
Cyber Incident Victim: Inter Channel

Date: Mar 2022

Location: Ukraine

Summary

A cyberespionage group known as UAC-0056 targeted a Ukrainian private TV channel through spear-phishing emails containing macro-embedded Excel documents, deploying a multi-stage malware chain. The attack utilized Elephant Dropper with a stolen Microsoft certificate to download subsequent payloads, including Elephant Downloader for persistence, Elephant Implant (GrimPlant) for encrypted C2 communication via gRPC, and Elephant Client (GraphSteel) to steal credentials from browsers, Wi-Fi, mail clients, and other services. The campaign exfiltrated system information and sensitive authentication data, consistent with the threat actor's history of disruptive attacks against Ukrainian entities.

CIA Posture: Available to members
Motives: 2 motives
Tactics, Techniques & Procedures: 2 techniques
Threat Actor: 1 actor
Type: Available to members
Location: Available to members

Description

The cyberespionage group UAC-0056, also tracked as SaintBear, UNC2589, and TA471, conducted a spear-phishing campaign targeting Ukrainian entities between March 23 and March 28, 2022. The attack focused on organizations including ICTV, a private television channel, using emails with the subject "wage arrears" that carried malicious Excel attachments. These documents used embedded macros to deploy the first-stage payload "base-update.exe" from a hidden worksheet named "SheetForAttachedFile", relying on publicly available code to extract the file and write it to the victim's AppData\Local\Temp directory. The initial payload, Elephant Dropper, was written in Go and signed with a stolen Microsoft certificate; it created a directory under C:\Users\{user}\.java-sdk before downloading additional components. The dropper fetched a Base64-encoded binary from a command-and-control server and saved it as "java-sdk.exe" to execute the next stage.
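The lure described above combines two traits that are cheap to check for in mail-gateway or sandbox triage: a worksheet hidden from the user and an embedded VBA project. The script below, an added example that is not part of the incident record or of any tool named on the page, parses an Office Open XML workbook (.xlsx/.xlsm is a zip archive) and reports hidden sheets and the presence of `xl/vbaProject.bin`. The sample workbooks it builds in memory are constructed test data; the sheet name "SheetForAttachedFile" is the one quoted in the description, and the scoring logic (hidden sheet plus VBA = suspicious) is this example's own heuristic.

```python
"""Triage an OOXML workbook for a hidden worksheet plus an embedded VBA project.

Added example; the sample workbooks are constructed in memory and contain no
real macro code.
"""
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import Optional

SML_NS = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
# Sheet name quoted in the incident description; other hidden sheets are still
# reported, they just do not set named_match.
SUSPICIOUS_SHEET_NAMES = {"SheetForAttachedFile"}


def triage_workbook(data: bytes) -> dict:
    """Return hidden-sheet names, VBA presence and a simple verdict for one file."""
    findings = {"hidden_sheets": [], "has_vba": False, "named_match": False}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        # Office stores macros of an .xlsm/.xlsb in this single binary part.
        findings["has_vba"] = "xl/vbaProject.bin" in names
        if "xl/workbook.xml" in names:
            root = ET.fromstring(zf.read("xl/workbook.xml"))
            for sheet in root.iter(f"{{{SML_NS}}}sheet"):
                # 'state' is absent for visible sheets; "hidden" can be unhidden
                # from the UI, "veryHidden" only through VBA or the XML itself.
                if sheet.get("state") in ("hidden", "veryHidden"):
                    findings["hidden_sheets"].append(sheet.get("name"))
    findings["named_match"] = any(
        name in SUSPICIOUS_SHEET_NAMES for name in findings["hidden_sheets"]
    )
    # Heuristic of this example: a macro-bearing workbook that also hides a
    # sheet is worth a second look; either trait alone is common in benign files.
    findings["suspicious"] = findings["has_vba"] and bool(findings["hidden_sheets"])
    return findings


def build_sample(hidden_sheet: Optional[str], with_vba: bool) -> bytes:
    """Construct a minimal workbook archive for testing (not a real lure)."""
    sheets = '<sheet name="Sheet1" sheetId="1" r:id="rId1"/>'
    if hidden_sheet:
        sheets += (
            f'<sheet name="{hidden_sheet}" sheetId="2" state="veryHidden" r:id="rId2"/>'
        )
    workbook_xml = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        f'<workbook xmlns="{SML_NS}" '
        'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
        f"<sheets>{sheets}</sheets></workbook>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("xl/workbook.xml", workbook_xml)
        if with_vba:
            # Placeholder bytes only; a real part is an OLE compound file.
            zf.writestr("xl/vbaProject.bin", b"\xd0\xcf\x11\xe0 placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_workbook(build_sample("SheetForAttachedFile", with_vba=True)))
    print(triage_workbook(build_sample(None, with_vba=False)))
```

Run it against a directory of quarantined attachments by reading each file's bytes into `triage_workbook`; the `hidden_sheets` list is the field worth keeping in the case notes, since the sheet name is what ties a sample back to a specific lure.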


The subsequent Elephant Downloader established persistence via registry auto-run keys and retrieved two additional payloads: oracle-java.exe (Elephant Implant) and microsoft-cortana.exe (Elephant Client). The implant, identified as the GrimPlant backdoor, used gRPC with embedded TLS certificates to communicate with C2 servers on port 80, collecting system data including hostname, OS details, CPU count, and user information through functions such as GetOSInfo and GetUserInfo. The final payload, GraphSteel (Elephant Client), decrypted its C2 IP addresses with AES-ECB, exfiltrated Base64-encoded victim data, and systematically harvested credentials from browsers, Wi-Fi networks, credential managers, email accounts, PuTTY sessions, and FileZilla configurations. This campaign followed earlier UAC-0056 activity, including January 2022 wiper attacks against Ukrainian government systems and March 2022 deployments of GrimPlant, GraphSteel, and Cobalt Strike Beacon against state organizations. The group's infrastructure reused techniques from prior operations, such as fake translation software lures and the WhisperGate disruptive attack, demonstrating a sustained focus on Ukrainian targets.
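The persistence step above leaves a durable trace: a registry auto-run value whose data points at a binary under a per-user dot-directory. The hunt below is an added example, not part of the incident record or of any vendor tooling; it walks Sysmon-style registry events (EventID 13, value set) and flags auto-run values that launch one of the payload file names quoted on the page or that sit inside a `.java-sdk` directory under a user profile, with a weaker generic signal for any dot-directory under `\Users\`. The event records are constructed, and the restriction to the `Run` and `RunOnce` keys is this example's assumption, since the page says only "auto-run keys".

```python
"""Hunt registry value-set events for the auto-run persistence pattern described
in the incident. Added example; the events below are constructed Sysmon-style
records, not logs from the page.
"""
import re
from typing import Dict, List

# Per-user and machine-wide logon auto-run keys; the leading path differs by hive
# (HKLM\SOFTWARE\... or HKU\<SID>\Software\...), so match on the tail only.
AUTORUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\", re.IGNORECASE
)
# File and directory names taken from the description: the downloader, the
# implant (GrimPlant) and the client (GraphSteel).
IOC_FILENAMES = {"java-sdk.exe", "oracle-java.exe", "microsoft-cortana.exe"}
IOC_DIR_RE = re.compile(r"\\Users\\[^\\]+\\\.java-sdk\\", re.IGNORECASE)
# Weak generic signal: any dot-directory directly under a user profile.
DOT_DIR_RE = re.compile(r"\\Users\\[^\\]+\\\.[^\\]+\\", re.IGNORECASE)


def classify_event(event: Dict[str, str]) -> List[str]:
    """Return the reasons an event is suspicious; an empty list means no finding."""
    reasons: List[str] = []
    # Only registry value writes (EventID 13) under an auto-run key are of interest.
    if event.get("EventID") != "13":
        return reasons
    if not AUTORUN_KEY_RE.search(event.get("TargetObject", "")):
        return reasons
    details = event.get("Details", "")
    # Value data may be quoted; the last path component is the launched binary.
    binary = details.strip('"').split("\\")[-1].lower()
    if binary in IOC_FILENAMES:
        reasons.append(f"auto-run value launches known payload name {binary}")
    if IOC_DIR_RE.search(details):
        reasons.append("auto-run value points into a per-user .java-sdk directory")
    if not reasons and DOT_DIR_RE.search(details):
        reasons.append("auto-run value points into a dot-directory under a user profile")
    return reasons


def hunt(events: List[Dict[str, str]]) -> List[tuple]:
    """Return (RecordId, reasons) for every event that produced at least one reason."""
    results = []
    for event in events:
        reasons = classify_event(event)
        if reasons:
            results.append((event["RecordId"], reasons))
    return results


# Constructed sample events (field names follow Sysmon's RegistryEvent schema).
SAMPLE_EVENTS = [
    {"RecordId": "1", "EventID": "13",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\java-sdk",
     "Details": r"C:\Users\alice\.java-sdk\java-sdk.exe"},
    {"RecordId": "2", "EventID": "13",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth",
     "Details": r"C:\Windows\system32\SecurityHealthSystray.exe"},
    {"RecordId": "3", "EventID": "13",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\updater",
     "Details": r"C:\Users\bob\.cache\updater.exe"},
    {"RecordId": "4", "EventID": "12",  # key created, no value data: ignored
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\java-sdk",
     "Details": ""},
]

if __name__ == "__main__":
    for record_id, reasons in hunt(SAMPLE_EVENTS):
        print(record_id, "; ".join(reasons))
```

The two named indicators are the brittle part of this hunt, since file names change between campaigns; the dot-directory signal is the one to keep tuned, because an auto-run entry launching from a hidden directory inside a user profile is unusual for legitimate software and cheap to triage.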

Sources: 1 source (available to members)