US Cyber Command has disclosed 20 new strains of malware among the numerous software nasties and cyberattacks being used against Ukrainian targets over the last few months.
In an alert this week, the Pentagon's cyberspace wing made public indicators of compromise (IOCs) associated with various malware strains that were found in Ukrainian networks by the country's security service.
"Our Ukrainian partners are actively sharing malicious activity they find with us to bolster collective cyber security, just as we are sharing with them," US Cyber Command said in a statement on Wednesday.
The Feds' alert comes as multiple private security researchers this week issued their own threat research related to the Russian invasion.
Meanwhile, we're also told that Cisco Talos' security researchers in March discovered a "fairly uncommon" type of malware targeting a "large software development company" whose software is used by several Ukrainian state organizations.
Talos believes Russian state-sponsored criminals are behind this campaign, which uses a modified version of the GoMet open-source backdoor to gain persistent access to the software firm's networks.
Evacuation lures used as phish bait
Threat intel firm Mandiant, which is being acquired by Google, published research detailing network intrusion attempts by cyberespionage gangs connected to the Belarusian government and the Kremlin.
These campaigns targeted Ukrainian organizations in February and March, and used phony public safety documents as lures to get intended victims to open spear phishing attachments.
Mandiant's latest research on state-sponsored cyberspies provides threat intel on two criminal groups. The first, which it tracks as UNC1151, it links to the Belarusian government, with the caveat: "We cannot rule out Russian contributions to either UNC1151 or Ghostwriter activities." This gang also provides technical support to the pro-Russian Ghostwriter group for its information operations campaigns.
Since the war began, UNC1151 has targeted Ukrainian and Polish organizations, and its most recent attempts use a modified version of MicroBackdoor and a lure that translates to: "What to do? During artillery shelling by volley fire systems" to spy on victims in Ukraine.
MicroBackdoor is a client backdoor that's available on GitHub. Mandiant notes that the criminals are using a modified version that allows them to take screenshots of the victims' devices; this functionality does not exist in the GitHub version.
Using a compromised Ukrainian account, UNC1151 sent out these phishing emails with a ZIP file attached that contained the malicious payload. Once a victim is tricked into opening the file, their computer downloads the backdoor malware, which can upload and download files, execute commands, update itself, and take screenshots. MicroBackdoor also supports HTTP, Socks4 and Socks5 proxies to route traffic.
Mandiant's research also details a second espionage group, UNC2589, which the security firm believes "to act in support of Russian government" interests and which it now blames for the WhisperGate data wiper attacks in January (this data wiping malware has also been linked to Ghostwriter and/or another Russian- or Belarusian-government-backed gang of miscreants; suffice to say it's a pro-Kremlin group).