Authors:
Klimenty Galkin, Junior Specialist, Threat Intelligence Department, PT Expert Security Center
Alexander Badayev, Specialist, Threat Intelligence Department, PT Expert Security Center
Detected attacks
First files discovered
At the end of June 2024, during the process of researching threats, we discovered an archive called Копия трудовой.docx.rar (Russian for "Work record book copy"). Presumably, the archive was distributed as an attachment in emails to various companies in Russia. The archive was protected with a password, which could presumably be found in the body of the email.
We gained access to a file located in this archive — Копия трудовой.docx.exe SHA-256:
60414E88A21DF60B0CACCDF498B41AA7C75C10D880AB61A620F5B13BA2FAEBD1
The file Копия трудовой.docx.rar uploaded several files to the system, including an executable file with the provocative name putin_***.exe, as well as a decoy document with photographs of the passport of a citizen of the Republic of Belarus.
When run, the file with the provocative name launched powershell scripts that, during operation, received images with the malware loader and the payload of the last stage from the BitBucket repositories.
- https://bitbucket.org/hgdfhdfgd/test/downloads/new_image.jpg?14441723
- https://bitbucket.org/fasf24124/fdgfytrj/downloads/roAScpm.txt
In the case of the first BitBucket, which contained images with steganography, the repository contained the following files:
The person who committed the code to the repository was a certain Nano. This repository is currently inactive, meaning that there is no way to find out this user's email.
The images depicted the Atacama Desert in Chile.
The second repository, which acted as storage for the final load, is still functioning. According to the metadata, it was originally created on March 4, 2024 by a certain user with the nickname siniy34240.
At the time of the analysis, this BitBucket contained 46 files with different names, although some of them were identical in content.
This BitBucket was subsequently mentioned by researchers at the OffZone conference.
This chain used Bulgarian C2, which is linked to other similar attacks and files such as:
- ru***
- ***pen**
- vvp_***
These files were also talked about at the aforementioned conference.
Later on, in September 2024, several more documents were discovered that worked in a similar way:
- Заявление об актуализации персональных данных.rar (f0d402ffd0b57202feadee1a0b831a27a4b8135933cddb3d99232fbb20d3e138) (Russian for “Request to update personal data”)
- ФГУП «*******» (1ff8d5c5cb7e1949e55b602aad6d7253216a4ac55727703557410d2c47d561b8.bin) (draft supplementary agreement from a Federal State Unitary Enterprise [Russian abbreviation FGUP/ФГУП] with variable name—see example in fig. 7 below)
- Проект распоряжения правительства Курской области.pdf.zip (Russian for “Draft order of the local government of Kursk oblast”)
- Договор.pdf.rar (Russian for “Contract”)
- etc.
General description of the attacks
A diagram of the attack chain is presented below. The yellow boxes contain additional information, descriptions of obfuscation techniques, links used, and other indicators of compromise. The main attack vector path is shown in red, with an alternative path shown in blue.
The victim receives an email containing an archive with a password. The archive contains an executable file and a stub document. The password for the archive can be found in the text of the email. Usually, it's a short password consisting only of digits. As soon as the user opens the archive and runs the executable file, the stub opens.
The executable file then downloads a malicious obfuscated .vbs or .bat script into the system. In general, the obfuscation algorithm is as follows (commands from a .bat file are taken as an example):
- The entire script is divided into blocks of SET and GOTO commands.
- Each of these blocks is labeled with unreadable symbols.
- Each of these blocks stores a piece of a powershell script and goes on to set a variable with another part of the script.
- The final tag concatenates all the generated blocks
As a result, string concatenation occurs as follows:
Where final_ps_payload is the final obfuscation tag, ps_payload_N is a part of the powershell script, and N is the number of parts of the powershell script. The names of the tag and variables have been changed for ease of understanding.
The powershell script is then launched, which looks something like this:
As can be seen in the script, the # symbol is replaced with another one in order to obtain the correct Base64 string. As it subsequently turned out, there may be more than one symbol: It is possible to replace a block of several symbols, even in Unicode encoding.
The decoding results in another powershell script that looks like this:
Let's take a look at the script's operating algorithm:
- There is a function called "DownloadDataFromLinks", which goes through an array of links and tries to download a file with a .jpg extension.
- If any of the links are active and have returned an image, the bytes of the image are written to a variable called $imageBytes.
