Suspected UNC1151 Attacks as Ukraine Conflict Continues
April 1, 2022
Topics
- phishing campaign
- nationstate
UNC1151 is a suspected state-sponsored hacking group with an Eastern European background. Its first known activity was linked to the Ghostwriter attacks reported by Mandiant in 2020. The "Ghostwriter" campaign, which began around March 2017, targeted countries such as Lithuania, Latvia and Poland: the attackers spread anti-NATO content, often from fake email accounts, including forged letters from military officials.
In February 2022, following the outbreak of the Russian-Ukrainian conflict, the Ukrainian Computer Emergency Response Team (CERT-UA) and the State Agency for Special Communications and Information Protection of Ukraine (SSCIP Ukraine) issued an alert about extensive phishing campaigns by UNC1151 targeting the private email accounts of members of the Ukrainian armed forces.
A sample file related to this incident was obtained by CERT-UA. It was named довідка.zip ("довідка" means "certificate" in Ukrainian), and inside the compressed package is dovidka.chm. The full name of chm is Compiled Help Manual, Microsoft's newer-generation help file format: the help content is written as HTML, then compiled and stored in a database-like form, saved in a compressed HTML format. When a user double-clicks such a file, Windows by default opens it with Microsoft's HTML Help viewer and displays the content.
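The delivery pattern described above (a zip attachment carrying a .chm) is easy to triage at the mail gateway or in an analyst script. The following Python example is added here and is not code from the original post or from CERT-UA: it opens a zip archive in memory, flags members by .chm extension and by the ITSF signature that every Compiled HTML Help file begins with (so a renamed .chm is still caught), and compares each member's MD5 with the file indicators listed on this page. The sample archive is constructed for the example; its "CHM" members contain only a fake ITSF header plus padding, not a real help file.

```python
import hashlib
import io
import zipfile

# Every Compiled HTML Help (.chm) file starts with the ITSF signature.
CHM_MAGIC = b"ITSF"

# MD5 values copied from the file indicators listed on this page.
KNOWN_BAD_MD5 = {
    "62b8db1d541775fba717fc76b2e89353",
    "308a239e5ae12e15d21dccb98a490e31",
    "d7e5b7119f8b17a4aa4a3544eceaf8c4",
    "75ca758eb0429fbcdb78d76566ad2ae7",
    "cc859282c0541d0d1feb37c7d7a2a4cf",
    "f6b96b7f0dad624a60b02abe068de7bd",
    "023a858bd0fe922a7275653206ea2d17",
    "98905083d8e1701731f998bcde4cea58",
}


def inspect_archive(zip_bytes):
    """Examine every member of a zip attachment held in memory.

    Returns one dict per file member with its name, size, MD5 and the list
    of reasons it was flagged (an empty list means nothing suspicious).
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            data = archive.read(info)
            md5 = hashlib.md5(data).hexdigest()
            reasons = []
            # Extension check: help files rarely have a reason to arrive by e-mail.
            if info.filename.lower().endswith(".chm"):
                reasons.append("chm-extension")
            # Content check: catches a .chm that was renamed to hide its type.
            if data[:4] == CHM_MAGIC:
                reasons.append("chm-magic")
            # Hash check against the published indicators.
            if md5 in KNOWN_BAD_MD5:
                reasons.append("known-bad-md5")
            findings.append(
                {"name": info.filename, "size": len(data), "md5": md5, "reasons": reasons}
            )
    return findings


def flagged_members(findings):
    """Names of members that triggered at least one check."""
    return [f["name"] for f in findings if f["reasons"]]


def build_sample_zip():
    """Constructed sample archive mimicking the довідка.zip / dovidka.chm layout.

    The 'CHM' members carry only a fake ITSF header plus padding, not a real help file.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        archive.writestr("dovidka.chm", CHM_MAGIC + b"\x03\x00\x00\x00" + b"\x00" * 60)
        archive.writestr("readme.txt", b"plain text, nothing to see")
        # Same fake header under a harmless-looking name: only the magic check catches it.
        archive.writestr("info.dat", CHM_MAGIC + b"\x03\x00\x00\x00" + b"\x00" * 60)
    return buf.getvalue()


if __name__ == "__main__":
    for finding in inspect_archive(build_sample_zip()):
        print(finding["name"], finding["md5"], finding["reasons"])
```

Hash matching only catches the exact samples already published, so the extension and magic checks carry most of the weight in practice; a gateway policy that quarantines any archive member with the ITSF signature does not depend on the attacker reusing a known file.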
The file.htm inside the package was found to contain two pieces of code: a JavaScript snippet used to display the decoy content, and disguised VBScript that ultimately executes the MicroBackdoor malware. The malware's capabilities include conventional remote-control functions such as collecting local system information, executing programs, spawning reverse shells, and uploading and downloading files.
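Because the VBScript is launched from within the help file, the telltale in endpoint telemetry is the HTML Help viewer (hh.exe on Windows) becoming the parent of a script host or shell. The following Python example is added here and is not from the original post: it parses constructed Sysmon-style process-creation lines (key=value fields; the timestamps, paths and command lines are all made up for the example) and raises an alert whenever hh.exe spawns one of the interpreters listed in SCRIPT_HOSTS.

```python
import ntpath
import re

# Windows opens .chm files with the HTML Help viewer, hh.exe.
HELP_VIEWER = "hh.exe"

# Interpreters and shells a help file has no legitimate reason to launch.
SCRIPT_HOSTS = {
    "wscript.exe", "cscript.exe", "cmd.exe", "powershell.exe", "mshta.exe", "rundll32.exe",
}

# Constructed Sysmon-style process-creation records, one event per line.
# Paths, times and command lines are invented for this example.
SAMPLE_EVENTS = r"""
Time=2022-03-01T09:14:02 ParentImage=C:\Windows\explorer.exe Image=C:\Windows\hh.exe CommandLine=hh.exe C:\Users\u\Downloads\dovidka.chm
Time=2022-03-01T09:14:03 ParentImage=C:\Windows\hh.exe Image=C:\Windows\System32\wscript.exe CommandLine=wscript.exe C:\Users\u\AppData\Local\Temp\stage.vbs
Time=2022-03-01T09:14:05 ParentImage=C:\Windows\explorer.exe Image=C:\Windows\System32\notepad.exe CommandLine=notepad.exe
Time=2022-03-01T09:14:07 ParentImage=C:\Windows\hh.exe Image=C:\Windows\System32\cmd.exe CommandLine=cmd.exe /c whoami
Time=2022-03-01T09:14:09 ParentImage=C:\Windows\explorer.exe Image=C:\Windows\System32\wscript.exe CommandLine=wscript.exe logon.vbs
"""

# key=value pairs; a value runs until the next " key=" token or end of line,
# so command lines containing spaces survive intact.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_event(line):
    """Turn one key=value record into a dict."""
    return {key: value for key, value in FIELD_RE.findall(line)}


def detect_help_viewer_spawns(log_text):
    """Return alerts for every event where hh.exe is the parent of a script host."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_event(line)
        # ntpath handles Windows separators regardless of the analysis host's OS.
        parent = ntpath.basename(event.get("ParentImage", "")).lower()
        child = ntpath.basename(event.get("Image", "")).lower()
        if parent == HELP_VIEWER and child in SCRIPT_HOSTS:
            alerts.append(
                {
                    "time": event.get("Time", ""),
                    "child": child,
                    "cmdline": event.get("CommandLine", ""),
                }
            )
    return alerts


if __name__ == "__main__":
    for alert in detect_help_viewer_spawns(SAMPLE_EVENTS):
        print(f"{alert['time']} hh.exe -> {alert['child']}: {alert['cmdline']}")
```

The rule fires twice on the sample: the wscript.exe and cmd.exe children of hh.exe. The explorer.exe-launched wscript.exe at the end is deliberately left alone, since the detection keys on the parent-child relation rather than on the script host itself; that keeps the rule quiet on ordinary logon scripts while still catching a payload dropped by a help file.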
With the situation between Ukraine and Russia ongoing, we can be sure there will be an increase in attacks by APT groups using news or issues around the Ukraine-Russia situation as bait for their targets. Some steps your organization can take to minimize attacks from this group are:
Files
MD5
- 62b8db1d541775fba717fc76b2e89353
- 308a239e5ae12e15d21dccb98a490e31
- d7e5b7119f8b17a4aa4a3544eceaf8c4
- 75ca758eb0429fbcdb78d76566ad2ae7
- cc859282c0541d0d1feb37c7d7a2a4cf
- f6b96b7f0dad624a60b02abe068de7bd
- 023a858bd0fe922a7275653206ea2d17
- 98905083d8e1701731f998bcde4cea58
Network Indicators
Reference link