Hive0117 continues fileless malware delivery in Eastern Europe


Through ongoing investigations of cyber activity across Eastern Europe, IBM Security X-Force has identified a February 2022 phishing campaign by Hive0117, a likely financially motivated cybercriminal group, designed to spread the fileless malware variant DarkWatchman. The campaign poses as official communications from the Federal Service of Judicial Officers of the Russian government; the Russian-language emails are addressed to users in Lithuania, Estonia and Russia in the telecommunications, electronics and industrial sectors. The activity predates the Russian invasion of Ukraine and does not appear to be associated with it.

X-Force believes that it is possible that the targeting of telecommunications providers and their adjacent industry vendors may be intended to ultimately serve to enable illegal access to many distributed customers and end users.

DarkWatchman is a JavaScript-based Remote Access Trojan (RAT) that combines command-and-control (C2) communications with fileless persistence and other features.

The phishing activity uncovered by X-Force (tracked internally as Hive0117) aligns with research published in December 2021 detailing a similar phishing campaign that delivered a DarkWatchman payload by impersonating a cargo and logistics company based in Russia.

Given the high level of threat activity associated with the ongoing regional crisis, it is likely that threat actors will take advantage of the current climate to conduct, and to mask, other activities.

Hive0117 Activity Rating

X-Force assesses that the Hive0117 phishing campaigns are likely criminal in nature given the target selection and objectives of current and previous activity. Additionally, while the list of phishing campaign targets attributed to Hive0117 has regional associations with the Russian invasion of Ukraine, the activity predates the invasion, indicating separation from any politically charged association that spurred recent waves of criminal activity, such as the attack on a German subsidiary of a state-affiliated Russian energy company.

Nonetheless, given the evolving nature of conflict-driven criminal activity, linguistic ability, target focus, and relative sophistication of the actor, it is likely that Hive0117-related activity poses an elevated threat to entities and businesses based in the region.

Hive0117 Phishing Activity

X-Force discovered several emails sent in mid-February 2022 to individual users at organizations including a public communications company in Lithuania, a leading industrial company in Estonia, and several electronics and telecommunications companies in Russia. In some cases the emails targeted business owners, as well as people in leadership positions in dispatch and sales. Such organizations could be of great value to criminal actors given their potential for reliable access to a large and distributed customer base.

The emails are designed to appear to come from the official address of the Federal Service of Judicial Officers in Russia, a federal law enforcement agency under the Russian Ministry of Justice; however, examination of the headers revealed that some of the emails were sent from shtampuy[.]ru (free.ds [185.64.76.158]). The majority of the emails carry the return-path address [email protected][.]fssrus[.]ru, intended to imitate the organization's authentic address, https://r77.fssp.gov[.]ru. For unknown reasons, one email instead impersonates the head of a purported Russian investment company. The subject lines of Hive0117's emails, styled as official notices, are eye-catching and likely intended to compel the target to open the email and its attachment.
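The spoofing described above is visible in the headers: the From address claims the bailiff service's domain while Return-Path points at a lookalike domain and the first Received hop is an unrelated host. The following header check is an added example written for this page, not X-Force tooling; it uses Python's standard email module, the two messages are constructed, the local parts and Message-ID are invented, and the lookalike test (a shared three-character prefix with the legitimate brand label) is a deliberately simple heuristic.

```python
"""Flag sender spoofing in which From claims fssp.gov.ru but Return-Path
points at a lookalike domain. Added example; messages below are constructed."""
import re
from email import message_from_string
from email.utils import parseaddr
from os.path import commonprefix

# legitimate domain -> the brand label a lookalike domain would try to imitate
LEGITIMATE = {"fssp.gov.ru": "fssp"}

# Constructed to mirror the campaign's pattern (local parts/Message-ID invented).
SPOOFED = """\
Return-Path: <notice@r77.fssrus.ru>
Received: from free.ds (free.ds [185.64.76.158]) by mx.example.test
From: "FSSP Russia" <r77@fssp.gov.ru>
Subject: Enforcement proceedings 1840120-22
Message-ID: <a1@r77.fssrus.ru>

See attached.
"""

CLEAN = """\
Return-Path: <r77@fssp.gov.ru>
From: "FSSP Russia" <r77@fssp.gov.ru>
Subject: Enforcement proceedings 1840120-22

See attached.
"""


def header_domain(value):
    """Lower-cased domain of an address header; '' if absent or a null bounce."""
    addr = parseaddr(value or "")[1]
    return addr.rpartition("@")[2].lower().rstrip(".")


def is_under(domain, parent):
    return domain == parent or domain.endswith("." + parent)


def lookalike_of(domain):
    """Return the legitimate domain that `domain` appears to imitate, or None.
    Heuristic: any non-TLD label sharing >= 3 leading characters with the brand
    label (fssrus.ru vs fssp). Domains actually under a legitimate domain pass."""
    labels = domain.split(".")
    for legit, brand in LEGITIMATE.items():
        if is_under(domain, legit):
            return None
        if any(len(commonprefix([label, brand])) >= 3 for label in labels[:-1]):
            return legit
    return None


def received_ips(raw):
    """Bracketed IPv4 literals from Received headers, in header order."""
    msg = message_from_string(raw)
    pat = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
    return [ip for hop in msg.get_all("Received", []) for ip in pat.findall(hop)]


def analyze(raw):
    """Sorted list of findings; empty when From and Return-Path agree."""
    msg = message_from_string(raw)
    from_dom = header_domain(msg.get("From"))
    rp_dom = header_domain(msg.get("Return-Path"))
    findings = []
    for legit in LEGITIMATE:
        if is_under(from_dom, legit) and rp_dom and not is_under(rp_dom, legit):
            findings.append(f"from-claims-{legit}-but-return-path-is-{rp_dom}")
    for dom in {from_dom, rp_dom}:
        legit = lookalike_of(dom) if dom else None
        if legit:
            findings.append(f"lookalike:{dom}~{legit}")
    return sorted(findings)


if __name__ == "__main__":
    print(analyze(SPOOFED), received_ips(SPOOFED))
    print(analyze(CLEAN))
```

The prefix heuristic is intentionally loose; in production, compare against a list of domains the organization actually receives mail from and back it with SPF/DMARC results rather than string similarity alone.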

Image 1: Sample email return path and subject line

The body of each email contains identical Russian-language text citing several articles relating to enforcement proceedings associated with the Kuntsevsky District Court in Moscow, confirmed by the “bailiff of the interdistrict department of bailiffs for the execution of decisions of tax authorities”. The only variation X-Force observed between emails is the name and “case number” used in the individual email and in the accompanying malicious ZIP archive attachment.

Image 2: Sample email body


Malware Payload

Emails discovered by X-Force contain archive files named “Исполнительный лист XXXXXXX-22.zip”, where each “X” is a digit, or “Счет 63711-21 от 30.12.2021.zip”; these translate to “Writ of Execution XXXXXXX-22.zip” (“Исполнительный лист” is also rendered “Enforcement Title”) and “Invoice 63711-21 of 30.12.2021.zip”. Each archive contains an executable of the same name that drops the DarkWatchman JavaScript backdoor and the encrypted source code of a keylogger, in the same way as described in the December 2021 report.

Additionally, X-Force discovered downloader files designed to deliver DarkWatchman by contacting domtut[.](site|fun|online) and writing the retrieved files to %TEMP%. Upon execution, a self-extracting (SFX) archive installer drops two files: a JavaScript (JS) file and a file containing a series of hexadecimal characters. The JS file contains obfuscated code that functions as the backdoor; the hex data is encrypted and, when decrypted, yields a base64-encoded PowerShell block that runs the keylogger. The SFX setup script contains a comment in Russian (;Расположенный ниже комментарий содержит команды SFX-сценария), which translates to “The comment below contains SFX script commands”, suggesting that the malware author is a Russian speaker, possibly based in or originating from a Russian-speaking territory.

Given the fileless nature of the malware, the combination of a JavaScript backdoor with a keylogger written in C#, and the ability to erase traces of its presence on the compromised system on instruction, X-Force assesses that the actors behind Hive0117's activity are of moderate sophistication.

Malware infrastructure

The majority of the new malware samples discovered by X-Force appear to use a C2 IP address (103.153.157[.]33) previously associated with Hive0117 activity. One of the samples was submitted to VirusTotal in February 2022 and is configured with multiple C2 domains, including d303790c[.]top, which overlaps with the previously discovered malicious executable Накладная №12-6317-3621.exe.

The DarkWatchman malware analyzed by X-Force uses a Domain Generation Algorithm (DGA) to generate the list of C2 domains with which the malware attempts to communicate. The DGA takes a salt as input, read from a configuration key; the default salt d46ebd15 is used if the key is not defined. A list of hard-coded domain strings is contained in an array, with the analyzed samples containing the following list:

3a60dc39, 4d67ecaf, d303790c, a404499a, 3d0d1820, 4a0a28b6, dab53527, adb205b1, 44e645b3, 500ed27c, c8690767, 17c45148, 13e1ced9, e123fe80, 136e9446, 5937c7c6, 7c7cb9a4, 9eaa332e, 97815a39, 6a090054

IOC

Files

File name                                   MD5
Исполнительный лист 1840120-22.exe          d68180819bb8eb8207dc6ab74c1a4642
Исполнительный лист 1909102-22.exe          2bd8ee514c13a06687b5775e0a9eaf71
Исполнительный лист 16301123-22.exe         b25b24998800da7b5cf17879f2eb83ed
Исполнительный лист 1711390-22.exe          79b824bb99b4cc4f5da880371de52977
Исполнительный лист 154211671.scr           a4f19fba9a5ec97d3560cd43c4bd5507
Исполнительный лист 154211671.scr           a34809f26a22e0127e99597fed9169bf
Счет 63711-21 от 30.12.2021.exe             75a3b83d2b4131132d76d92190f045ec

Domains

3a60dc39[.](top|fun|online|site)
4d67ecaf[.](top|fun|online|site)
d303790c[.](top|fun|online|site)
a404499a[.](top|fun|online|site)
3d0d1820[.](top|fun|online|site)
4a0a28b6[.](top|fun|online|site)
dab53527[.](top|fun|online|site)
adb205b1[.](top|fun|online|site)
44e645b3[.](top|fun|online|site)
500ed27c[.](top|fun|online|site)
c8690767[.](top|fun|online|site)
17c45148[.](top|fun|online|site)
13e1ced9[.](top|fun|online|site)
e123fe80[.](top|fun|online|site)
136e9446[.](top|fun|online|site)
5937c7c6[.](top|fun|online|site)
7c7cb9a4[.](top|fun|online|site)
9eaa332e[.](top|fun|online|site)
97815a39[.](top|fun|online|site)
6a090054[.](top|fun|online|site)

URLs

http[:]//domtut[.](fun|online|site)

IP addresses

103.153.157.33
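The DGA section and the IOC list above together define what a defender can actually watch for: the 20 hard-coded seed strings crossed with the four TLDs, the domtut downloader hosts, and the C2 IP. The following DNS-log hunt is an added example written for this page, not X-Force tooling. It does not reproduce the DGA (the page does not document the algorithm); it expands the published seeds and TLDs into a watchlist, matches query names against it (case-insensitive, trailing-dot tolerant, subdomains included), and additionally flags any name that resolves to the known C2 address, which is how a not-yet-published DGA output would still be caught. The log format and the log lines are constructed for the example.

```python
"""Hunt for Hive0117/DarkWatchman C2 lookups in DNS query logs.
Added example. Watchlist is built from the seeds, TLDs, downloader hosts and
C2 IP published on this page (written here with real dots for matching)."""
from collections import Counter

SEEDS = [
    "3a60dc39", "4d67ecaf", "d303790c", "a404499a", "3d0d1820",
    "4a0a28b6", "dab53527", "adb205b1", "44e645b3", "500ed27c",
    "c8690767", "17c45148", "13e1ced9", "e123fe80", "136e9446",
    "5937c7c6", "7c7cb9a4", "9eaa332e", "97815a39", "6a090054",
]
TLDS = ("top", "fun", "online", "site")
DOWNLOADER_HOSTS = ["domtut.fun", "domtut.online", "domtut.site"]
C2_IPS = {"103.153.157.33"}

# Constructed log, one query per line: "<timestamp> <client> <qname> <qtype> [<answer>]"
SAMPLE_LOG = """\
2022-02-15T10:12:03Z 10.0.0.5 d303790c.top A
2022-02-15T10:12:04Z 10.0.0.5 D303790C.TOP. AAAA
2022-02-15T10:12:09Z 10.0.0.5 www.ibm.com A
2022-02-15T10:13:41Z 10.0.0.7 cdn.4d67ecaf.fun A
2022-02-15T10:14:00Z 10.0.0.9 domtut.site A
2022-02-15T10:14:02Z 10.0.0.9 notdomtut.site A
malformed line here
2022-02-15T10:15:00Z 10.0.0.11 somecdn.example A 103.153.157.33
"""


def build_watchlist():
    """All seed.tld combinations plus the downloader hosts (83 names)."""
    return {f"{s}.{t}" for s in SEEDS for t in TLDS} | set(DOWNLOADER_HOSTS)


def normalize(name):
    return name.strip().rstrip(".").lower()


def match_watchlist(qname, watchlist):
    """Watchlist entry that `qname` equals or sits below, else None.
    cdn.4d67ecaf.fun -> tries cdn.4d67ecaf.fun, then 4d67ecaf.fun; never the bare TLD."""
    labels = normalize(qname).split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in watchlist:
            return candidate
    return None


def scan_dns_log(text, watchlist=None):
    """Return one hit dict per matching query; malformed lines are skipped."""
    watchlist = build_watchlist() if watchlist is None else watchlist
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        ts, src, qname, qtype = parts[:4]
        answer = parts[4] if len(parts) > 4 else None
        ioc = match_watchlist(qname, watchlist)
        if ioc is None and answer in C2_IPS:
            ioc = answer  # unknown name, but it resolved to the published C2 address
        if ioc:
            hits.append({"ts": ts, "src": src, "qname": normalize(qname),
                         "qtype": qtype, "ioc": ioc})
    return hits


def hosts_by_hit_count(hits):
    """Clients ranked by number of C2-related lookups, for triage ordering."""
    return Counter(h["src"] for h in hits)


if __name__ == "__main__":
    found = scan_dns_log(SAMPLE_LOG)
    for h in found:
        print(h["ts"], h["src"], h["qname"], "->", h["ioc"])
    print(hosts_by_hit_count(found).most_common())
```

Because the seeds are only the inputs the DGA hashes with its salt, the watchlist covers the domains the sample's configuration can produce, not arbitrary future ones; the resolved-IP check and a NXDOMAIN-burst view of the same log are the two places to look when a host is beaconing to a name not yet on the list.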
