel approach, yet it continues to prove successful as antivirus solutions must consistently adapt to keep pace with a very agile threat.<\/p>\n\n\n\n
The most feature-rich malware family we track relating to ACTINIUM activity is known widely within the industry as \u201cPterodo\u201d. In the following sections, we break down Pterodo further and review a binary called QuietSieve that is specifically geared toward file exfiltration and monitoring. <\/p>\n\n\n\n
PowerPunch<\/h4>\n\n\n\n
The droppers and downloader family names tend to be fast-moving targets due to the heavy use of obfuscation and simple functionality. For example, PowerPunch is executed from within PowerShell as a one-line command, encoded using Base64:<\/p>\n\n\n\n
<\/p>\n\n\n\n
<\/figure>\n\n\n\nThese binaries also exhibit features that rely on data from the compromised host to inform encryption of the next stage. PowerPunch also provides an excellent example of this. In the following code snippet, the VolumeSerialNumber of the host serves as the basis for a multibyte XOR key. The key is applied to an executable payload downloaded directly from adversary infrastructure, allowing for an encryption key unique to the target host (highlighted variables names were changed for clarity).<\/p>\n\n\n\n
<\/p>\n\n\n\n
<\/figure>\n\n\n\nUltimately, a next-stage executable is remotely retrieved and dropped to disk prior to execution.<\/p>\n\n\n\n
<\/p>\n\n\n\n
<\/figure>\n\n\n\nPterodo<\/h4>\n\n\n\n
MSTIC has also reviewed several variants of ACTINIUM\u2019s more fully-featured Pterodo malware. A couple of features play a direct role in this malware\u2019s ability to evade detection and thwart analysis: its use of a dynamic Windows function hashing algorithm to map necessary API components, and an \u201con-demand\u201d scheme for decrypting needed data and freeing allocated heap space when used.<\/p>\n\n\n\n
The function hashing algorithm is used to map a hash value of a given function name to its corresponding location in memory using a process known as Run-Time Dynamic Linking.<\/a> Pre-computed hashes are passed to the hashing algorithm alongside the Windows library containing the related function name. Each function name within the library is hashed; when a match is found, its address is saved.<\/p>\n\n\n\n
<\/p>\n\n\n\n
<\/figure>\n\n\n\nThe hashing algorithm itself has historically not been terribly complex, and when considering an example such as SHA-256 51b9e03db53b2d583f66e47af56bb0146630f8a175d4a439369045038d6d2a45,<\/a> it may be emulated using Python logic as follows:<\/p>\n\n\n\n
<\/p>\n\n\n\n
<\/figure>\n\n\n\nWhen pre-computing these hashes over different Windows DLLs commonly used in schemes like this, it is possible to map out these hash values and the corresponding Windows function name using open-source tools like the MITRE malchive<\/a>.<\/p>\n\n\n\n
<\/p>\n\n\n\n
<\/figure>\n\n\n\nWe have seen this behavior in many different malware families before. The hashing algorithm has been consistent within those families, allowing analysis like this to scale forward. Unfortunately, in Pterodo\u2019s case, there is far too much drift in the algorithm for it to be used reliably. The algorithm has been different in many of the samples we\u2019ve reviewed. Additionally, the application of this technique seems to vary among samples. Some samples have been observed to use it for most Windows function calls, while others have used it very sparingly.<\/p>\n\n\n\n
However, Windows libraries need to be loaded before function hashes are computed. The names of these libraries and other strings required by the malware are recovered using an \u201con-demand\u201d scheme that decrypts the data, uses it, and immediately frees the associated heap space once it is no longer needed.<\/p>\n\n\n\n
<\/p>\n\n\n\n
<\/figure>\n\n\n\nAs seen in the screenshot above, data is passed into a decryption function before being used in a call to GetModuleHandleA<\/em>. Before the hashing routine uses the module handle, the decrypted string representing the function name has its associated heap space freed and may be later overwritten. However, the reconstruction of this data is straightforward within the two core decryption algorithms we have observed. The first one relies on an encrypted blob whose first value is interpreted as the size of the decrypted data in DWORD (four-byte) chunks.<\/p>\n\n\n\n
