

Ethical Hacking News

Hybrid Russian Espionage and Influence Campaign Targets Ukrainian Military Recruits and Delivers Malware


Google has uncovered a sophisticated hybrid espionage and influence campaign targeting potential Ukrainian military recruits with malware and anti-mobilization narratives. The operation uses a Telegram persona named "Civil Defense" to deliver Windows and Android malware, including the commodity infostealer PURESTEALER and the commercially available Android backdoor CRAXSRAT.

  • Google's Threat Intelligence Group has uncovered a sophisticated hybrid espionage and influence campaign (UNC5812) targeting potential Ukrainian military recruits with malware and anti-mobilization narratives.
  • The campaign uses social engineering tactics, malicious software, and a Telegram persona named "Civil Defense" to deliver Windows and Android malware.
  • The malware includes commodity variants like SUNSPINNER and PURESTEALER, designed to steal browser data, cryptocurrency wallets, and other applications.
  • Google is working with Ukraine's national authorities to disrupt the campaign and protect users from further exploitation.
  • The operation highlights Russia's emphasis on cognitive effects via cyber capabilities and the prominent role of messaging apps in malware delivery.



    Google's Threat Intelligence Group has uncovered a sophisticated hybrid espionage and influence campaign, dubbed UNC5812, that is targeting potential Ukrainian military recruits with malware and anti-mobilization narratives. The operation, which involves the use of a Telegram persona named "Civil Defense," delivers Windows and Android malware using a combination of social engineering tactics and malicious software.

    The Civil Defense website, hosted at civildefense[.]com.ua, advertises several software programs designed to enable potential conscripts to view and share crowdsourced locations of Ukrainian military recruiters. These programs deliver an operating system-specific commodity malware variant alongside a decoy mapping application tracked as SUNSPINNER. SUNSPINNER is a graphical user interface (GUI) application written using the Flutter framework and compiled for both Windows and Android environments.

    Upon execution, SUNSPINNER attempts to resolve a new "backend server" hostname from http://h315225216.nichost[.]ru/itmo2020/Student/map_markers/mainurl.json, followed by a request for map markers from https://fu-laravel.onrender[.]com/api/markers that are then rendered on the app's GUI. The displayed map does not appear to have any genuine user inputs, with all markers present in the JSON file pulled from SUNSPINNER's C2 infrastructure being added on the same day by the same user.

    The Windows payload downloaded from the Civil Defense website, CivilDefense.exe (MD5: 7ef871a86d076dac67c2036d1bb24c39), is a custom build of Pronsis Loader, a commodity malware operated primarily by financially motivated threat actors. Upon installation, this payload initiates a multi-stage delivery chain using self-extracting archives, ultimately executing PURESTEALER on the victim device. PURESTEALER is a heavily obfuscated commodity infostealer designed to steal browser data, cryptocurrency wallets, and data from various other applications.

    The Android Package (APK) file downloaded from the Civil Defense website, "CivilDefensse.apk" (MD5: 31cdae71f21e1fad7581b5f305a9d185), is a variant of the commercially available Android backdoor CRAXSRAT. When opened, this version requests the Android REQUEST_INSTALL_PACKAGES permission from the user which, if granted, allows it to download the CRAXSRAT payload from http://h315225216.nichost[.]ru/itmo2020/Student/map_markers/CivilDefense.apk.

    As part of its efforts to combat serious threat actors, Google continuously monitors for Android spyware and deploys protections in Google Play Protect. The company also adds identified websites, domains, and files to Safe Browsing to protect users from further exploitation. Furthermore, Google shares its findings with Ukraine's national authorities who have taken action to disrupt the campaign's reach by blocking resolution of the actor-controlled "Civil Defense" website nationally.

    The UNC5812 operation is part of a wider spike in operational interest from Russian threat actors following changes made to Ukraine's national mobilization laws in 2024. Research has shown that pro-Russia influence actors have been persistently targeting potential military recruits with messaging undermining Ukraine's mobilization drive and sowing public distrust in the officials carrying it out.

    From a tradecraft perspective, UNC5812's campaign is highly characteristic of the emphasis Russia places on achieving cognitive effect via its cyber capabilities. The operation also highlights the prominent role that messaging apps continue to play in malware delivery and other cyber dimensions of Russia's war in Ukraine.

    Indicators of Compromise

    For a more comprehensive set of UNC5812 indicators of compromise, a Google Threat Intelligence Collection is available for registered users.
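    As an added example (not code from the article or from Google's report), the script below turns the defanged indicators quoted in this write-up (the three hostnames, the SUNSPINNER and CRAXSRAT download URLs, and the two MD5 hashes) into a small matcher and runs it over constructed DNS and proxy log lines. The log line format and the client addresses are assumptions made for the example; it also flags a client that performed the full SUNSPINNER sequence described above (the mainurl.json request followed by the markers request), which is a stronger signal than a single lookup.

```python
import hashlib
import re
from urllib.parse import urlparse

# Indicators exactly as quoted in the article, in its defanged notation.
DEFANGED_DOMAINS = [
    "civildefense[.]com.ua",
    "h315225216.nichost[.]ru",
    "fu-laravel.onrender[.]com",
]
DEFANGED_URLS = {
    "http://h315225216.nichost[.]ru/itmo2020/Student/map_markers/mainurl.json": "sunspinner-backend-lookup",
    "https://fu-laravel.onrender[.]com/api/markers": "sunspinner-markers",
    "http://h315225216.nichost[.]ru/itmo2020/Student/map_markers/CivilDefense.apk": "craxsrat-download",
}
FILE_HASHES = {
    "7ef871a86d076dac67c2036d1bb24c39": "CivilDefense.exe (Pronsis Loader build)",
    "31cdae71f21e1fad7581b5f305a9d185": "CivilDefensse.apk (CRAXSRAT variant)",
}


def refang(indicator: str) -> str:
    """Turn the report's defanged notation back into a matchable string."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


DOMAINS = {refang(d).lower() for d in DEFANGED_DOMAINS}
URLS = {refang(u): label for u, label in DEFANGED_URLS.items()}


def domain_matches(host: str) -> bool:
    """Exact match or subdomain of a listed hostname."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in DOMAINS)


# Constructed sample telemetry (assumed format, not real logs): one DNS-style
# and one proxy-style record type, keyed by client address.
SAMPLE_LOGS = [
    "2024-10-28T09:00:01Z dns client=10.1.2.3 query=h315225216.nichost.ru type=A",
    "2024-10-28T09:00:02Z proxy client=10.1.2.3 url=http://h315225216.nichost.ru/itmo2020/Student/map_markers/mainurl.json status=200",
    "2024-10-28T09:00:05Z proxy client=10.1.2.3 url=https://fu-laravel.onrender.com/api/markers status=200",
    "2024-10-28T09:00:09Z dns client=10.1.2.4 query=www.example.com type=A",
    "2024-10-28T09:00:12Z proxy client=10.1.2.4 url=https://example.com/index.html status=200",
]

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<kind>dns|proxy) client=(?P<client>\S+) (?:query|url)=(?P<target>\S+)"
)


def scan_logs(lines):
    """Return one hit per log line that touches a listed hostname or URL."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        kind, target = m.group("kind"), m.group("target")
        reason = None
        if kind == "dns":
            if domain_matches(target):
                reason = "domain"
        else:
            if target in URLS:
                reason = URLS[target]
            elif domain_matches(urlparse(target).hostname or ""):
                reason = "domain"
        if reason:
            hits.append({"ts": m.group("ts"), "client": m.group("client"),
                         "target": target, "reason": reason})
    return hits


def clients_with_sunspinner_chain(hits):
    """Clients that fetched both the backend lookup and the markers endpoint."""
    seen = {}
    for h in hits:
        seen.setdefault(h["client"], set()).add(h["reason"])
    needed = {"sunspinner-backend-lookup", "sunspinner-markers"}
    return sorted(c for c, reasons in seen.items() if needed <= reasons)


def check_hash_value(md5_hex: str):
    """Look up an MD5 (for example from an EDR alert) against the listed hashes."""
    return FILE_HASHES.get(md5_hex.strip().lower())


def check_file_bytes(data: bytes):
    """Hash raw file contents and look the digest up."""
    return check_hash_value(hashlib.md5(data).hexdigest())


if __name__ == "__main__":
    for hit in scan_logs(SAMPLE_LOGS):
        print(hit)
    print("full SUNSPINNER chain seen from:", clients_with_sunspinner_chain(scan_logs(SAMPLE_LOGS)))
    print(check_hash_value("7EF871A86D076DAC67C2036D1BB24C39"))
```

    On the constructed input, client 10.1.2.3 produces three hits (a DNS lookup of the nichost.ru host, then the two SUNSPINNER requests) and is the only client reported for the full chain, while 10.1.2.4 produces none. Hostname matching includes subdomains so that new labels under the same actor-controlled domains are still caught; URL matching is exact, so changes to the path are picked up only through the domain rule.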



    Related Information:

  • https://cloud.google.com/blog/topics/threat-intelligence/russian-espionage-influence-ukrainian-military-recruits-anti-mobilization-narratives/

  • https://www.newyorker.com/magazine/2024/09/16/russias-espionage-war-in-the-arctic

  • https://www.crowdstrike.com/en-us/blog/who-is-fancy-bear/

  • https://portswigger.net/daily-swig/who-is-behind-apt29-what-we-know-about-this-nation-state-cybercrime-group


  • Published: Mon Oct 28 09:34:35 2024 by llama3.2 3B Q4_K_M
    © Ethical Hacking News. All rights reserved.