- Introduction
- Vulnerabilities Exploited
- Malware's Used
- Cyber Groups
- MITRE ATT&CK Techniques Used By Threat Actors
- IOCs
- C2C Server Relations
- Reports & Credits
- Contribution
This repository is aimed at curating and tracking threat intelligence published in a single location, enabling defenders to proactively hunt for threats within their environment. Live updates for the same can be seen on Cyware's own live page.
Below mentioned are the vulnerabilities seen to have been exploited during the crisis
CVE-2021-32648 - https://nvd.nist.gov/vuln/detail/CVE-2021-32648
CVE-2021-44228 - https://nvd.nist.gov/vuln/detail/CVE-2021-44228
Below mentioned are the malwares used to attack systems, devices and websites across cyber attacks
TM Feed Hermetic (Wiper)
BlackEnergy (Sandworm Tool 2015)
Industroyer (Sandworm Tool 2016)
NotPetya (Sandworm Tool 2017)
WhisperGate (Wiper)
HermeticWiper / Killdisk.NCV (Wiper)
Cyclops Blink (Sandworm Tool)
VPNFilter (Replaced by Cyclops Blink)
Katana (DDoS Botnet)
Below mentioned are few of the prominent cyber groups across the Russia <> Ukraine conflict
UNC1151
Gamaredon Group
Anonymous
GhostSec
IT Army of Ukraine
KelvinSecurity Hacking Team
BlackHawk
Raidforums Admin
Netsec
Below mentioned are some of the MITRE ATT&CK Techniques observed by threat actors involved
| [Domain] | [ID] | Name | Use |
|---|---|---|---|
| T1071 | 0.001 | Application Layer Protocol: Web Protocols | AGamaredon Group file stealer can communicate over HTTP for C2. |
| T1119 | Automated Collection | Gamaredon Group has deployed scripts on compromised systems that automatically scan for interesting documents | |
| T1020 | Automated Exfiltration | Gamaredon Group has used modules that automatically upload gathered documents to the C2 server | |
| T1547 | 0.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | Gamaredon Group tools have registered Run keys in the registry to give malicious VBS files persistence. |
| T1059 | 0.003 | Command and Scripting Interpreter: Windows Command Shell | Gamaredon Group has used various batch scripts to establish C2 and download additional files.Gamaredon Group's backdoor malware has also been written to a batch file |
| 0.005 | Command and Scripting Interpreter: Visual Basic | Gamaredon Group has embedded malicious macros in document templates, which executed VBScript.Gamaredon Group has also delivered Microsoft Outlook VBA projects with embedded macros. | |
| T1005 | Data from Local System | Gamaredon Group has collected files from infected systems and uploaded them to a C2 server | |
| T1039 | Data from Network Shared Drive | Gamaredon Group malware has collected Microsoft Office documents from mapped network drives. | |
| T1025 | Data from Removable Media | AGamaredon Group file stealer has the capability to steal data from newly connected logical volumes on a system, including USB drives. | |
| T1140 | Deobfuscate/Decode Files or Information | Gamaredon Group tools decrypted additional payloads from the C2.Gamaredon Group has also decoded base64-encoded source code of a downloader. | |
| T1041 | Exfiltration Over C2 Channel | AGamaredon Group file stealer can transfer collected files to a hardcoded C2 server. | |
| T1083 | File and Directory Discovery | Gamaredon Group macros can scan for Microsoft Word and Excel files to inject with additional malicious macros.Gamaredon Group has also used its backdoors to automatically list interesting files (such as Office documents) found on a system. | |
| T1562 | 0.001 | Impair Defenses: Disable or Modify Tools | Gamaredon Group has delivered macros which can tamper with Microsoft Office security settings. |
| T1070 | 0.004 | Indicator Removal on Host: File Deletion | Gamaredon Group tools can delete files used during an infection. |
| T1105 | Ingress Tool Transfer | Tools used byGamaredon Group are capable of downloading and executing additional payloads | |
| T1559 | 0.001 | Inter-Process Communication: Component Object Model | Gamaredon Group malware can insert malicious macros into documents using a Microsoft.Office.Interop object. |