<\/p>\n\n\n\n
<\/figure>\n\n\n\nThis data is decrypted four bytes at a time, with the last byte being the encrypted content. Each encrypted byte is XOR\u2019d using a multibyte key sequence unique to each sample reviewed. In our example, the ASCII key sequence 39d84sdfjh<\/em> is applied to the content above to produce the module name Kernel32<\/em>.<\/p>\n\n\n\n
A slight deviation from this approach was also uncovered in samples such as SHA-256 2042a2feb4d9f54d65d7579a0afba9ee1c6d22e29127991fbf34ea3da1659904,<\/a> where the decryption algorithm is passed data representing two WORD values: one mapping to the offset of the encrypted content within the malware and another representing the length. These parameters are recovered, and a much longer multibyte XOR sequence is applied to the encrypted content after the starting index is computed.<\/p>\n\n\n\n
Application of either approach allows us to gain a greater level of analysis into strings used by the malware. Continuing with the approach used by the previously cited example, we can apply the multibyte XOR key over the entire encrypted data space, resulting in the following content:<\/p>\n\n\n\n
<\/p>\n\n\n\n
<\/figure>\n\n\n\nPterodo has been observed to be a constantly evolving malware family with a range of capabilities intended to make analysis more difficult. By applying our understanding, we can expose more malware elements to further advance mitigation and detection efforts.<\/p>\n\n\n\n
QuietSieve<\/h4>\n\n\n\n
The QuietSieve malware family refers to a series of heavily-obfuscated .NET binaries specifically designed to steal information from the target host. Before enumerating target files on the host, QuietSieve first checks for connectivity by sending a test ping to 8.8.8.8 (Google public DNS). The creation of the buffer for the ICMP request is done manually within QuietSieve and contains all null values for the 32-byte data portion of the ICMP packet. If this check succeeds, a randomly-generated alphanumeric prefix is created and combined with the callback domain as a subdomain before an initial request is made over HTTPS.<\/p>\n\n\n\n
If the connection is successful, the following file name extensions are searched for within removable, fixed, or networked drives: doc<\/em>, docx<\/em>, xls<\/em>, rtf<\/em>, odt<\/em>, txt<\/em>, jpg<\/em>, pdf<\/em>, rar<\/em>, zip<\/em>, and 7z<\/em>. Candidate files are queued up for upload. They are also inventoried via a specific MD5 hash value computed based on attributes of the target file and compromised host, such as the volume serial number, file size, and last write timestamp assigned to the file. Computed hashes are logged to an inventory log file that serves as a reference point checked by the malware to avoid duplicate exfiltration. QuietSieve will also take screenshots of the compromised host approximately every five minutes and save them in the user\u2019s local Application Data<\/em> folder under Temp\\SymbolSourceSymbols\\icons<\/em> or Temp\\ModeAuto\\icons<\/em> using the format yyyy-MM-dd-HH-mm<\/em> along with the jpg<\/em> file extension.<\/p>\n\n\n\n
<\/p>\n\n\n\n
<\/figure>\n\n\n\nWhile the QuietSieve malware family is primarily geared towards the exfiltration of data from the compromised host, it can also receive and execute a remote payload from the operator. These payloads are written to the user\u2019s Application Data<\/em> folder with a random alphanumeric name and are executed in a hidden window.<\/p>\n\n\n\n
Microsoft will continue to monitor ACTINIUM activity and implement protections for our customers.<\/p>\n\n\n\n
Indicators of compromise (IOCs)<\/h2>\n\n\n\n
The following IOCs were observed during our investigation. We encourage our customers to investigate these indicators in their environments and implement detections and protections to identify past related activity and prevent future attacks against their systems.<\/p>\n\n\n\n
Analyst note on ACTINIUM IOCs: <\/u><\/em>ACTINIUM registers and administers a large amount of infrastructure. It\u2019s not always possible to accurately determine what malicious component connects to which C2 infrastructure. MSTIC has observed cases where the same C2 is used for different components (for example, corolain[.]ru).<\/p>\n\n\n\n
Example malware samples and associated infrastructure<\/h3>\n\n\n\n
QuietSieve<\/h4>\n\n\n\n