The Russian-controlled puppet statelet "Luhansk People's Republic" ("LPR"), which occupies certain districts in Ukraine's Luhansk region, is reportedly behind a recent spear-phishing attack that used RatVermin spyware against Ukrainian government agencies and the military.
"This actor has likely been active since at least 2014, and its continuous targeting of the Ukrainian government suggests a cyber-espionage motivation," John Hultquist, Ben Read, Oleg Bondarenko and Chi-en Shen, researchers with the FireEye Threat Intelligence research group, said in a Tuesday analysis. "This is supported by the ties to the so-called LPR's security service. While more evidence is needed for definitive attribution, this activity showcases the accessibility of competent cyber-espionage capabilities, even to sub-state actors. While this specific group is primarily a threat to Ukraine, nascent threats to Ukraine have previously become international concerns and bear monitoring."
The threat was identified in early 2019. The malware was spread via emails carrying malicious LNK files that contained PowerShell scripts designed to download a second-stage payload from the command and control (C&C) server. The email was received by military departments in Ukraine and included lure content related to the sale of demining machines.
The sender pretended to be from Armtrac, a U.K.-based defense manufacturer allegedly offering demining machines. The email included an attachment called "Armtrac-Commercial.7z," which contained two harmless Armtrac documents (they were real documents from Armtrac's official website) and one malicious LNK file (with a substituted Microsoft Word icon to trick victims).
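For defenders, one way to triage shortcuts extracted from a mail attachment for the mismatch described above, a LNK that runs a script interpreter while displaying a document icon (an added example, not code from the FireEye analysis). It reads only the StringData section of the public MS-SHLLINK format; the keyword lists, function names and sample shortcut are assumptions constructed for illustration.

```python
import struct

# Header offsets and flag bits follow the public MS-SHLLINK layout.
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_IDLIST, HAS_LINKINFO, IS_UNICODE = 0x01, 0x02, 0x80
STRING_FIELDS = (("name", 0x04), ("relative_path", 0x08), ("working_dir", 0x10),
                 ("arguments", 0x20), ("icon_location", 0x40))
INTERPRETERS = ("powershell", "pwsh", "cmd.exe", "mshta", "wscript", "cscript")  # assumed list
DOC_ICONS = ("winword", "excel", "acrord", ".doc", ".pdf", ".xls")              # assumed list

def parse_lnk(data):
    """Return the StringData fields of a .lnk file as a dict."""
    if len(data) < 76 or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    width = 2 if flags & IS_UNICODE else 1
    pos, fields = 76, {}
    try:
        if flags & HAS_IDLIST:      # 2-byte size, then the item ID list
            pos += 2 + struct.unpack_from("<H", data, pos)[0]
        if flags & HAS_LINKINFO:    # 4-byte size that includes itself
            pos += struct.unpack_from("<I", data, pos)[0]
        for name, bit in STRING_FIELDS:
            if flags & bit:         # 2-byte character count, then the string
                count = struct.unpack_from("<H", data, pos)[0]
                raw = data[pos + 2:pos + 2 + count * width]
                if len(raw) != count * width:
                    raise ValueError("truncated Shell Link file")
                fields[name] = raw.decode("utf-16-le" if width == 2 else "cp1252", "replace")
                pos += 2 + count * width
    except struct.error:
        raise ValueError("truncated Shell Link file") from None
    return fields

def triage(data):
    """Flag a shortcut that runs a script interpreter but shows a document icon."""
    f = parse_lnk(data)
    command = (f.get("relative_path", "") + " " + f.get("arguments", "")).lower()
    icon = f.get("icon_location", "").lower()
    suspicious = any(i in command for i in INTERPRETERS) and any(d in icon for d in DOC_ICONS)
    return {"suspicious": suspicious, "arguments": f.get("arguments", ""), "icon_location": icon}

def build_sample(relative_path, arguments, icon):
    """Build a minimal constructed .lnk (header plus Unicode strings) for testing."""
    header = struct.pack("<I16sI", 0x4C, LNK_CLSID, 0x08 | 0x20 | 0x40 | IS_UNICODE)
    strings = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le")
                       for s in (relative_path, arguments, icon))
    return header.ljust(76, b"\x00") + strings
```

The target path can also live in the item ID list or LinkInfo block, which this example skips over, so a clean result here does not clear a shortcut.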
The "LPR" is seen as a probable actor because the domain used by the command-and-control (C2) server in the attack was registered under the same email (re2a1er1@yandex[.]ru) as several other domains – including one for the "official" website of the "LPR" Ministry of State Security ("MGB LNR").
According to FireEye Threat Intelligence, compilation times indicate that this actor, who focused primarily on Ukraine, may have been active since at least 2014. "Their activity was first reported by FireEye Threat Intelligence in early 2018. They gradually increased in sophistication and leveraged both custom and open-source malware," researchers said.
"This latest activity is a continuation of spear-phishing that targeted the Ukrainian government as early as 2014. The email is linked to activity that previously targeted the Ukrainian Government with RatVermin. Infrastructure analysis indicates the actors behind the intrusion activity may be associated with the so-called Luhansk People's Republic (LPR)," researchers said.
Other domains linked to the email include several mimicking large news portals in Ukraine, a website of Ukrainian Prime Minister Volodymyr Groysman, and one of the largest weather portals in Ukraine.
Researchers say that the operators are highly aggressive and proactive. "The actor is highly interactive with its tools and has responded within a couple of hours of receiving a new victim, demonstrating its ability to react quickly," they say.
"An example of this hands-on style of operation occurred during live malware analysis. RATVERMIN operators observed that the malware was running from an unintended target at approximately 1700 GMT (12:00 PM Eastern Standard Time on a weekday) and promptly executed the publicly available Hidden Tear ransomware (saved to disk as hell0.exe, MD5: 8ff9bf73e23ce2c31e65874b34c54eac). The ransomware process was killed before it could execute successfully. If the Hidden Tear continued execution, a file would have been left on the desktop with the following message: 'Files have been encrypted with hidden tear. Send me some bitcoins or kebab. And I also hate night clubs, desserts, being drunk,'" the group gave an example.
UNIAN memo. FireEye, founded in 2004, is a U.S.-based public cybersecurity company that provides hardware, software, and services to investigate cybersecurity attacks, protect against malicious software, and analyze IT security risks.