2022-05-31

Russian Government Targeted by Unknown APT Group

Industry: Government | Level: Tactical | Source: MalwareBytes

Malwarebytes Labs has identified several phishing campaigns by an as-yet unattributed APT group targeting Russian government entities since late February 2022, coinciding with the start of the invasion of Ukraine. Attribution remains undetermined, but early analysis and indicators point to a China-based threat group. The objective of the attacks is to install a remote access trojan (RAT). The lures have varied, including a fake "interactive map of Ukraine", a fake patch for Log4j, a software lure, and a fictitious job posting for Saudi Aramco. Each email carries a malicious document, an executable, or a TAR archive as an attachment.

In the Saudi Aramco job-posting campaign, the document's macro drops a VBS script, which downloads a DLL payload and executes it with rundll32; the DLL contains the code that communicates with the attacker's command-and-control (C2) server. Although only the Saudi Aramco payload was analyzed in detail, Malwarebytes determined that the malware delivered across all the campaigns is the same.

Anvilogic Scenario:

  • Malicious Document Delivering Malware

Anvilogic Use Cases:

  • Malicious Document Execution
  • Compressed File Execution
  • Executable File Written to Disk
  • Wscript/Cscript Execution
  • Rundll32 Command Line
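The use cases above map onto the macro -> VBS -> rundll32 chain described in the summary. The following is an added example of how the last three stages can be tied together in detection logic; it is not Malwarebytes' or Anvilogic's code, and it does not use real indicators from the campaign. It assumes Sysmon-style process-creation (event ID 1) and file-creation (event ID 11) records flattened into Python dicts, and every hostname, PID/GUID, path and timestamp in it is constructed for illustration.

```python
"""Correlate an Office -> script host -> rundll32 chain in constructed Sysmon-style events.

Added example for this threat summary (not code from Malwarebytes or Anvilogic).
Field names mirror Sysmon's but are an assumption; all sample values are constructed.
"""
from datetime import datetime, timedelta

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Directories a low-privileged user can write to. A DLL that rundll32 loads from
# one of these is far more suspicious than one loaded from System32.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\",
                 "\\users\\public\\", "\\downloads\\")


def basename(path):
    """Lower-cased final path component, tolerant of either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def office_spawned_script(ev):
    """Use case 'Wscript/Cscript Execution': an Office app launching a script host."""
    return (ev["event_id"] == 1
            and basename(ev["parent_image"]) in OFFICE_APPS
            and basename(ev["image"]) in SCRIPT_HOSTS)


def suspicious_rundll32(ev):
    """Use case 'Rundll32 Command Line': rundll32 loading a DLL from a user-writable path."""
    if ev["event_id"] != 1 or basename(ev["image"]) != "rundll32.exe":
        return False
    cmd = ev["command_line"].lower()
    return any(d in cmd for d in USER_WRITABLE)


def dll_written_to_user_path(ev):
    """Use case 'Executable File Written to Disk': a .dll created in a user-writable path."""
    target = ev.get("target_filename", "").lower()
    return (ev["event_id"] == 11 and target.endswith(".dll")
            and any(d in target for d in USER_WRITABLE))


def correlate_chain(events, window=timedelta(minutes=5)):
    """Alert when an Office-spawned script host starts a suspicious rundll32 within
    `window`, linking stages by process GUID on the same host. Any DLL written to a
    user-writable path between the two stages is attached as supporting evidence."""
    children = {}
    for ev in events:
        if ev["event_id"] == 1:
            children.setdefault((ev["host"], ev["parent_guid"]), []).append(ev)

    alerts = []
    for script in filter(office_spawned_script, events):
        start = script["time"]
        for child in children.get((script["host"], script["process_guid"]), []):
            if suspicious_rundll32(child) and timedelta(0) <= child["time"] - start <= window:
                writes = [f["target_filename"] for f in events
                          if f["host"] == script["host"] and dll_written_to_user_path(f)
                          and start <= f["time"] <= child["time"]]
                alerts.append({
                    "host": script["host"],
                    "chain": [basename(script["parent_image"]), basename(script["image"]),
                              basename(child["image"])],
                    "rundll32_cmd": child["command_line"],
                    "dll_written": writes,
                })
    return alerts


def ts(s):
    return datetime.fromisoformat(s)


# Constructed sample telemetry: one malicious chain plus one benign rundll32 use.
SAMPLE_EVENTS = [
    # Stage 1: the lure document's macro launches wscript.exe to run the dropped VBS.
    {"event_id": 1, "host": "ws01", "time": ts("2022-03-01T09:00:00"),
     "image": r"C:\Windows\System32\wscript.exe",
     "command_line": r'wscript.exe "C:\Users\u\AppData\Local\Temp\job.vbs"',
     "process_guid": "p-200", "parent_guid": "p-100",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    # Stage 2: the VBS writes the downloaded DLL payload to disk.
    {"event_id": 11, "host": "ws01", "time": ts("2022-03-01T09:00:04"),
     "image": r"C:\Windows\System32\wscript.exe", "process_guid": "p-200",
     "target_filename": r"C:\Users\u\AppData\Local\Temp\payload.dll"},
    # Stage 3: the VBS executes the DLL through rundll32.
    {"event_id": 1, "host": "ws01", "time": ts("2022-03-01T09:00:05"),
     "image": r"C:\Windows\System32\rundll32.exe",
     "command_line": r"rundll32.exe C:\Users\u\AppData\Local\Temp\payload.dll,Start",
     "process_guid": "p-300", "parent_guid": "p-200",
     "parent_image": r"C:\Windows\System32\wscript.exe"},
    # Benign: Explorer invoking a System32 DLL through rundll32; must not alert.
    {"event_id": 1, "host": "ws01", "time": ts("2022-03-01T09:01:00"),
     "image": r"C:\Windows\System32\rundll32.exe",
     "command_line": r"rundll32.exe shell32.dll,Control_RunDLL",
     "process_guid": "p-400", "parent_guid": "p-1",
     "parent_image": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for alert in correlate_chain(SAMPLE_EVENTS):
        print(alert)
```

Each helper is one of the listed use cases on its own; the correlation is what turns them into the "Malicious Document Delivering Malware" scenario, because rundll32 and wscript each have plenty of legitimate uses and only the parent-child link plus the user-writable DLL path make the sequence worth an alert. In production the GUID join and the time window would be expressed in the SIEM's query language rather than in Python, but the logic is the same.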
