
Microsoft Threat Intelligence Center (MSTIC) shared on the Microsoft Security blog its report on ACTINIUM, a threat group that has been targeting Ukrainian organizations for almost a decade.

“As with any observed nation-state actor activity, Microsoft directly notifies customers of online services that have been targeted or compromised, providing them with the information they need to secure their accounts,” reads the post by MSTIC.

The group persistently attempted to gain access to organizations in Ukraine or entities related to Ukrainian affairs.


The research focuses on the group’s activity over the last six months, detailing which tools the threat actors use and how they deploy them. According to MSTIC’s observations, the group appears to be operating from the Crimean peninsula, currently occupied by Russia. The Ukrainian government has publicly stated that the Russian Federal Security Service (FSB) is behind this group’s activity.

ACTINIUM has been targeting organizations in Ukraine including the military, government, non-government organizations (NGOs), law enforcement, the judiciary and many non-profit organizations.

The threat actors also target organizations that would provide humanitarian and international aid to Ukraine in a crisis.

The MSTIC specialists say that the activity of this threat group differs significantly from the previously detected malware attacks by DEV-0586. The team observed that the group’s activity relates only to organizations within Ukraine and does not exploit any unpatched vulnerabilities in Microsoft products and services.

MSTIC also notes that Gamaredon/ACTINIUM tactics are constantly evolving and that those described in the blog do not cover the full scope of attacks by this threat group. The ones covered by the MSTIC team are only some of the most consistent and notable observations.


One of the methods the group uses to gain initial access is spear phishing of the targeted victims. The emails sent by the group contain malicious macro attachments that subsequently employ remote templates.

Remote template injection is a method of making a document load an external document template that contains the malicious code. Because the malicious code lives in the fetched template rather than in the attachment itself, this further allows the threat group to avoid detection.
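Remote template injection leaves a trace inside the document package itself: the attachedTemplate relationship in word/_rels/settings.xml.rels names the template Word will fetch when the file is opened. The following Python is an added example, not code from the article or from MSTIC; it builds a minimal constructed .docx-style package and flags an attached template whose target has a network location rather than a local file path (the hostname is a placeholder).

```python
import io
import zipfile
from urllib.parse import urlsplit
from xml.etree import ElementTree as ET

# OOXML relationship type Word uses for the template attached to a document.
ATTACHED_TEMPLATE = (
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
)
RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
SETTINGS_RELS = "word/_rels/settings.xml.rels"


def find_remote_templates(docx_bytes: bytes) -> list:
    """Return the attachedTemplate targets that point at a network location."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as pkg:
        if SETTINGS_RELS not in pkg.namelist():
            return hits  # no attached template at all
        root = ET.fromstring(pkg.read(SETTINGS_RELS))
        for rel in root.iter("{%s}Relationship" % RELS_NS):
            if rel.get("Type") != ATTACHED_TEMPLATE:
                continue
            # Word writes TargetMode="External" even for a local Normal.dotm
            # (as a file:// path), so a network host in the target is the signal.
            parts = urlsplit(rel.get("Target", ""))
            if parts.netloc and parts.scheme.lower() != "file":
                hits.append(rel.get("Target"))
    return hits


def build_sample_docx(template_target: str) -> bytes:
    """Constructed sample: a minimal .docx-style package with one attachedTemplate."""
    rels = (
        f'<Relationships xmlns="{RELS_NS}">'
        f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
        f'Target="{template_target}" TargetMode="External"/>'
        "</Relationships>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("word/document.xml", "<w:document/>")
        pkg.writestr("word/settings.xml", "<w:settings/>")
        pkg.writestr(SETTINGS_RELS, rels)
    return buf.getvalue()


if __name__ == "__main__":
    # Placeholder host; a real lure would name the attacker-controlled server.
    lure = build_sample_docx("http://template-host.example.invalid/update.dotm")
    local = build_sample_docx("file:///C:/Users/me/Templates/Normal.dotm")
    print(find_remote_templates(lure))   # ['http://template-host.example.invalid/update.dotm']
    print(find_remote_templates(local))  # []
```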


In addition to the macros, the threat group also uses web bugs to track when a message has been opened and changed. These bugs are not malicious by themselves, but they can hint that the received email may be malicious. The Gamaredon/ACTINIUM macro attachments contain a first-stage payload that downloads and executes further payloads.

It was unclear to the specialists why, in some cases, there were multiple subsequent stages. MSTIC assumes this may be done so that the fully featured malicious capability is less likely to be picked up by detection systems.


MSTIC concluded that the main purpose of the group’s activity is monitoring and gathering sensitive information from the accessed networks. To carry out the next steps, the threat group first deploys interactive access tools; the most widely known and most fully featured of them is “Pterodo”.

Another example is UltraVNC, a legitimate and fully featured open-source remote desktop application. It allows the threat group to interact easily with a target host. Because the threat group does not rely on a custom binary, the application is not detected or deleted by security products.

After gaining interactive access to the targeted network, the threat group deploys a wide variety of malware. MSTIC analyzed the malware samples and grouped them into the following families: Pterodo, PowerPunch, ObfuMerry, ObfuBerry and DilongTrash.


The security alerts listed by MSTIC should indicate threat activity associated with this threat group. However, the alerts are not necessarily related to Gamaredon/ACTINIUM. The team provided them so that, should they occur, users immediately investigate the cause, given the severity of the consequences of the group’s activity.

Alerts in the security center that will also point at this group activity include:

  • Suspicious-looking process that transfers data to an external network;
  • Staging of sensitive data;
  • Dubious screen capture activity;
  • An uncommon file created and added to a Run Key;
  • An abnormal scheduled task created;
  • Odd dynamic link library loaded;
  • Abnormal process executing encoded command.

The list also included various activities concerning suspicious execution of a file.

Andrew Nail

Cybersecurity journalist from Montreal, Canada. Studied communication sciences at Université de Montréal. I was not sure whether a journalist’s job was what I wanted to do in my life, but combined with the technical sciences, it is exactly what I like to do. My job is to catch the most current trends in the cybersecurity world and help people deal with the malware they have on their PCs.
