Date: Jun 2017

Location: Belarus

Summary

A phishing campaign targeted Belarusian government entities, including the Defence Ministry, using emails themed around joint military exercises to deliver malicious attachments disguised as documents and executables. The attacks deployed updated variants of the CMSTAR downloader, which installed BYEBY and PYLOT backdoors enabling remote command execution, encrypted communication with command-and-control infrastructure, and persistence mechanisms. The malware leveraged decoy content mimicking official exercise preparations and employed obfuscation techniques like XOR encryption and registry modifications to evade detection.


Description

Between June and August 2017, a phishing campaign targeted multiple Belarusian government entities, including the Ministry of Defence, Ministry of Foreign Affairs, and other state agencies. Attackers sent 20 unique emails to addresses such as [email protected], [email protected], and [email protected], leveraging themes related to the upcoming Zapad-2017 joint military exercises between Belarus and Russia. Emails contained malicious attachments disguised as routine communications, including RTF documents, Microsoft Word files, and a RAR archive. The RAR file contained images, a decoy document detailing preparations for the military exercises, and a malicious .scr executable file masquerading as a Windows folder. Three variants of the CMSTAR Downloader malware (CMSTAR.A, CMSTAR.B, CMSTAR.C) were deployed with updated string obfuscation techniques to evade detection. These downloaders retrieved additional payloads identified as BYEBY and PYLOT backdoors, which provided attackers with remote access to compromised systems.


The BYEBY and PYLOT backdoors enabled command execution and established persistence, communicating with command-and-control infrastructure over TLS-encrypted channels. PYLOT specifically communicated with the domain oeiowidfla22.com, while BYEBY targeted the svcHost.exe and rundll32.exe processes for injection. Attackers used XOR encryption and registry modifications to maintain access to infected systems. Palo Alto Networks' Unit 42 identified the campaign through WildFire malware analysis and AutoFocus threat intelligence, confirming delivery techniques that included exploitation of CVE-2015-1641 and malicious macro execution in the attached documents. Protective measures were implemented via domain blocking, macro exploit prevention, and signature-based detection for all CMSTAR variants and associated payloads. The decoy documents mimicked legitimate military exercise planning materials to increase the likelihood of successful infection among the targeted government personnel.
