Monday 4 April 2022

Russian SaintBear Group Attacked Ukrainian Government Agencies Using GraphSteel & GrimPlant malware

 

Summary


  • Name: ‘Заборгованість по зарплаті.xls’

  • Discovered in March 2022

  • Was used in attacks against Ukrainian government agencies

  • Used to download GraphSteel and GrimPlant (a.k.a. Elephant) malware

  • Spreads via phishing emails as a ‘.xls’ file carrying a malicious Visual Basic script

  • The ‘.xls’ file contains the encoded payload

  • The extracted file is in PE64 format, written in Golang, and downloads one file from a remote server

  • The downloaded file is also PE64 and written in Golang; it downloads the GraphSteel and GrimPlant malware

  • The attack has been attributed to UAC-0056, also known as SaintBear, UNC2589 and TA471, which has been attacking Ukraine and Georgia since 2021

Introduction


On the 28th of March 2022, the Ukrainian agency CERT-UA published an article with information about new malware used to attack government agencies. This campaign does not match any of the previous attacks seen since Russia invaded Ukraine. Two threats, GraphSteel and GrimPlant, linked to the UAC-0056 group, reach the victim’s machine via email attachments. The messages carry a ‘Заборгованість по зарплаті.xls’ (eng: ‘Salary arrears’) file that executes a malicious Visual Basic script as soon as the victim opens it. This script extracts a PE64 file, which in turn downloads the GraphSteel and GrimPlant (a.k.a. Elephant) malware.


Technical Details

Overview

At first sight, the spreadsheet contains valid data: the amount of salary arrears in the Ukrainian regions as of ‘21.02.2022’. It contains multiple sheets that can be edited, because the file is not password-protected (password protection is a technique often used in malicious documents).


We can quickly check whether the file contains any macros with the ‘olevba’ tool.



The script contains the ‘http://ExcelVBA.ru/’ and ‘http://ExcelVBA.ru/payments’ URLs, but it does not connect to them during execution; they are only stored in comments.



This site is a service for selling VBA scripts.



It offers some free solutions, one of which is a file loader and file extractor for the workbook. It matches the script used to unpack the malware downloader completely; even the comments were left in place. This suggests the attack was not prepared in advance but carried out quickly.

Malicious VisualBasic script execution

Once a victim opens the workbook, the Visual Basic script is executed. The script can be obtained easily: just open the VBA panel in Microsoft Excel. One of the sheets contains an encoded payload in the ‘AB37’ range.



To extract the payload, the script contains the ‘SaveAs()’ function, which calls the decoding function and saves the file to the ‘%Temp%’ folder.



The decoding function ‘Range2Text’ extracts the data from the range specified in the ‘ОбновлениеБазы()’ function.



After the payload has been extracted, it is executed.



Besides the file extraction function, this script has functions for loading files into the worksheet. The function ‘LoadFileData’ reads a file and converts its contents into an array with the ‘FileToArray’ function. It then obtains the range in the worksheet where the data is to be saved and resizes the cells accordingly. This range can later be used by the extraction function.



The code of Base-Update.exe is embedded in a hidden tab.
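The workbook-as-container trick described above (payload text spread over a cell range, reassembled and decoded by ‘Range2Text’) is what an analyst has to reverse when triaging such a file. The following Python script is an added example, not code from the post or from ExcelVBA.ru: it takes the cell strings already dumped from the sheet (for instance with olevba or oledump) and tries to recover an embedded executable from them. The post does not state which text encoding the script uses, so the example assumes hex and also tries Base64, which goes beyond the page; the cell contents and the ‘FAKE_PE’ blob are constructed, not the real Base-Update.exe.

```python
import base64
import binascii
import hashlib
import re

# Constructed sample "executable": only the 'MZ' header is realistic.
# It stands in for the real Base-Update.exe so the example runs offline.
FAKE_PE = b"MZ" + b"\x90" * 62 + b"constructed payload for demonstration only"


def chunk(text, size):
    """Split text into fixed-size pieces, mimicking one worksheet cell per piece."""
    return [text[i:i + size] for i in range(0, len(text), size)]


# Assumed cell contents: the post does not say how Range2Text encodes the
# payload, so hex is used here purely to have something realistic to decode.
SAMPLE_CELLS = chunk(FAKE_PE.hex(), 16)

# Decoders tried in order; extend this if a workbook uses another text encoding.
DECODERS = {
    "hex": binascii.unhexlify,
    "base64": lambda s: base64.b64decode(s, validate=True),
}


def recover_payload(cells):
    """Concatenate the cell text (cells listed top to bottom) and try each decoder.

    Returns (encoding, data) when the decoded bytes start with the PE 'MZ'
    signature, otherwise None.
    """
    joined = re.sub(r"\s+", "", "".join(c for c in cells if c))
    for name, decode in DECODERS.items():
        try:
            data = decode(joined)
        except (ValueError, binascii.Error):
            continue  # not this encoding, try the next one
        if data[:2] == b"MZ":
            return name, data
    return None


def triage(cells):
    """Summarise the finding so the hash can be compared with published IoCs."""
    found = recover_payload(cells)
    if found is None:
        return {"embedded_pe": False}
    encoding, data = found
    return {
        "embedded_pe": True,
        "encoding": encoding,
        "size": len(data),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_CELLS))
```

Running the script on the constructed cells reports an embedded PE recovered from hex, together with its SHA256, which is the value you would compare with the file hashes in the IoC section.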


Payload

The decoded file (Base-Update.exe) is a PE64 file written in Golang, known as Elephant Downloader or GoDownloader. It has an invalid Microsoft certificate attached.



Once executed, this file connects to the IP address ‘194.31.98.124:443’ in the United States to download and drop another file, ‘java-sdk.exe’, into the ‘C:\Users\User\.java-sdk’ folder.



The dropped file is also a PE64 file written in Golang, but it has no digital signature. It is a Trojan-Downloader too.
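Both downloaders are described by three header-level properties: PE64, Golang, and whether a certificate is attached (invalid on Base-Update.exe, absent on java-sdk.exe). The Python script below is an added example, not part of the post, showing how to pull those properties straight from the PE headers without running the sample: it reads the DOS header, the COFF ‘Machine’ field, the optional-header magic (PE32+ means 64-bit) and the security data directory, and looks for the ‘Go build ID’ marker that Go binaries carry. The ‘build_minimal_pe’ helper only fabricates header-only test images so the script runs offline; they are constructed data, not the samples from the post. A non-empty security directory only proves that a certificate blob is attached, not that it is valid; validity needs a full Authenticode check with a tool such as osslsigncode or signtool.

```python
import struct

MACHINE_AMD64 = 0x8664   # IMAGE_FILE_MACHINE_AMD64
MACHINE_I386 = 0x014C    # IMAGE_FILE_MACHINE_I386
PE32_MAGIC = 0x10B       # 32-bit optional header
PE32PLUS_MAGIC = 0x20B   # 64-bit optional header (PE32+)
DIR_SECURITY = 4         # IMAGE_DIRECTORY_ENTRY_SECURITY (Authenticode)
GO_MARKERS = (b"Go build ID:", b"go.buildid")  # heuristic for Go binaries


def inspect_pe(data):
    """Return header facts: bitness, machine, certificate presence, Go marker."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    # COFF file header directly follows the 4-byte signature
    machine, _nsec, _ts, _sym, _nsym, _opt_size, _chars = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    opt_off = e_lfanew + 24
    (magic,) = struct.unpack_from("<H", data, opt_off)
    if magic == PE32PLUS_MAGIC:
        dir_base, bits = 112, 64   # data directories start at 0x70 in PE32+
    elif magic == PE32_MAGIC:
        dir_base, bits = 96, 32    # and at 0x60 in PE32
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    (n_dirs,) = struct.unpack_from("<I", data, opt_off + dir_base - 4)
    sec_size = 0
    if n_dirs > DIR_SECURITY:
        _sec_off, sec_size = struct.unpack_from(
            "<II", data, opt_off + dir_base + 8 * DIR_SECURITY)
    return {
        "bits": bits,
        "machine": machine,
        "is_x64": bits == 64 and machine == MACHINE_AMD64,
        # presence only; validity requires real Authenticode verification
        "has_authenticode": sec_size > 0,
        "looks_like_go": any(m in data for m in GO_MARKERS),
    }


def build_minimal_pe(machine, magic, signed, go_marker):
    """Constructed header-only image for testing (not an executable program)."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt_size = 240 if magic == PE32PLUS_MAGIC else 224
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, 0x22)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, magic)
    dir_base = 112 if magic == PE32PLUS_MAGIC else 96
    struct.pack_into("<I", opt, dir_base - 4, 16)  # NumberOfRvaAndSizes
    if signed:
        # security directory: file offset and size of a WIN_CERTIFICATE blob
        struct.pack_into("<II", opt, dir_base + 8 * DIR_SECURITY, 0x1000, 0x800)
    tail = b'Go build ID: "constructed"' if go_marker else b""
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + tail


if __name__ == "__main__":
    # Stand-ins for the two downloaders: a 64-bit Go image with a certificate
    # blob attached, and one without any signature.
    for label, signed in (("signed x64 Go image", True), ("unsigned x64 Go image", False)):
        print(label, inspect_pe(build_minimal_pe(MACHINE_AMD64, PE32PLUS_MAGIC, signed, True)))
```

On a real sample, replace the constructed image with the file bytes read from disk; the ‘is_x64’, ‘has_authenticode’ and ‘looks_like_go’ fields give the same three facts the post reports for Base-Update.exe and java-sdk.exe.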



This executable establishes a connection to the remote servers and starts downloading GraphSteel and GrimPlant malware.




Conclusion

The Ukrainian government has become a major target since Russia invaded Ukraine. This time the malicious software arrives as an email attachment: a ‘.xls’ file containing a Visual Basic script copied from a website that offers open-source VB scripts. The borrowed script decodes the payload (PE64) stored inside the workbook. The dropped file downloads a trojan-downloader, which in turn downloads two more files: the GraphSteel and GrimPlant malware.


IoCs

Files


File name | SHA256 | Description
Заборгованість по зарплаті.xls | c1afb561cd5363ac5826ce7a72f0055b400b86bd7524da43474c94bc480d7eff | Email attachment
Base-Update.exe | 9e9fa8b3b0a59762b429853a36674608df1fa7d7f7140c8fccd7c1946070995a | GoDownloader
java-sdk.exe | 8ffe7f2eeb0cbfbe158b77bbff3e0055d2ef7138f481b4fac8ade6bfb9b2b0a1 | GoDownloader
oracle-java.exe | 99a2b79a4231806d4979aa017ff7e8b804d32bfe9dcc0958d403dfe06bdd0532 | GrimPlant
microsoft-cortana.exe | c83d8b36402639ea3f1ad5d48edc1a22005923aee1c1826afabe27cb3989baa3 | GraphSteel


Network indicators


Indicator

  • https://194[.]31.98.124:443/i

  • https://194[.]31.98.124:443/p

  • https://194[.]31.98.124:443/m

  • ws://194[.]31.98.124:443/c

  • 194[.]31.98.124
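The network indicators above are printed defanged (‘[.]’), and they mix three shapes: HTTPS URLs with distinct paths, a WebSocket URL, and a bare IP. The Python script below is an added example, not part of the post, showing how to turn that list into a matcher and run it over proxy-style log lines: it refangs each indicator, compares URLs on scheme, host, port and path, and matches the bare IP against the destination field regardless of port. The log lines and their key=value format are constructed for the example; only the indicators come from the post.

```python
import re
from urllib.parse import urlsplit

# Indicators exactly as published in the post (defanged)
DEFANGED_IOCS = [
    "https://194[.]31.98.124:443/i",
    "https://194[.]31.98.124:443/p",
    "https://194[.]31.98.124:443/m",
    "ws://194[.]31.98.124:443/c",
    "194[.]31.98.124",
]


def refang(ioc):
    """Turn the defanged report form back into a value that appears in logs."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


def url_key(url):
    """Normalise a URL to (scheme, host, port, path) so default ports compare equal."""
    p = urlsplit(url)
    port = p.port or {"https": 443, "wss": 443}.get(p.scheme, 80)
    return (p.scheme, p.hostname, port, p.path or "/")


class IocMatcher:
    def __init__(self, iocs):
        self.ips, self.urls = set(), set()
        for ioc in map(refang, iocs):
            if "://" in ioc:
                self.urls.add(url_key(ioc))
            else:
                self.ips.add(ioc)

    def check(self, fields):
        """Return (kind, value) hits for one parsed log record."""
        hits = []
        if fields.get("dst") in self.ips:
            hits.append(("ip", fields["dst"]))
        url = fields.get("url")
        if url and url_key(url) in self.urls:
            hits.append(("url", url))
        return hits


_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Parse a constructed key=value proxy log line into a dict."""
    return {k: v.strip('"') for k, v in _KV.findall(line)}


# Constructed log excerpt: two beaconing lines, one benign line, and one line
# to the same host on an unexpected port (caught by the IP indicator only).
SAMPLE_LOG = """\
2022-03-28T10:15:02Z src=10.0.0.5 dst=194.31.98.124 dport=443 url=https://194.31.98.124:443/i
2022-03-28T10:15:04Z src=10.0.0.5 dst=194.31.98.124 dport=443 url=ws://194.31.98.124:443/c
2022-03-28T10:16:10Z src=10.0.0.7 dst=93.184.216.34 dport=443 url=https://example.com/
2022-03-28T10:17:00Z src=10.0.0.9 dst=194.31.98.124 dport=8080 url=http://194.31.98.124:8080/other
"""


def scan(log_text, iocs=DEFANGED_IOCS):
    """Return (line_number, kind, value) for every indicator hit in the log."""
    matcher = IocMatcher(iocs)
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        if not line.strip():
            continue
        for kind, value in matcher.check(parse_line(line)):
            findings.append((n, kind, value))
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Matching the bare IP separately from the URLs is deliberate: the post lists the IP on its own, and the fourth constructed line shows why that matters, since traffic to the same host on another port would be missed by URL matching alone.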



MITRE ATT&CK techniques




References

  1. https://cert.gov.ua/article/38374

  2. https://blog.malwarebytes.com/threat-intelligence/2022/04/new-uac-0056-activity-theres-a-go-elephant-in-the-room/
