VB2017: Battlefield Ukraine

This summer, Ukraine unwillingly became the battlefield of the hacker group(s) with the supposedly Russian roots and the antivirus industry. This is not the first time when Ukraine attracts attention of cyber security experts. Suffice it to recall in this regard the several waves of cyber attacks against critical infrastructure of Ukraine using the BlackEnergy [1] and Industroyer [2,3] industrial malware supposedly created by a Russian hacker group.

This summer, we noticed the supply-chain attack through the popular in Ukraine M.E.Doc accounting software ended with the splash of NotPetya ransomware-wiper [4]. During the M.E.Doc campaign, we discovered the attacks run with the help of several specially crafted ransomware: XData (AES-NI clone) [5], WannaCry.NET (WannaCry clone) [6], and NotPetya (Petya&Misha&WannaCry clone). It is worth mentioning, that the first notable infection through the trojanized MEDoc [7] with XData ransomware happened in the middle of May - more than a month before NotPetya was launched.

Now, we are seeing another ongoing campaign against Ukrainian organizations that follows the similar scenario. First, the attackers hacked the web server of the Ukrainian producer of another accounting software [8], to upload Chthonic (Zeus-based) backdoor seen in June in the nation-state attack against Ukrainian government institution [9] and PSCrypt-2 - a clone of GlobeImposter (Globe-based) ransomware [10]. Then, they spearphished the targets to make them download and install one of these options.

We continue working with the victims to find out more information about the attack vectors.

In the talk, we’ll show the timeline and highlight the patterns behind these attacks in:

• The attack vectors
• The types of used malware in the context of previous nation-state attacks
• Ransomware design style
• C&C domains
• Peculiarities in the language use

Finally, we’ll end up with our hypotheses supposing who stays behind the summer attacks in Ukraine.

UPD: The slides from VB2017 are available by the link: https://goo.gl/fKR9hK

[1] https://securelist.com/blackenergy-apt-attacks-in-ukraine-employ-spearphishing-with-word-documents/73440/

[2] https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf

[3] https://dragos.com/blog/crashoverride/CrashOverride-01.pdf

[4] https://nioguard.blogspot.com/2017/06/eternalpetya-ransomware-analysis.html

[5] https://nioguard.blogspot.com/2017/06/xdata-ransomware-attacked-users-in.html

[6] https://nioguard.blogspot.com/2017/06/one-more-attack-to-ukraine-via-medoc.html

[7] https://nioguard.blogspot.com/2017/07/comparing-medoc-backdoors-in-176-186.html

[8] https://bartblaze.blogspot.com/2017/08/crystal-finance-millennium-used-to.html

[9] https://nioguard.blogspot.com/2017/06/chthonic-trojan-is-back-in-nation-state.html

[10] https://www.bleepingcomputer.com/news/security/before-notpetya-there-was-another-ransomware-that-targeted-ukraine-last-week/