- The file contains two tags, between which the script receives the payload in Base64.
- The payload is decoded.
- The payload is the Ande Loader, which is prepared for launch via the method [System.Reflection.Assembly]::Load.
- The payload is downloaded from C2 and injected into the legitimate process RegAsm using the la method from the downloaded payload.
Having studied the source code of the loader that is injected into the process, we can say that the main purpose of the la method is to call the Ande method, which will in its turn embed the malware through a legitimate process. Another function of the method is to embed the parent script to run on startup or to remain in the system for a certain period of time. The method itself takes five parameters:
- adress: A string with an inverted link to download the payload;
- enablestartup: A string that stores a digit from the set {0,1,2}. The value of this parameter determines whether or not the malware will be embedded to run on startup and how it will be implemented if so;
- startupname: A string with the name of the executable file embedded to run on startup in the event that enablestartup = True;
- injection:: The name of the process into which the malware code is to be embedded;
- persistence:: A string parameter that acts as a Boolean value. If persistence = "1″ and enablestartup = "0″, a .bat script is created that, in a cycle of 1000 iterations once per minute, checks for the presence of the injection process among the active processes. If this is not the case, it launches the <startupname >.vbs file, which should then start the entire chain again.
The code for the la method can be seen in the screenshots below.
The most important things among the parameters—and, in general, the script as a whole—are the links to download the payload. During the investigation of the set of files described above, no other file storage locations were found other than the BitBucket and GitHub repositories. At the time of writing this article, the repository containing the latest payload from the examined attack was no longer available, but there are many other repositories online that contain the encoded payloads. Inside the text files is an inverted Base64 string of bytes from the executable file.
The final payload in the attack chain under examination is a remote access trojan called DarkTrack RAT, which, according to experts, was used by the group in attacks from 2023 and 2024. The majority of recent attacks have been using the same attacker server: 45.143.166[.]100:52336.
In addition to DarkTrack RAT, the repositories contain malware families such as AsyncRAT, Redline, Remcos, njRAT, XWorm, and more. This set of Trojans and stealers is used by several groups, including TA558, Blind Eagle, and others. Moreover, it's interesting to note that some samples have been downloaded over 46,000 times. This number of downloads indicates a mass use of files that is not typical for traditional APTs, but rather for malware distribution services.
Crypters used: Crypter-As-A-Service
When searching for similar elements in powershell scripts, as well as .bat and .vbs files, we identified several obfuscation features:
- Obfuscation through the use of SET, GOTO (.bat files) or Call (.vbs) functions.
- The presence of the $codigo variable in the powershell script obtained after deobfuscation. It's worth noting that "codigo" is the Portuguese and Spanish translation of the word "code".
- The $codigo variable contains a string with a Base64-encoded powershell script, and, in order for it to be correct, it is necessary to replace one character or sequence of characters with another.
- The final powershell script downloads the payload, which is a malware loader. In this case, the loader itself is downloaded as a text file, inside of which is a Base64-encoded executable file.
By identifying the features of the scripts, it was possible to find shared aspects with the attacks of the group TA558, as we described in April 2024, as well as with the attacks of Blind Eagle, as described by eSentire in February 2024. The most interesting thing is that the second report talks about the use of crypters and obfuscators that are distributed on shadow forums, in conjunction with the Ande Loader. Having compared this with the attacks of the PhaseShifters group, we came to the same conclusion.
However, the question remains open about the obfuscators and crypters used, and why PhaseShifters decided to use these ones in particular. Specialists from eSentire have already conducted an analysis of several crypters that were used by the BlindEagle group: VBS-Crypter, VBS-Crypter Simples, UpCry (UpCrypter), F*ckCrypter.
From the analysis of the tools, several features can be identified:
- The use of the $codigo variable, which also contains an encoded powershell script.
- Working with text files that contain a loader in C#.
- The retrieval of the method from the loader, as well as how it is passed to the payload as an inverted reference argument.
In addition, in some lines of the crypter, you can find the nicknames of the authors who created these utilities:
- NoDetectOn
- Pjoao1578
- MR_AHMED
- Roda
We also discovered a BitBucket repository with commits from a user nicknamed Roda that contained encoded loaders from which methods are called, as was the case in our analysis above. The interesting thing about this BitBucket is the number of downloads: Namely, at the time of our investigation, the number of downloads totaled almost a million.
