New findings show that a threat cluster linked to the Russian nation-state actor tracked as Sandworm has continued its targeting of Ukraine with commodity malware by masquerading as telecom providers.
Recorded Future said it discovered new infrastructure belonging to UAC-0113 that mimics operators like Datagroup and EuroTransTelecom to deliver payloads such as Colibri loader and Warzone RAT.
The attacks are said to be an expansion of the same campaign that previously distributed DCRat (also known as DarkCrystal RAT) through phishing emails carrying legal aid-themed lures aimed at Ukrainian telecommunications providers.
Sandworm is a destructive Russian threat group best known for the 2015 and 2016 attacks on the Ukrainian electrical grid and the 2017 NotPetya outbreak. The U.S. Department of Justice has attributed it to Unit 74455 of Russia's GRU military intelligence agency.
The adversarial collective, also known as Voodoo Bear, attempted in April 2022 to damage high-voltage electrical substations, computers, and networking equipment in Ukraine for the third time, this time with a new variant of the Industroyer malware, dubbed Industroyer2.
Since Russia's invasion of Ukraine, the group has also carried out numerous other attacks, including exploiting the Follina vulnerability (CVE-2022-30190) in the Microsoft Windows Support Diagnostic Tool (MSDT) to breach media organizations in the country.
In addition, it was identified as the operator of Cyclops Blink, a modular botnet that compromised internet-facing WatchGuard firewall appliances and ASUS routers.
The U.S. government, for its part, has announced up to $10 million in rewards for information on six hackers associated with the APT group for participating in malicious cyber activities against critical infrastructure in the country.
“A transition from DarkCrystal RAT to Colibri Loader and Warzone RAT demonstrates UAC-0113’s broadening but continuing use of publicly available commodity malware,” Recorded Future said.
In the attacks, the fraudulent domains host a web page purporting to come from the "Odesa Regional Military Administration," while an encoded ISO image payload is stealthily delivered through a technique known as HTML smuggling.
As the name implies, HTML smuggling is an evasive delivery technique that uses legitimate HTML5 and JavaScript features to reconstruct the payload inside the victim's browser: the file travels embedded in the page as an encoded blob (typically base64) and is decoded and offered for download client-side, so perimeter controls that inspect the HTTP response see only HTML and script rather than a recognizable executable or disk image.
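The following triage script is an added example written for this page; it is not code from Recorded Future or from the campaign, and the embedded HTML page is a constructed sample that mirrors the pattern described above (a base64 literal decoded with `atob`, wrapped in a `Blob`, and handed to an anchor's `download` attribute). The "ISO" it smuggles is a zero-filled buffer carrying only the ISO 9660 volume descriptor signature, so nothing malicious is present. It shows what a defender can pull out of a suspicious HTML attachment offline: the reconstruction APIs the script uses, the decoded payload's type (by magic bytes), and the filename the page would save it under.

```python
import base64
import binascii
import re

# Constructed sample payload: a fake ISO 9660 image. Only the volume descriptor
# at logical block 16 (byte offset 0x8000) is populated; "CD001" is the
# standard identifier every ISO 9660 image carries at offset 0x8001.
def _fake_iso() -> bytes:
    img = bytearray(0x8800)
    img[0x8000] = 1                # volume descriptor type: primary
    img[0x8001:0x8006] = b"CD001"  # ISO 9660 standard identifier
    return bytes(img)

# Constructed sample page in the shape of an HTML smuggling lure (not the actor's page).
SAMPLE_HTML = """<html><body>
<h1>Odesa Regional Military Administration</h1>
<script>
var b64 = "%s";
var bin = atob(b64);
var bytes = new Uint8Array(bin.length);
for (var i = 0; i < bin.length; i++) bytes[i] = bin.charCodeAt(i);
var blob = new Blob([bytes], {type: "application/octet-stream"});
var a = document.createElement("a");
a.href = URL.createObjectURL(blob);
a.download = "document.iso";
a.click();
</script></body></html>""" % base64.b64encode(_fake_iso()).decode()

# JavaScript calls that together indicate client-side payload reconstruction.
SMUGGLING_APIS = ("atob(", "new Blob(", "URL.createObjectURL",
                  "msSaveOrOpenBlob", "msSaveBlob", ".download", ".click()")
# Long quoted base64 literals; the 200-char floor skips inline icons and CSS.
B64_LITERAL = re.compile(r'["\']([A-Za-z0-9+/]{200,}={0,2})["\']')
DOWNLOAD_NAME = re.compile(r'\.download\s*=\s*["\']([^"\']+)["\']')

def sniff(payload: bytes) -> str:
    """Identify a decoded blob by magic bytes: ISO 9660, PE, or ZIP (incl. OOXML)."""
    if len(payload) > 0x8006 and payload[0x8001:0x8006] == b"CD001":
        return "iso9660"
    if payload[:2] == b"MZ":
        return "pe"
    if payload[:4] == b"PK\x03\x04":
        return "zip"
    return "unknown"

def triage(html: str) -> dict:
    """Return the smuggling indicators found in one HTML page."""
    apis = [api for api in SMUGGLING_APIS if api in html]
    payloads = []
    for match in B64_LITERAL.finditer(html):
        try:
            data = base64.b64decode(match.group(1), validate=True)
        except (binascii.Error, ValueError):
            continue
        payloads.append({"size": len(data), "kind": sniff(data)})
    # Verdict: reconstruction APIs present AND an embedded blob that decodes to
    # a file type a browser would never build from a page for a legitimate reason.
    verdict = bool(apis) and any(p["kind"] != "unknown" for p in payloads)
    return {"apis": apis, "payloads": payloads,
            "download_names": DOWNLOAD_NAME.findall(html), "suspicious": verdict}

if __name__ == "__main__":
    print(triage(SAMPLE_HTML))
```

Real smuggling pages frequently add a transform before base64 (string reversal, a single-byte XOR, or splitting the literal across several variables), so a production version should feed the decoded candidate through those transforms as well; the magic-byte check still applies once the bytes are recovered. The decoded ISO can then be mounted read-only or opened with an ISO parser to get at the LNK inside.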
Recorded Future also said it identified similarities with another HTML dropper attachment used by the APT29 threat actor in a campaign aimed at Western diplomatic missions between May and June 2022.
“It is currently unknown why there is a similarity overlap between the two threat actor groups’ use of this ISO delivery functionality,” the researchers said. “One hypothesis is that UAC-0113 took inspiration from or directly copied this functionality from open source reporting on APT29, or that the same open source resource was used as a codebase.”
Embedded within the ISO file, created on August 5, 2022, are three files, including an LNK file that tricks the victim into activating the infection sequence, resulting in the deployment of both the Colibri loader and Warzone RAT to the target machine.
The execution of the LNK file also launches an innocuous decoy document – an application for Ukrainian citizens to request monetary compensation and fuel discounts – to conceal the malicious operations.
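When the ISO contents are extracted, the first question is what the LNK actually runs. The parser below is an added example for this page, not code from Recorded Future, and it does not reproduce the real sample's command line: the shortcut it parses is constructed inline with the same structure the article describes (a launcher that opens a decoy document and a second file). It reads the Shell Link header and the StringData fields defined in Microsoft's MS-SHLLINK specification (relative path, working directory, arguments, icon location) and applies a heuristic, stated as an assumption, for the launcher-plus-decoy pattern.

```python
import struct

# MS-SHLLINK: ShellLinkHeader CLSID and LinkFlags bits.
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80
# StringData structures follow LinkInfo in this fixed order when their flag is set.
STRING_DATA = (
    (HAS_NAME, "name"),
    (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
)

def parse_lnk(data: bytes) -> dict:
    """Return ShowCommand plus the StringData fields of a .lnk file."""
    if (len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C
            or data[4:20] != LNK_CLSID):
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    fields = {"show_command": struct.unpack_from("<I", data, 60)[0]}
    off = 76                                   # end of the fixed-size header
    if flags & HAS_LINK_TARGET_ID_LIST:        # IDListSize (2 bytes) + IDList
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:                  # LinkInfoSize (4 bytes) includes itself
        off += struct.unpack_from("<I", data, off)[0]
    unicode = bool(flags & IS_UNICODE)
    for bit, key in STRING_DATA:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, off)[0]   # CountCharacters, no terminator
        off += 2
        nbytes = count * 2 if unicode else count
        fields[key] = data[off:off + nbytes].decode("utf-16-le" if unicode else "cp1252")
        off += nbytes
    return fields

# Heuristic (an assumption for this example, not a rule from the report): a shortcut
# whose target is a script host or shell, with arguments, run minimized/hidden.
LOLBIN_TARGETS = ("cmd.exe", "powershell", "pwsh", "wscript", "cscript", "mshta",
                  "rundll32", "regsvr32", "certutil", "msiexec")
SW_SHOWMINNOACTIVE = 7

def is_suspicious(fields: dict) -> bool:
    target = (fields.get("relative_path", "") + " " + fields.get("arguments", "")).lower()
    if not any(t in target for t in LOLBIN_TARGETS):
        return False
    hidden = fields.get("show_command") == SW_SHOWMINNOACTIVE
    return bool(fields.get("arguments")) or hidden

def _utf16(s: str) -> bytes:
    """One StringData entry: CountCharacters followed by UTF-16LE text."""
    return struct.pack("<H", len(s)) + s.encode("utf-16-le")

def build_sample_lnk() -> bytes:
    """Constructed sample only: opens a decoy document, then a second file."""
    flags = (HAS_LINK_TARGET_ID_LIST | HAS_RELATIVE_PATH | HAS_WORKING_DIR
             | HAS_ARGUMENTS | HAS_ICON_LOCATION | IS_UNICODE)
    # HeaderSize, CLSID, LinkFlags, FileAttributes, 3 FILETIMEs, FileSize,
    # IconIndex, ShowCommand, HotKey, Reserved1-3.
    header = struct.pack("<I16sIIQQQIiIHHII", 0x4C, LNK_CLSID, flags, 0x20,
                         0, 0, 0, 0, 0, SW_SHOWMINNOACTIVE, 0, 0, 0, 0)
    id_list = struct.pack("<H", 2) + b"\x00\x00"   # IDListSize + TerminalID only
    return (header + id_list
            + _utf16("..\\..\\..\\Windows\\System32\\cmd.exe")
            + _utf16(".")
            + _utf16("/c start decoy.docx && start /b loader.exe")
            + _utf16("%SystemRoot%\\System32\\shell32.dll"))

if __name__ == "__main__":
    parsed = parse_lnk(build_sample_lnk())
    print(parsed, "suspicious:", is_suspicious(parsed))
```

The parser skips the LinkTargetIDList and LinkInfo blocks by their declared sizes rather than decoding them, which is enough to reach the command line; for a full picture of the target (the ID list often holds the absolute path even when RelativePath is misleading) and the ExtraData blocks that follow StringData, use a complete implementation such as LECmd or pylnk.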