GHOSTWRITER / UNC1151 ADOPTS MICROBACKDOOR VARIANTS IN CYBER OPERATIONS AGAINST UKRAINE

APT + malware + Intelligence Cluster25 todayMarch 8, 2022

For a few months Cluster25 collected and analyzed several malicious activities which then were internally linked with the threat actor known as UNC1151 (aka GhostWriter), an adversary believed to be linked to the Belarusian government. In July 2020 Mandiant Threat Intelligence released a public report about an ongoing influence campaign named “GhostWriter“. The campaign was addressed to audiences in Lithuania, Latvia and Poland making use of critical messages against the NATO’s presence in Eastern Europe.

In addition to this type of operations, UNC1151 seems to be further active also in the compromise of objectives of strategic importance. On March 4, 2022, Cluster25 collected a malicious document designed to spread malware for espionage purposes against targets located in Ukraine that displays the logos of the Ukrainian President’s office and secret services with content relating to advice on dealing with the bombing.

INSIGHTS

The document is a Microsoft Compressed HTML Help (CHM) file named dovidka.chm. After extracting the file, it shows the following structure: 

dividka.chm contains a file named file.htm that in its turn contains obfuscated vbscript (VBS) code as reported following:

 

The script checks for the presence of the file

C:\Users\Public\Favorites\desktop.ini

then it writes a second VBS script under the path

C:\Users\Public\ignit.vbs

After that, it runs the latter script, deletes it and finally runs the command

wscript.exe //B //E:vbs C:UsersPublicFavoritesdesktop.ini

The script ignit.vbs decodes and writes the following files:

  • C:\Users\Public\Libraries\core.dll
  • C:\Users\Public\Favorites\desktop.ini
  • C:\ProgramData\Microsoft\Windows Start Menu\Programs\Startup\Windows Prefetch.lnk

The desktop.ini file runs the following command, which executes the file core.dll with the Microsoft Assembly Registration Tool (Regasm.exe):

C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe  /U “C:Users\Public\Libraries\core.dll”

MICROLOADER

The file core.dll is a DLL file in .NET code compiled on Monday January 31st 2022 at 15:00:46 UTC. Code obfuscation and anti-tampering techniques have been used to hinder the analysis. The kind of anti-tampering techniques  used shows similarities with the use of the open-source code-protector tool for .NET named ConfuserEx. This is because several methods appear as empty and decompilation exceptions are present when the file is open in tools such as dnSpy, as reported in the image below:


We thought to make the code a little more readable by setting a breakpoint after the anti-tamper method (first method in the constructor) and by replacing the method with NOPs to finally save and reopen the module in dnSpy. This is necessary since the method is responsible for changing the RVA values of the methods. After this is executed, the values are correct, so it is possible to dump the new version of the DLL, but it is also necessary to avoid the anti-tamper method to be called in the next execution, otherwise it would change the values again. 

This code is basically a payload aimed at unpacking and executing a payload

MICROBACKDOOR

The piece of code in the new thread it’s basically meant to perform a connection to the domain xbeta[.]online attested on IP address 185.175.158[.]27.