The obfuscation techniques and generated powershell scripts work in the same way as in the attack we described, with one exception: There is no interaction with the BitBucket or GitHub services to obtain the image. However, the versions of the crypters are quite old, and therefore everything could have changed, including the type of the generated script.
After further research, we discovered a GitHub repository with the name NoDetectOn, which contained images selling subscriptions to obfuscators and crypters.
Searching the text of one of the images takes us to a site selling these obfuscators, which offers a subscription to obfuscators for VBS and BAT files at two rates: Public and private. The prices start from $100 per month for an obfuscator for just one file type.
This organization also has a GitHub repository that correlates with the name NoDetectOn.
The ZIP repository consists of several files containing an inverted Base64 string, as well as an image with the title new_image. The contents of the files are as follows:
The image that is currently in the repository (or rather, what is depicted in it) has already been encountered by us in attacks by the TA558 group, only the image was located at a different link.
Therefore, in this investigation, we made the assumption that TA558, Blind Eagle, and now PhaseShifters as well are using a subscription service for obfuscators and crypters. This is due to the use of the same obfuscation structure, the same variable inside the powershell script, a similar form of storing the payload (text files or images with Base64 in them), and the use of the same repositories with the payload (discussed in more detail below).
Moreover, the CaaS (Crypter-as-a-Service) that we discovered is most likely an association of all the developers whose nicknames are listed above.
However, besides this, we found another group that used the same techniques, the same crypter. We assume that PhaseShifters has been copying the techniques of another group.
It's not just the BitBucket that's the same: Similarities with UAC-0050
Some details about UAC-0050
UAC-0050 (UAC-0096) is a hacker group that has been attacking government organizations in Ukraine since 2020–2021, though it has also attacked companies in Poland, Belarus, Moldova, and the Baltic countries as well as companies in Russia. The group's attacks most often use phishing emails in combination with the well-known malware Remcos RAT, Quasar RAT, Meduza Stealer, and Remote Utilities. However, judging by the attacks carried out, their arsenal isn't limited to these tools alone.
In 2023, the group used Remote Utilities in attacks on Polish and Ukrainian organizations; in January 2024, they began to disguise Remote Utilities as the legitimate application CCleaner. In the last attack mentioned, the group used BitBucket. In March 2024, the expert BushidoToken discussed the connection between UAC-0050 and the DaVinci Group.
Indirect similarities. Techniques used
Previously, we mentioned a number of attacks carried out by the group. These used the following:
- A phishing email with important content (court documents, scanned documents, copies with a bank mark, an evacuation plan, etc.) with an attachment OR containing a link to download a file.
- The attachments take the form of a decoy document AND/OR an archive that is password-protected.
- The password is specified in the body of the email or in the name of a text file inside the archive, and consists of N digits.
- The archive contains a malicious executable file from the previously listed malware.
Looking at this set of facts, it's possible to draw a parallel between the PhaseShifters and UAC-0050 groups. The most similar aspects are seen in attacks by PhaseShifters on companies in Belarus with malware that is disguised as an installer for the CCleaner utility and is an SFX archive with obfuscated AutoIt scripts.
AutoIt scripts were used by both groups for about six months, then both groups stopped using them around the same time. An interesting note about these scripts was that only three groups were observed to use the AutoIt loader, namely: PhaseShifters, UAC-0050, and the pro-Palestinian group Handala, leading researchers from Intezer to name this loader the Handala loader.
Just like UAC-0050, PhaseShifters has attacked Polish organizations. The PhaseShifters group, as confirmed by specialists from the company FACCT, did this in February 2024, whereas the UAC-0050 group was attacking Poland in November and December 2023. Based on the similarity of the techniques used during phishing, as well as the disguising of the malware, we can assume that there is a connection between these two groups. It is not yet possible to say whether they are one and the same: More precise facts are needed to determine this.
Precise similarities in current attacks
It turns out that the attack chain under examination, which uses subscription-based crypters and obfuscators, is used not only by PhaseShifters, but also by UAC-0050. Moreover, there's very little time difference between the two groups using this kind of attack chain: PhaseShifters began using a similar chain in June and July 2024, while UAC-0050 also started using it in July 2024. Furthermore, both groups continue to use this attack pattern at present.
