Date: Jun 2017

Location: Belarus

Summary

A spear-phishing campaign targeted Belarusian government entities with emails disguised as communications about upcoming joint military exercises. The attackers distributed new variants of the CMSTAR downloader through RTF documents, Word files, and a RAR archive that bundled a decoy exercise-related document with a disguised executable. CMSTAR in turn deployed the BYEBY and PYLOT backdoors, which provided remote command execution, encrypted communication with command-and-control servers, and persistence through registry modifications. The exercise theme lent the lures credibility, while string obfuscation and injection into svcHost.exe or rundll32.exe were used to evade detection. The operation aimed to compromise systems across several government departments through tailored social engineering and evolving malware payloads.


Description

Between June and August 2017, unidentified threat actors conducted a phishing campaign against multiple Belarusian government entities, including military and foreign affairs departments. The attackers sent 20 unique emails to 11 specific government email addresses, using subject lines that referenced the upcoming Zapad-2017 joint military exercises between Belarus and Russia. The emails carried malicious attachments disguised as routine documents: RTF files, Microsoft Word documents, and a RAR archive. The RAR archive held images, a decoy document discussing preparations for the exercises, and a malicious .scr executable whose icon imitated a Windows folder. When opened, the attachments delivered three variants of the CMSTAR downloader (designated CMSTAR.A, CMSTAR.B, and CMSTAR.C), which used updated string-obfuscation routines compared with the versions observed in the 2015 and 2016 campaigns.
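As an added example (not code from the original report or from Palo Alto Networks), the following Python script triages an attachment archive for the lure pattern just described: benign images and a decoy document packed together with an executable screensaver. The archive is constructed in memory with the standard zipfile module as a stand-in for RAR, since the standard library has no RAR reader; the member names, contents and the extension list are assumptions for the demonstration, not indicators taken from the campaign.

```python
"""Triage of an e-mail attachment archive for a decoy-plus-executable lure.
Added example; the archive, member names and contents are constructed here
and zipfile stands in for the RAR container used in the campaign."""
import io
import os
import re
import zipfile

# Extensions Windows executes on double-click regardless of the icon shown
# (assumed list for the demonstration, not taken from the report).
EXECUTABLE_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js",
                  ".vbs", ".lnk", ".hta", ".ps1"}


def member_findings(name, data):
    """Return the reasons a single archive member looks suspicious."""
    findings = []
    lower = name.lower()
    ext = os.path.splitext(lower)[1]
    if ext in EXECUTABLE_EXT:
        findings.append(f"executable extension {ext}")
    # Runs of spaces before the extension push it out of view in Explorer.
    if re.search(r"\s{3,}\.[a-z0-9]{2,4}$", lower):
        findings.append("padded name hides extension")
    # Double extension such as 'report.pdf.exe'.
    if re.search(r"\.(doc|docx|pdf|rtf|jpg|png)\.[a-z0-9]{2,4}$", lower):
        findings.append("double extension")
    # Trust the bytes, not the name: a PE image starts with 'MZ'.
    if data[:2] == b"MZ" and ext not in EXECUTABLE_EXT:
        findings.append("PE header with non-executable extension")
    # OOXML documents carry VBA macros in a vbaProject.bin stream.
    if ext in {".docx", ".docm", ".xlsx", ".xlsm"} and data[:2] == b"PK":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as inner:
                if any(n.lower().endswith("vbaproject.bin") for n in inner.namelist()):
                    findings.append("embedded VBA macro project")
        except zipfile.BadZipFile:
            findings.append("corrupt OOXML container")
    # RTF with embedded OLE object data is the usual exploit carrier.
    if ext == ".rtf" and b"\\objdata" in data.lower():
        findings.append("RTF embeds OLE object data")
    return findings


def triage_archive(blob):
    """Map each suspicious member name to its list of findings."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            findings = member_findings(info.filename, zf.read(info))
            if findings:
                report[info.filename] = findings
    return report


def build_sample_archive():
    """Constructed sample mimicking the lure: images, decoy, disguised .scr."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("photo1.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16)
        zf.writestr("exercise_plan.rtf", b"{\\rtf1 plain decoy text}")
        zf.writestr("exploit.rtf", b"{\\rtf1{\\object{\\objdata 0105}}}")
        zf.writestr("Documents   .scr", b"MZ" + b"\x90" * 62)
        zf.writestr("notes.pdf.exe", b"MZ" + b"\x00" * 30)
        inner = io.BytesIO()
        with zipfile.ZipFile(inner, "w") as doc:
            doc.writestr("[Content_Types].xml", b"<Types/>")
            doc.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0")
        zf.writestr("invitation.docm", inner.getvalue())
    return buf.getvalue()


if __name__ == "__main__":
    for member, reasons in triage_archive(build_sample_archive()).items():
        print(f"{member!r}: {', '.join(reasons)}")
```

The checks deliberately combine name-based heuristics (extension, padding, double extension) with content checks (MZ magic, macro stream, OLE object data), because the folder icon that fooled the recipients lives in the PE resources and is invisible to a name-only filter.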


The CMSTAR variants then downloaded two previously undocumented backdoors, BYEBY and PYLOT. Both provided remote command execution and persistent access to compromised systems. PYLOT communicated with the command-and-control domain oeiowidfla22.com over encrypted traffic, while BYEBY wrapped its traffic in TLS and injected itself into svcHost.exe or rundll32.exe. The attackers obfuscated payloads with XOR-based encryption and persisted through registry modifications. Palo Alto Networks' WildFire cloud analysis platform detected and analyzed the samples, and protections were delivered through AutoFocus threat-intelligence tags, blocking of the malicious domains, and endpoint configurations that block exploitation of CVE-2015-1641 and execution of malicious macros. The decoy documents replicated authentic military-exercise communications to increase credibility; the analysis did not specify whether successful infections led to data exfiltration or operational disruption.
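The XOR-wrapped payload is the piece a responder most often has to peel back by hand. The following Python routine, added here and not CMSTAR's own code, recovers a repeating XOR key from a downloaded blob by using the fixed layout of a Windows PE header as known plaintext: the 'MZ' signature, the e_lfanew pointer at offset 0x3C, and the DOS-stub string that MSVC-linked binaries place at offset 0x4E. The key length, the stub offset and the sample blob are assumptions for the demonstration; the page does not state how CMSTAR keys its payloads.

```python
"""Known-plaintext recovery of a repeating XOR key from a wrapped PE image.
Added example; the key, the stub offset and the sample blob are constructed
here and do not describe CMSTAR's actual routine."""
import struct

DOS_STUB = b"This program cannot be run in DOS mode."
STUB_OFFSET = 0x4E  # assumed: where MSVC-linked binaries place the stub text


def xor_bytes(data, key):
    """Apply a repeating-key XOR; the operation is its own inverse."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def is_pe(data):
    """True if data has an MZ header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def recover_key(blob, max_key_len=16):
    """Derive the shortest consistent XOR key from the known header bytes.

    For each candidate key length, every known plaintext byte fixes one key
    byte (blob[off] ^ plain).  Two known bytes mapping to the same key slot
    must agree, otherwise the length is wrong.  The decrypted candidate is
    then validated structurally with is_pe()."""
    known = {0: ord("M"), 1: ord("Z")}
    for i, c in enumerate(DOS_STUB):
        known[STUB_OFFSET + i] = c
    for klen in range(1, max_key_len + 1):
        key = [None] * klen
        consistent = True
        for off, plain in known.items():
            if off >= len(blob):
                continue
            k = blob[off] ^ plain
            if key[off % klen] is None:
                key[off % klen] = k
            elif key[off % klen] != k:
                consistent = False
                break
        if not consistent or any(k is None for k in key):
            continue
        candidate = bytes(key)
        if is_pe(xor_bytes(blob, candidate)):
            return candidate
    return None


def recover_payload(blob, max_key_len=16):
    """Return the decrypted PE image, or None if no key fits."""
    key = recover_key(blob, max_key_len)
    return None if key is None else xor_bytes(blob, key)


def build_sample_blob(key):
    """Constructed stand-in for a downloaded, XOR-wrapped PE: a DOS header
    pointing at a PE signature at 0x80, the standard stub, then filler."""
    hdr = bytearray(0x80)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)  # e_lfanew
    hdr[0x40:0x4E] = bytes.fromhex("0E1FBA0E00B409CD21B8014CCD21")  # stub code
    hdr[STUB_OFFSET:STUB_OFFSET + len(DOS_STUB)] = DOS_STUB
    body = bytes(hdr) + b"PE\x00\x00" + b"\x4c\x01" + b"\x00" * 58
    return xor_bytes(body, key)


if __name__ == "__main__":
    sample_key = bytes.fromhex("5ac317")  # constructed key
    wrapped = build_sample_blob(sample_key)
    print("recovered key:", recover_key(wrapped).hex())
    print("valid PE after unwrap:", is_pe(recover_payload(wrapped)))
```

Because the stub string alone supplies 39 consecutive known bytes, every key slot up to max_key_len is pinned down and the structural check rejects lengths that merely happen to be consistent; if a sample uses a non-standard stub the function returns None rather than guessing, which is the behaviour you want in an automated unpacking step.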
