- Youtube channel (UA): https://www.youtube.com/channel/UCqquOw2m2QF_EjcyxVwIYyQ
Saturday 1 October 2022
"Analysis of cyberweapons" course
- Youtube channel (UA): https://www.youtube.com/channel/UCqquOw2m2QF_EjcyxVwIYyQ
Monday 4 April 2022
Russian SaintBear Group Attacked Ukrainian Government Agencies Using GraphSteel & GrimPlant malware
Summary
Name: ‘Заборгованість по зарплаті.xls’ (Ukrainian for ‘Wage arrears.xls’)
Discovered in March 2022
Was used in attacks against Ukrainian government agencies
Used to download GraphSteel and GrimPlant (a.k.a. Elephant) malware
Spreads via phishing emails as a ‘.xls’ file carrying a malicious Visual Basic (VBA) macro
The ‘.xls’ file contains the encoded payload
The extracted file is a PE64 executable written in Golang; it downloads one file from a remote server
The downloaded file is also a PE64 executable written in Golang. It downloads the GraphSteel and GrimPlant malware.
The attack has been attributed to UAC-0056, also known as SaintBear, UNC2589 and TA471, a group known to have attacked Ukraine and Georgia since 2021.
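A triage routine for the chain described above (encoded payload embedded in the macro, dropped file a PE64 written in Go). This is an added example, not code from the original analysis and not related to the malware's own code: the macro text and the embedded executable are constructed stand-ins with only enough header bytes to exercise the checks. It carves base64 blobs out of macro text, keeps those that decode to an MZ header, reads the COFF Machine field to tell PE32 (0x014C) from PE64 (0x8664), and looks for the "Go build ID:" and ".gopclntab" markers the Go linker leaves in every Go binary. The same Machine check is what separates a PE32 sample such as CaddyWiper from the PE64 ones listed on this page.

```python
import base64
import re
import struct

IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_MACHINE_AMD64 = 0x8664

# Strings the Go linker embeds in every Go-built binary.
GO_MARKERS = (b"Go build ID:", b".gopclntab")

# Runs of base64 alphabet long enough to be a payload rather than an identifier.
B64_RE = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")


def build_fake_pe(machine: int, marker: bytes) -> bytes:
    """Constructed stand-in for a dropped executable: MZ stub, PE signature,
    a COFF header with the requested Machine value, and an optional marker.
    It is NOT a loadable image, only enough header to be classified."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew -> PE header at 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, 0, 0)
    return bytes(dos) + coff + b"\0" * 16 + marker + b"\0" * 16


def classify_pe(data: bytes) -> dict:
    """Return the image format (PE32/PE64) and whether Go linker markers are present."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if len(data) < e_lfanew + 24 or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    machine = struct.unpack_from("<H", data, e_lfanew + 4)[0]
    fmt = {IMAGE_FILE_MACHINE_I386: "PE32",
           IMAGE_FILE_MACHINE_AMD64: "PE64"}.get(machine, f"unknown(0x{machine:04x})")
    return {"format": fmt, "golang": any(m in data for m in GO_MARKERS)}


def carve_encoded_payloads(vba_text: bytes) -> list:
    """Decode every long base64 run in the macro text and keep the ones that are PE files."""
    payloads = []
    for m in B64_RE.finditer(vba_text):
        try:
            blob = base64.b64decode(m.group(0), validate=True)
        except ValueError:            # binascii.Error is a ValueError subclass
            continue
        if blob[:2] == b"MZ":
            payloads.append(blob)
    return payloads


def triage_macro(vba_text: bytes) -> list:
    """One dict per embedded executable found in the macro."""
    return [classify_pe(p) for p in carve_encoded_payloads(vba_text)]


# Constructed macro text (not the real sample): one VBA string holding a
# base64-encoded PE64 stand-in that carries a Go build ID marker.
SAMPLE_VBA = (
    b'Sub Auto_Open()\r\n'
    b'    Dim s As String\r\n'
    b'    s = "' + base64.b64encode(build_fake_pe(IMAGE_FILE_MACHINE_AMD64,
                                                  b'Go build ID: "constructed"')) + b'"\r\n'
    b'    Call Drop(s)\r\n'
    b'End Sub\r\n'
)

if __name__ == "__main__":
    for hit in triage_macro(SAMPLE_VBA):
        print(hit)   # {'format': 'PE64', 'golang': True}
```

Real macros rarely hand over the blob this cleanly: the string is usually split across `& _` line continuations or spread over worksheet cells, so join the fragments (or dump them with a macro extractor) before running the carver, and treat a Machine value other than 0x014C/0x8664 as a reason to look at the file by hand rather than as a negative.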
Thursday 17 March 2022
Analysis of CaddyWiper
Summary
Name: CaddyWiper
Discovered in March 2022
Was used in a targeted attack in Ukraine
Deployed via a Microsoft Active Directory Group Policy Object (GPO)
Corrupts files and disk partitions
PE32 sample written in C++
Compiled on the same day it was deployed on the targeted systems in Ukraine
Wednesday 26 January 2022
Analysis of WhisperGate
Summary of the attack
Name: WhisperGate
Discovered in January 2022
Used in a targeted attack against Ukrainian government websites on 14 January 2022
Overwrites the contents of files with a fixed number of bytes
Overwrites the MBR, corrupts victims’ files, and downloads and drops its own files
Corrupted files are given a random 4-byte extension
Comes in two stages: a PE64 executable written in C++ and a .NET application with fake digital signatures
The third stage is a .NET DLL, which is downloaded at runtime