Let's look at the relationship diagram that we were able to create based on the detected attacks (Figure 31). In this diagram, white has been used to highlight the UAC-0050 group's use of some of the repositories from the general list, while yellow represents similar links that only pertain to the PhaseShifters group. The analysis of the attack chain is shown in green, with additional information in purple.
As can be seen in the diagram, some repositories are used by both groups. Even if the interrelation with the image can be explained by the purchase of the same crypter, as mentioned previously, the use of the same payload repository is more difficult to explain. The fact of the matter is that the latest repository containing the malware is specified by the user in obfuscators as a link to the payload. It turns out that both groups specified these links manually.
The report on OffZone also cites an example of the last BitBucket used for the final payload as an argument in favor of the location of the attackers. As it turns out, bitbucket.org/fasf24124 hosted both DarkTrack used by the PhaseShifters group and Amethyst used by the Sapphire Werewolf group.
Now let's take a look at the attacks by the PhaseShifters and UAC-0050 groups that also use the same repository.
On the part of the UAC-0050 group, the repository was used in the attack chain file Копія з позначкою банку.vbs (Ukrainian for "Copy with bank mark.vbs") by loading the file https://bitbucket.org/sdgw/sdge/downloads/meduza.txt as a payload, which becomes Meduza Stealer when decoded using Base64.
The PhaseShifters group used this repository in an attack chain with the file Проект распоряжения правительства Курской области.pdf.zip (Russian for "Draft order of the government of Kursk oblast.pdf.zip") The payload was downloaded from the link https://bitbucket.org/sdgw/sdge/downloads/mbFgnhd.txt, which turned out to be DarkTrack RAT, typical malware for them.
Thus, the same repository contained Meduza Stealer, the use of which is prohibited by the rules of the shadow forum for attacks on Russian organizations and Russian users in general, and DarkTrack RAT, which was detected in attacks on the Russian Federation. A news story mentioning these repositories was then released on October 15, 2024. This has resulted in a rather strange situation.
There is a possibility that the newest version of the crypter provides attackers with a subscription interface that allows them to download malware, and the repositories themselves belong to the creators of the crypters. If this is the case, the malware being located in the same repository must be an accident or a coincidence.
It was also interesting to understand what kind of image was located in the repositories during the attack (or was in them at any other point). However, since the https://bitbucket.org/shieldadas/gsdghjj/ repository has now been removed, the information can be found either on sandbox launches or elsewhere, Telegram for example. As it turns out, the messenger has automatic functionality for creating a preview of a file or page accessible via a link. What's more, each of these previews is most likely saved on the messenger servers, meaning that each time the user accesses the link, the preview is first checked on the servers and, if it exists, it is then given to the user. This is how we managed to see the image that was in the repository at some point via the link.
Other similarities in indicators
At the beginning of January 2024, as mentioned previously, hacker attacks were carried out on Ukrainian organizations with email subjects such as "Запит судових документів". (Ukrainian for "Request for court documents"). This attack has been attributed to the UAC-0050 group. Among the indicators of compromise, one domain was involved: rmssrv[.]ru. This domain is interesting because it was also found in phishing emails from October 2021, though these were targeted at Russian organizations at that time. According to the National Coordinating Center for Computer Incidents (NCCCI), these emails were sent on behalf of the Federal Tax Service of Russia and contained a malicious attachment (password-protected archive).
Moreover, in that same year of 2021, this domain was used in emails targeted at Ukrainian government organizations. The emails were allegedly from the Patrol Police Department of Kyiv.
It's interesting to note that, in its report, the NCCCI has attached an example of the attack and a screenshot of the malicious archive. The archive contained a password, as well as the executable file itself and additional .rar archives marked as "part1" and "part2".
UAC-0050 uses the same naming technique; we haven't seen anything like it from other groups thus far.
We have seen many similar divisions of the archive into parts from the group. For example, in the attack on Moldova.
In both the examples given, the UAC-0050 group used the Handala loader in the attacks with AutoIt scripts, the similarities of which we previously discussed.
Conclusion on the relationship
We can establish that the PhaseShifters group is copying the techniques of UAC-0050, and we have already observed a tendency that the copying begins after a small interval of a few weeks.
The copying is practically identical, to the extent that we are more inclined to believe that PhaseShifters and UAC-0050 may actually be one group in the capacity of a third party that is attacking both countries.