Cyber Incident Victim: Ministry of Foreign Affairs
Date: Jun 2017
Location: Belarus
Summary
A phishing campaign targeted a Belarusian government entity, delivering malicious attachments disguised as documents related to joint military exercises. The emails carried updated CMSTAR Trojan variants that deployed the BYEBY and PYLOT backdoors, enabling remote command execution and encrypted communication with attacker-controlled servers. The malware used string obfuscation, registry modifications for persistence, and decoy content mimicking official communications to compromise systems.
Description
Between June and August 2017, threat actors conducted a phishing campaign targeting Belarusian government entities, including the International Security and Arms Control Department of the Ministry of Foreign Affairs. Attackers sent 20 unique emails with subject lines referencing the upcoming Zapad-2017 joint military exercises between Russia and Belarus. These emails contained malicious attachments disguised as routine documents, including RTF files, Microsoft Word documents, and a RAR archive. The RAR file contained decoy materials about military exercise preparations alongside a malicious .scr executable masquerading as a Windows folder. Three variants of the CMSTAR downloader malware (CMSTAR.A, CMSTAR.B, CMSTAR.C) were deployed with updated string obfuscation techniques to evade detection. These downloaders retrieved two previously unseen backdoor payloads, BYEBY and PYLOT, which enabled remote command execution and data exfiltration. PYLOT communicated with the command-and-control domain oeiowidfla22.com over encrypted channels, while BYEBY employed TLS encryption and injected code into legitimate processes such as svchost.exe or rundll32.exe. The malware used XOR encryption to conceal its payloads and modified registry keys to establish persistence on compromised systems.

The campaign exploited the topical relevance of the military exercises to increase the likelihood of successful infections. Decoy documents mimicked authentic government communications about Zapad-2017 preparations to deceive recipients into enabling malicious macros or executing files. Palo Alto Networks' Unit 42 identified the activity through WildFire malware analysis and AutoFocus threat intelligence, confirming the use of a known exploit (CVE-2015-1641) and malicious document macros in the attacks. Protective measures implemented by Palo Alto Networks included blocking the identified C2 domains, signature-based detection for the malware variants, and prevention of macro execution in documents. The backdoors' capabilities allowed attackers to execute arbitrary commands, maintain persistent access, and potentially exfiltrate sensitive information from targeted government systems. No specific remediation actions by the Belarusian government were detailed in the reporting, though the malicious infrastructure and tactics were documented for defensive purposes.
