Monday 4 April 2022

Russian SaintBear Group Attacked Ukrainian Government Agencies Using GraphSteel & GrimPlant malware



  • Name: ‘Заборгованість по зарплаті.xls’

  • Discovered in March 2022

  • Was used in attacks against Ukrainian government agencies

  • Used to download GraphSteel and GrimPlant (a.k.a. Elephant) malware

  • Spreads via phishing emails as ‘.xls’ file with malicious VisualBasic script

  • ‘.xls’ file contains the encoded payload

  • Extracted file has PE64 format and written in Golang, downloads one file from the remote server

  • The downloaded file is PE64 and written in Golang. It downloads GraphSteel and GrimPlant malware.

  • The attack has been attributed to UAC-0056 also known as SaintBear, UNC2589, and TA471 which is known to attack Ukraine and Georgia since 2021. 


On the 28th of March 2022, the Ukrainian agency CERT-UA published an article with information about the new malware that was used to attack government state agencies. This campaign doesn’t match with any previous attacks since Russia invaded Ukraine. Two threats called GraphSteel and GrimPland, linked to the UAC-0056 group, come to the victim’s machines via email attachments. The messages contain ‘Заборгованість по зарплаті.xls’(eng:’Salary arrears’) file, that will execute a malicious Visual Basic script as soon as the victim will open this file. This script will extract a PE64 file which will download GraphSteel and GrimPlant (a.k.a. Elephant ) malware.

Technical Details


At first sight, the spreadsheet contains valid data with the amount of salaries arrears in the Ukrainian regions on ‘21.02.2022’. It contains multiple sheets that can be edited because the file is not protected with the password (which is often used in malicious documents). 

We can take a quick look if the file contains any macros with the ‘olevba’ tool.

The script contains ‘’ and ‘’ URLs, but during execution, it doesn't connect to them, they are stored in comments.

This site is a service for selling VBA scripts.

It has some free solutions, one of them is a file loader and file extractor from the workbook and it completely matches with the script, which was used to unpack the malware downloader, even comments were not deleted. This approach looks like this attack wasn’t prepared in advance, but was carried out quickly.

Malicious VisualBasic script execution

Once a victim opens a workbook, the VisualBasic script will be executed. This script can be obtained in an easy way, just open the VBA panel in Microsoft Excel. One of the sheets contains an encoded payload in “AB37” range.

To extract the payload script contains the ‘SaveAs()’ function which calls the decoding function and saves the file to the ‘%Temp’ folder. 

The decoding function ‘Range2Text’ extracts data from range, specified in ‘ОбновлениеБазы()’ function.

After the payload is extracted it will be executed.

Besides the file extraction function, this script has functions to load files in the worksheet. The function ‘LoadFileData’ reads the file and converts its data into an array with the ‘FileToArray’ function. Then it obtains the range in the worksheet where it was saved and changes the size of the cell, where it must be saved. This range can be further used in the extraction function.

The code of Base-Update.exe is embedded into the hidden tab.


The decoded file (Base-Update.exe) is a PE64 file written in Golang and known as Elephant Downloader or GoDownloader. It has an invalid Microsoft certificate attached.

Once executed, this file connects to the ‘' IP address in the United States to download and drop another file ‘java-sdk.exe’ in the ‘C:\Users\User\.java-sdk’ folder. 

Dropped file is also a PE64 file and written in Golang, but it doesn’t have any digital signatures. It is a Trojan-Downloader too.

This executable establishes a connection to the remote servers and starts downloading GraphSteel and GrimPlant malware.


The Ukrainian government has become a major target since Russia invaded Ukraine. This time malicious software comes via email attachments with the ‘.xls’ file. This file contains the VisualBasic script, which was copied from the website with open-source VB scripts. The borrowed script decodes the payload (PE64) saved inside the workbook. The dropped file downloads the trojan-downloader that downloads two more files: GraphSteel and GrimPlant malware.



File name



Заборгованість по зарплаті.xls


Email attachment













Network indicators







MITRE attack techniques




No comments:

Post a Comment