Date: Jun 2017
Location: Belarus

Summary

A phishing campaign targeted Belarusian government entities, including the Minsk Operational Administration of the Armed Forces, using emails themed around joint military exercises. Attackers distributed malicious attachments (RTF documents, Word files, and a RAR archive containing a disguised executable) that deployed updated CMSTAR Trojan variants (CMSTAR.A, B, C). These downloaders retrieved the previously unknown BYEBY and PYLOT backdoors, which enabled remote command execution and encrypted communications with command-and-control infrastructure. The malware employed XOR string obfuscation and registry modifications for persistence, and used decoy documents mimicking legitimate exercise preparations to evade detection. The campaign gave the attackers sustained, unauthorized control over infected devices, compromising the operational security of the affected systems.

CIA Posture: Available to members
Motives: 9 motives
Tactics, Techniques & Procedures: 1 technique
Threat Actors: 0 actors
Type: Available to members
Location: Available to members

Description

Between June and August 2017, threat actors conducted a phishing campaign targeting Belarusian government entities, including the Ministry of Defence (mod.mil.by), Ministry of Foreign Affairs (mfa.gov.by), and other agencies. Attackers sent 20 unique emails with subject lines referencing the Zapad-2017 joint military exercises between Russia and Belarus scheduled for September 2017. The emails contained malicious attachments disguised as legitimate documents, including RTF files, Microsoft Word documents, and a RAR archive. This archive housed decoy materials about military exercise preparations alongside a malicious .scr executable masquerading as a Windows folder. Recipient addresses included [email protected], [email protected], and other government accounts, indicating a focus on military and diplomatic personnel.


The campaign deployed three variants of the CMSTAR Downloader malware (CMSTAR.A, CMSTAR.B, CMSTAR.C), which used updated string obfuscation techniques compared to the earlier 2015-2016 versions. These downloaders retrieved two novel backdoor payloads, BYEBY and PYLOT. PYLOT established encrypted communication with the command-and-control domain oeiowidfla22.com, while BYEBY used TLS encryption and injected code into svchost.exe or rundll32.exe processes for stealth. Both backdoors enabled remote command execution, allowing the attackers to control compromised systems. Palo Alto Networks Unit 42 identified the malware’s use of XOR encryption and registry modifications for persistence. Protective measures included WildFire malware analysis, AutoFocus threat intelligence tagging, domain blocking, and exploit mitigation for CVE-2015-1641, the vulnerability leveraged in the attacks. The decoy documents mimicked official military communications, suggesting the attackers sought sensitive information related to defense operations during a period of heightened geopolitical activity.

Sources
Sources available to members
1 source