Cyber Incident Victim: Armed Forces of Ukraine
Date: Apr 2019
Location: Ukraine
Summary
A cyber espionage campaign targeted Ukrainian military personnel using a malicious executable disguised as a legitimate document related to the Armed Forces of Ukraine. The attack employed a self-extracting archive delivering a decoy document while deploying malware that evaded detection by checking for security tools, established persistence via startup entries, and harvested system information. The malware leveraged the wget utility to exfiltrate data to command-and-control servers and scheduled additional payload downloads, consistent with known tactics of the Gamaredon APT group, a Russian-aligned threat actor with a history of targeting Eastern European entities. Infrastructure analysis revealed ongoing operational activity supporting the campaign's objectives.
Description
In April 2019, cybersecurity researchers identified a campaign targeting Ukrainian military personnel using a malicious executable masquerading as a legitimate RTF document titled "State of the Armed Forces of Ukraine" dated April 2, 2019. The attack leveraged a self-extracting archive (SFX) file falsely attributed to Oracle software, carrying an invalid signature with an expiration date set to March 16, 2019. Upon execution, the SFX deployed four files, including a batch script that first checked for security analysis tools such as Wireshark and Process Explorer using tasklist.exe. The script then renamed a file to "Document.docx" to serve as a decoy document for the victim while extracting a password-protected archive ("26710") using the hard-coded password "dcthfdyjdfcdst,tv". This archive placed "winsetup.exe" in the user profile directory and established persistence via a LNK shortcut in the Windows Startup folder.

The core malicious payload involved a UPX-packed version of the wget utility ("MicrosoftCreate.exe") and a script ("30347.cmd") implementing the Pteranodon implant. The malware collected system information via systeminfo.exe, stored it in a file named "fnQWAZC", and exfiltrated it to the command-and-control server "librework.ddns.net" using wget. Additional scheduled tasks attempted to download "setup.exe" from "bitwork.ddns.net" and placed another wget copy ("ie_cash.exe") in the "%APPDATA%\Roaming\Microsoft\IE\" directory. The implant executed these downloaded files every 32 minutes, consistent with historical Gamaredon tradecraft. Analysis of the C2 infrastructure revealed multiple samples connecting to "librework.ddns.net" in early April 2019, indicating ongoing operations. The Pteranodon implant showed no significant code changes from earlier variants used by Gamaredon since 2013, demonstrating the group's continued reliance on this toolset. The campaign exemplified sustained Russian-aligned cyber espionage targeting Ukrainian defense entities, aligning with broader state-sponsored activities in Eastern Europe during this period.
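As an added defender-side example (not part of the original report), the following Python sketch turns the behaviours described above into simple detections over constructed Sysmon-style events: the tasklist.exe security-tool check launched from a script, the Startup-folder LNK, wget running under a renamed file name, connections to the named C2 hosts, and a 32-minute scheduled task. The domain names, file names and interval come from the description; the event field names, the schtasks command syntax and the sample events themselves are assumptions.

```python
import re
from pathlib import PureWindowsPath

# Indicators quoted from the report above; everything else in this file is assumed.
C2_DOMAINS = {"librework.ddns.net", "bitwork.ddns.net"}
RENAMED_WGET = {"microsoftcreate.exe", "ie_cash.exe"}
STARTUP_DIR = r"\microsoft\windows\start menu\programs\startup"
SCHTASKS_32MIN = re.compile(r"/sc\s+minute\s+/mo\s+32\b", re.IGNORECASE)
SCRIPT_EXT = re.compile(r"\.(cmd|bat)\b", re.IGNORECASE)

def detect(events):
    """Return (rule, detail) pairs for a list of Sysmon-style event dicts.
    Keys assumed: eid (1=process create, 3=network, 11=file create), image,
    plus per-type fields: cmdline, parent, parent_cmdline, original_name, dest_host, target."""
    findings = []
    for ev in events:
        name = PureWindowsPath(ev.get("image", "")).name.lower()
        if ev["eid"] == 1:
            cmd = ev.get("cmdline", "")
            orig = ev.get("original_name", "").lower()
            parent = PureWindowsPath(ev.get("parent", "")).name.lower()
            # wget.exe running under another file name (MicrosoftCreate.exe, ie_cash.exe, ...);
            # the OriginalFileName check also catches names the report did not list
            if (orig == "wget.exe" and name != "wget.exe") or name in RENAMED_WGET:
                findings.append(("renamed_wget", f"{ev['image']} (OriginalFileName={orig or '?'})"))
            # tasklist.exe spawned by a cmd.exe that is executing a .cmd/.bat script: the AV-check stage
            if name == "tasklist.exe" and parent == "cmd.exe" and SCRIPT_EXT.search(ev.get("parent_cmdline", "")):
                findings.append(("tasklist_from_script", ev["parent_cmdline"]))
            # task re-running a dropped payload every 32 minutes
            if name == "schtasks.exe" and SCHTASKS_32MIN.search(cmd):
                findings.append(("schtasks_32min", cmd))
        elif ev["eid"] == 3 and ev.get("dest_host", "").lower() in C2_DOMAINS:
            findings.append(("known_c2", f"{name} -> {ev['dest_host']}"))
        elif ev["eid"] == 11:
            tgt = ev.get("target", "")
            if tgt.lower().endswith(".lnk") and STARTUP_DIR in tgt.lower():
                findings.append(("startup_lnk", f"{name} wrote {tgt}"))
    return findings

SAMPLE_EVENTS = [  # constructed for this example, not captured telemetry
    {"eid": 1, "image": r"C:\Windows\System32\tasklist.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "parent_cmdline": r"cmd.exe /c C:\Users\u\AppData\Local\Temp\30347.cmd", "cmdline": "tasklist.exe"},
    {"eid": 11, "image": r"C:\Users\u\winsetup.exe",
     "target": r"C:\Users\u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winsetup.lnk"},
    {"eid": 1, "image": r"C:\Users\u\AppData\Roaming\MicrosoftCreate.exe", "original_name": "wget.exe",
     "cmdline": "MicrosoftCreate.exe http://librework.ddns.net/"},
    {"eid": 3, "image": r"C:\Users\u\AppData\Roaming\MicrosoftCreate.exe", "dest_host": "librework.ddns.net"},
    {"eid": 1, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r"schtasks /Create /SC MINUTE /MO 32 /TN Updater /TR C:\Users\u\setup.exe"},
    {"eid": 1, "image": r"C:\Program Files\Mozilla Firefox\firefox.exe", "original_name": "firefox.exe"},
]

if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

The OriginalFileName rule is the durable one: the dropped file names and ddns hosts change between campaigns, while a wget binary renamed into a user-writable directory does not.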
