Phishers Target European Nations Aiding UkrainiansTTPs Used Resemble Those of UNC1151 aka TA445 or Ghostwriter
A phishing campaign, likely carried out by a state-sponsored threat actor, is targeting European government personnel who are aiding Ukrainian refugees. The techniques, tactics and procedures used in the campaign resemble those of TA445, aka UNC1151 or Ghostwriter, according to cybersecurity researchers.
On Feb. 25 the Ukrainian Computer Emergency Response Team - or CERT-UA - issued a warning about the threat actor. The agency, in a Facebook post, says that the UNC115 group consists of officers of the Ministry of Defense of the Republic of Belarus and has targeted people in Ukraine and Poland, as well as Belarus.
The attackers "possibly compromised" email accounts of Ukrainian armed service members to deliver these phishing mails, the researchers at cybersecurity firm Proofpoint say.
The targets, they add, were all associated with European governmental entities, of varied professions, with expertise related to critical sectors. "There was a clear preference for targeting individuals with responsibilities related to transportation, financial and budget allocation, administration, and population movement within Europe," the researchers say.
The Proofpoint researchers, who call this campaign "Asylum Ambuscade," found an email originating from a ukr[.]net email address. The subject of the email is: "IN ACCORDANCE WITH THE DECISION OF THE EMERGENCY MEETING OF THE SECURITY COUNCIL OF UKRAINE DATED 24.02.2022."
This was a timely lure, as the NATO Security Council had, on Feb. 23, discussed a "kill list" targeting Ukrainians, the researchers say. The timeline of the campaign also matches CERT-UA's alert, raising speculation that the threat actor involved in this campaign is the same as the one mentioned by CERT-UA.
The email, like several other campaigns seen in the past from UNC1151, contained a macro-enabled XLS file titled "list of persons.xlsx," which was used to deliver SunSeed malware.
The malware is developed using Lua scripting language. It is a powerful, efficient, lightweight, embeddable scripting language that supports procedural programming, object-oriented programming, functional programming, data-driven programming and data description. Lua is dynamically typed, runs by interpreting bytecode with a register-based virtual machine and has automatic memory management with incremental garbage collection, making it ideal for configuration, scripting and rapid prototyping, and probably best-suited for developing a malware payload too.
A step-by-step process of the campaign is pictured below:
TTPs Overlap With Those of Ghostwriter
Although Proofpoint's researchers have traced the trail of the Asylum Ambuscade campaign to CERT-UA's description of Ghostwriter, they have not established a concrete link between the two.
"Several temporal and anecdotal indicators exist which suggest that this activity aligns with reported campaigns by the threat actor TA445/UNC1151/Ghostwriter. However, Proofpoint has not yet observed concrete technical overlaps which would allow us to definitively attribute this campaign to this actor," the researchers say.
Another reason for not confirming the attribution is that since the beginning of the ongoing hybrid conflict, the pace at which cyber operations are taking place has accelerated. This has "reduced the amount of time that defenders have to answer deeper questions around attribution and historical correlation to known nation-state operators. [But] the possibility of exploiting intelligence around refugee movements in Europe for disinformation purposes is a proven part of Russian and Belarussian-state techniques." the researchers say.
Proofpoint has listed the indicators of compromise in its report, which provides additional information about the IP, files, directory path, URL of the command-and-control server used and YARA signatures to help administrators defend their systems.
Additional Domains Found
CERT-UA, in an earlier post, listed the domains 'i[.]ua-passport[.]space' and 'id[.]bigmir[.]space' as being used in UNC1151's phishing campaign.
But in an analysis of the domains by cybersecurity firm Secureworks, its researchers found additional domains linked to phishing attacks targeting the Ukrainian government and military personnel and Polish-speaking individuals.
"[Our] researchers analyzed the two domains listed in the Facebook post and identified seven additional domains based on WHOIS and passive DNS data. This cluster uses the '.space' top-level domain (TLD) and shares a common registrant 'Apolena Zorka'," Secureworks says in its blog.
The researchers say that this cluster was registered from a Public Domain Registry Ltd. and is primarily hosted behind a Cloudflare infrastructure.
Secureworks also identified another set of domains with similar traits, but this cluster used the "Radka Dominika" registrant and included similar themes. It used Polish words for verification (weryfikacja) and validation (walidacja) in several generic email validation-themed domains, the researchers say.
The following is a list of all 17 domains in order of their date of creation:
The researchers say that an additional domain name, "ron-mil[.]space," has been found spoofing the legitimate domain of the Polish Ministry of National Defense - "ron[.]mil[.]pl".
Secureworks has named the campaign actor "Moonscape" as the additional domains found "aligns with a small set of common themes typical of a MOONSCAPE infrastructure," the researchers say.
Rafe Pilling, senior security researcher at Secureworks' Counter Threat Unit, tells Information Security Media Group that "based on reporting from other vendors [Proofpoint and Mandiant], Moonscape strongly overlaps with, or is the same as, UNC1511/Ghostwriter."
Pilling also tells ISMG that the threat actors' activities are ongoing. "We continue to see Moonscape creating phishing domains, as recently as today, and assess their intelligence collection requirements persist," he says.