Tuesday 2 May 2017

Targeted attack against the Ukrainian military

One more targeted attack against Ukraine that used spear phishing to deliver the DarkTrack backdoor through a fake prescription of the Minister of Defense of Ukraine. The target is CERT in the military domain.




The letter forces a receiver to download the prescription by the link until April 13, 2017.

The domain 'fex.net' in the link has been actively used to distribute malware:


The downloaded file 'розпорядження Полторак.docx.exe' is an obfuscated .NET application (MD5: 01fb11b245a6a2525da77aebd2879dcf). It copies itself as:
  • c:\Documents and Settings\<USER>\Templates\winlogon.exe
And drops the clean Word document:
  • c:\Documents and Settings\<USER>\Local Settings\Temp\Docum.doc (MD5: b77f006667dd0a68de9c8ea30f2c80fe)
First, it executes 'C:\WINDOWS\system32\svchost.exe' and injects the Darktrack in the 'svchost.exe' process.

Then, it opens clean 'Docum.doc' to take a user's attention away.
The following message is shown on execution:


Then, it opens the embedded document:


The malicious process injects the backdoor's code into the system 'svchost.exe': 




The backdoor is the Darktrack remote administration tool.

The client connects to the C&C's 1515 port.


The Darktrack client uses the proxy service 'hopto.org' to connect to the attacker's C&C.
gordon6.hopto.org has been resolved to the following IPs:

95.46.151.68
62.76.106.236
92.38.37.15 

All of the IPs are located at one place in Russia.



Network IoCs:


gordon6.hopto.org
fex.net
95.46.151.68
62.76.106.236
92.38.37.15 

No comments:

Post a Comment