Check Point Research (CPR) sees threat groups worldwide using Russia/Ukraine-themed documents to spread malware and lure victims into cyber espionage. Depending on the targets and region, attackers are using decoys ranging from official-looking documents to news articles and job postings. CPR believes the motivation behind these recent campaigns is cyber espionage: stealing sensitive information from governments, banks and energy companies. The threat groups and their victims are not concentrated in one region but span the globe, including Latin America, the Middle East and Asia.
In a new publication, CPR profiles three APT groups, named El Machete, Lyceum and SideWinder, which were recently caught conducting spear-phishing campaigns against victims in five countries. The table below summarizes each APT group's origin, targeted sector and targeted countries.
| APT Name | APT Origin | Targeted Sector | Targeted Countries |
| --- | --- | --- | --- |
| El Machete | Spanish-speaking Country | Financial, Governmental | Nicaragua, Venezuela |
| Lyceum | The Islamic Republic of Iran | Energy | Israel, Saudi Arabia |
| SideWinder | Possibly India | Unknown | Pakistan |
Malware Capabilities
CPR studied the malware deployed by each of the three APT groups in these cyber espionage campaigns. Capabilities include:
Keylogging: steals everything the victim types on the keyboard
Credential collection: collects credentials stored in the Chrome and Firefox browsers
File collection: collects information about the files on each drive, including file names and file sizes, allowing theft of specific files
Screenshotting
Clipboard data collection
Command execution
Attack Methodologies
El Machete
Spear-phishing email with text about Ukraine
Attached Word document with article about Ukraine
Malicious macro inside the document drops a sequence of files
Malware downloaded to the PC
Lyceum
Email with content about war crimes in Ukraine and a link to a malicious document hosted on a website
The document executes macro code when it is closed
An executable file is saved to the PC
The malware runs the next time the PC is restarted
SideWinder
Malicious document is opened by the victim
When it is opened, the document retrieves a remote template from an actor-controlled server
The downloaded external template is an RTF file that exploits the CVE-2017-11882 vulnerability
Malware is installed on the victim's PC
Russia/Ukraine-themed Documents become Lure of Choice
El Machete was spotted sending spear-phishing emails to financial organizations in Nicaragua, with an attached Word document titled “Dark plans of the neo-Nazi regime in Ukraine.” The document contained an article written and published by Alexander Khokholikov, the Russian Ambassador to Nicaragua, that discussed the Russo-Ukrainian conflict from the perspective of the Kremlin.
Figure 1 - Lure document that contains an article about the Russia-Ukraine conflict, sent by El Machete APT to Nicaraguan financial institutions.
Lyceum
In mid-March, an Israeli energy company received an email from the address inews-reporter@protonmail[.]com with the subject “Russian war crimes in Ukraine.” The email contained a few pictures taken from public media sources and a link to an article hosted on the news-spot[.]live domain. The link in the email leads to a document containing the article “Researchers gather evidence of possible Russian war crimes in Ukraine” published by The Guardian. The same domain hosts a few more malicious documents related to Russia and the Russia-Ukraine war, such as a copy of a 2020 article by The Atlantic Council on Russian nuclear weapons, and a job posting for an “Extraction / Protective Agent” in Ukraine.
Figure 2 - Lure email utilizing the Russia-Ukraine conflict theme, sent by the Lyceum group
Figure 3 - Russia-Ukraine war-related decoy documents used by the Lyceum APT group
SideWinder
SideWinder’s malicious document, which also exploits the Russia-Ukraine war theme, was uploaded to VirusTotal (VT) in mid-March. Judging by its content, the intended targets are Pakistani entities: the bait is a document from the National Institute of Maritime Affairs of Bahria University in Islamabad, titled “Focused talk on Russian Ukraine Conflict Impact on Pakistan.” This malicious document uses remote template injection. When it is opened, the document retrieves a remote template from an actor-controlled server.
Figure 4 - Decoy document related to Russia-Ukraine war, by SideWinder APT
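The remote template injection described in the SideWinder attack methodology and in the paragraph above leaves a tell-tale mark inside the .docx package: an attachedTemplate relationship in word/_rels/settings.xml.rels whose TargetMode is External and whose target is a network location. The following added example (not code from CPR or the original report) parses that relationship file from a constructed, in-memory .docx and flags such targets; the relationship namespace and type URIs are the standard OOXML ones, and the sample URLs are placeholders.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Standard OOXML relationship type Word uses for an attached template.
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")
RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
# Only network-reachable targets (http(s) URLs or UNC paths) count as remote;
# a local .dotm path is a normal attached template and is not flagged.
REMOTE_TARGET = re.compile(r"(?i)^(https?://|\\\\)")


def find_remote_templates(docx_bytes):
    """Return remote template targets referenced by a .docx (empty if none).

    Remote template injection plants an attachedTemplate relationship with
    TargetMode="External"; Word fetches that target as soon as the document
    is opened, before any macro prompt or user interaction.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        if "word/_rels/settings.xml.rels" not in z.namelist():
            return hits  # no settings relationships, so no attached template
        root = ET.fromstring(z.read("word/_rels/settings.xml.rels"))
        for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
            target = rel.get("Target", "")
            if (rel.get("Type") == ATTACHED_TEMPLATE
                    and rel.get("TargetMode") == "External"
                    and REMOTE_TARGET.match(target)):
                hits.append(target)
    return hits


def build_sample_docx(template_target=None):
    """Build a minimal constructed .docx in memory (a test fixture, not a real sample)."""
    rels = [f'<Relationships xmlns="{RELS_NS}">']
    if template_target is not None:
        rels.append(f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
                    f'Target="{template_target}" TargetMode="External"/>')
    rels.append("</Relationships>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/settings.xml", "<w:settings/>")
        z.writestr("word/_rels/settings.xml.rels", "".join(rels))
    return buf.getvalue()
```

Running find_remote_templates over the attachments in a mail quarantine catches this technique before the document reaches Word, which is where the fetched RTF and its exploit would otherwise be processed.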
Quote: Sergey Shykevich, Threat Intelligence Group Manager at Check Point Software:
“Right now, we are seeing a variety of APT campaigns that utilize the current war for malware distribution. The campaigns are highly targeted and sophisticated, focusing on victims in the government, financial and energy sectors. In our newest report, we profile and bring examples from three different APT groups, who all originate in different parts of the world and whom we caught orchestrating these spear-phishing campaigns. We studied the malware involved closely, and found capabilities that span keylogging, screenshotting and more. It is my strong belief that these campaigns are designed with the core motivation of cyber espionage. Our findings reveal a clear trend: collateral around the war between Russia and Ukraine has become a lure of choice for threat groups world-wide. I strongly recommend that governments, banks and energy companies reiterate cyber awareness and education to employees, and implement cyber security solutions that protect the network on all levels.”
Latest Overall Cyber Attack Numbers on Ukraine, Russia and NATO Countries
Recently, Check Point Research (CPR) released an update on cyber-attack trends throughout the current Russia-Ukraine war. One month after the war started on 24th February 2022, both Russia and Ukraine saw increases in cyber-attacks of 10% and 17% respectively. CPR has also observed a 16% increase in cyber-attacks globally throughout the current conflict. CPR shared cyber-attack data for NATO countries, regions and more here.