Saturday 1 October 2022

"Analysis of cyberweapons" course


I got requests from my colleagues from US and EU universities to come up with the "Analysis of cyberweapons" course in English. In the first video, I start the series devoted to the analysis of the Russian cyberweapons used in the Russia-Ukraine war.

The lessons will be published on my Patreon (https://www.patreon.com/alexanderadamov) and YouTube channel (https://www.youtube.com/c/MalwareResearchAcademy).

For Ukrainians:

Monday 4 April 2022

Russian SaintBear Group Attacked Ukrainian Government Agencies Using GraphSteel & GrimPlant malware


Summary


  • Name: ‘Заборгованість по зарплаті.xls’ (Ukrainian for ‘Wage arrears.xls’)

  • Discovered in March 2022

  • Was used in attacks against Ukrainian government agencies

  • Used to download GraphSteel and GrimPlant (a.k.a. Elephant) malware

  • Spreads via phishing emails as an ‘.xls’ file carrying a malicious Visual Basic script

  • ‘.xls’ file contains the encoded payload

  • The extracted file is a PE64 executable written in Golang; it downloads one file from a remote server

  • The downloaded file is also a PE64 executable written in Golang; it downloads the GraphSteel and GrimPlant malware

  • The attack has been attributed to UAC-0056, also known as SaintBear, UNC2589, and TA471, a group known to have attacked Ukraine and Georgia since 2021

Thursday 17 March 2022

Analysis of CaddyWiper


Summary


  • Name: CaddyWiper

  • Discovered in March 2022

  • Was used in a targeted attack in Ukraine

  • Deployed via a Microsoft Active Directory Group Policy Object (GPO)

  • Corrupts files and disk partitions

  • PE32 sample written in C++

  • Compiled on the same day it was deployed on the targeted systems in Ukraine

by Denis Popov

Wednesday 26 January 2022

Analysis of WhisperGate


Summary of the attack

  • Name: WhisperGate

  • Discovered in January 2022

  • Used in a targeted attack against Ukrainian government websites on 14 January 2022

  • Overwrites the contents of files with a fixed number of bytes

  • Rewrites the MBR, corrupts victims’ files, and downloads and drops its own files

  • Corrupted files are given a random 4-byte extension

  • Comes in two stages: a PE64 executable written in C++ and a .NET application, both carrying fake digital signatures

  • The third stage is a .NET DLL that is downloaded at runtime

by Denis Popov and Alexander Adamov