| T1534 | Internal Spearphishing | Gamaredon Group has used an Outlook VBA module on infected systems to send phishing emails with malicious attachments to other employees within the organization. | |
| T1112 | Modify Registry | Gamaredon Group has removed security settings for VBA macro execution by changing registry values HKCU\Software\Microsoft\Office\<version>\<product>\Security\VBAWarnings and HKCU\Software\Microsoft\Office\<version>\<product>\Security\AccessVBOM. | |
| T1106 | Native API | Gamaredon Group malware has used CreateProcess to launch additional malicious components. | |
| T1027 | Obfuscated Files or Information | Gamaredon Group has delivered self-extracting 7z archive files within malicious document attachments, and used obfuscated or encrypted scripts. | |
| 0.001 | Binary Padding | Gamaredon Group has obfuscated .NET executables by inserting junk code. | |
| 0.004 | Compile After Delivery | Gamaredon Group has compiled the source code for a downloader directly on the infected system using the built-in Microsoft.CSharp.CSharpCodeProvider class. | |
| T1137 | Office Application Startup | Gamaredon Group has inserted malicious macros into existing documents, providing persistence when they are reopened.Gamaredon Group has loaded the group's previously delivered VBA project by relaunching Microsoft Outlook with the /altvba option, once the Application.Startup event is received | |
| T1120 | Peripheral Device Discovery | Gamaredon Group has delivered spearphishing emails with malicious attachments to targets. | |
| T1566 | 0.001 | Phishing: Spearphishing Attachment | Gamaredon Group has delivered spearphishing emails with malicious attachments to targets. |
| T1053 | 0.005 | Scheduled Task/Job: Scheduled Task | Gamaredon Group has created a scheduled task to launch an executable every 10 minutes. |
| T1113 | Screen Capture | Gamaredon Group's malware can take screenshots of the compromised computer every minute. | |
| T1218 | 0.011 | Signed Binary Proxy Execution: Rundll32 | Gamaredon Group malware has used rundll32 to launch additional malicious components. |
| T1082 | System Information Discovery | AGamaredon Group file stealer can gather the victim's computer name and drive serial numbers to send to a C2 server. | |
| T1033 | System Owner/User Discovery | System Owner/User Discovery | |
| T1080 | Taint Shared Content | Gamaredon Group has injected malicious macros into all Word and Excel documents on mapped network drives. | |
| T1221 | Template Injection | Gamaredon Group has used DOCX files to download malicious DOT document templates.Gamaredon Group can also inject malicious macros or remote templates into documents already present on compromised systems. | |
| T1204 | 0.002 | User Execution: Malicious File | Gamaredon Group has attempted to get users to click on Office attachments with malicious macros embedded. |
| T1102 | Web Service | Gamaredon Group has used GitHub repositories for downloaders which will be obtained by the group's .NET executable on the compromised system |
Below mentioned are few of the indicators observed to be involved with exploits and campaigns in the Ukraine <> Russia Conflict
https://blog.talosintelligence.com/2022/02/threat-advisory-hermeticwiper.html
https://www.tesorion.nl/en/resources/pdfstore/Report-OSINT-Russia-Ukraine-Conflict-Cyberaspect.pdf
https://inquest.net/blog/2022/02/10/380-glowspark
https://attack.mitre.org/groups/G0047/
https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/unc1151-ghostwriter-update-report.pdf
https://www.securityweek.com/ukraine-attacks-involved-exploitation-log4j-october-cms-vulnerabilities
https://attack.mitre.org/groups/G0047/
https://cyberknow.medium.com/2022-russia-ukraine-war-cyber-group-tracker-6e08ef31c533
We are always on the lookout for latest indicators, detection mechanisms and relations. If you note something we have missed or which you would like to add, please raise an issue or create a pull request!