{
  "name": "Report on Ukraine government attack campaign",
  "slug": "report-on-ukraine-government-attack-campaign",
  "description": "Ukraine's government cybersecurity incident response team, CERT-UA, obtained information about the distribution of emails themed around prisoners of war, containing links to download an archive named 'spysok_kursk.zip'. This archive contained a CHM file with JavaScript code that launched an obfuscated PowerShell script designed to install the SPECTR malware and the new FIRMACHAGENT program. These components enabled data theft, document exfiltration, screenshot capture, and theft of browser data; scheduled tasks were used to manage the malware components. Reducing the attack surface by limiting user privileges and implementing application whitelisting policies can mitigate this threat.",
  "published": "2024-08-23T06:56:42+00:00",
  "created_at": "2024-08-23T06:56:42+00:00",
  "modified_at": "2024-08-23T07:02:09+00:00",
  "created_at_opencti": "2024-08-23T06:56:42+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2024-08-23",
    "data theft",
    "exfiltration",
    "firmachagent",
    "government",
    "malware",
    "powershell",
    "spectr",
    "ukraine"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "91.225.219.185"
      },
      {
        "id": "",
        "name": "171.22.120.50"
      },
      {
        "id": "",
        "name": "http://ukraero.space/jobs/upload"
      },
      {
        "id": "",
        "name": "http://ukraero.space/jobs/download"
      },
      {
        "id": "",
        "name": "http://prozorro.online/info/docx/recon"
      },
      {
        "id": "",
        "name": "http://prozorro.online/data/spysok_kursk.zip"
      },
      {
        "id": "",
        "name": "http://171.22.120.50/data/chrome_updater.txt"
      },
      {
        "id": "",
        "name": "http://171.22.120.50/data/USB.txt"
      },
      {
        "id": "",
        "name": "http://171.22.120.50/data/Social.txt"
      },
      {
        "id": "",
        "name": "http://171.22.120.50/data/Screen.txt"
      },
      {
        "id": "",
        "name": "http://171.22.120.50/data/IDCLIPNET_x86.txt"
      },
      {
        "id": "",
        "name": "http://171.22.120.50/data/Files.txt"
      },
      {
        "id": "",
        "name": "http://171.22.120.50/data/Browser.txt"
      },
      {
        "id": "",
        "name": "ukraero.space"
      },
      {
        "id": "",
        "name": "prozorro.online"
      },
      {
        "id": "",
        "name": "f94b8d2391b53dfb96035a2ba628224c3bfedf77021c896b64a0d7c8f2121e17"
      },
      {
        "id": "",
        "name": "f00c85d9db7a2a2bf248771b8d81d978fa6d2153e6a3095d9c5896b604e9d00d"
      },
      {
        "id": "",
        "name": "eef9f73dc7e0cdd4b1780ecd20845496a91e0f1c096264208d991935c5e97308"
      },
      {
        "id": "",
        "name": "ea1945d887cbe8a56234cec6da2c46ed7a28ae6a69fd49181b3d13a71943ffd9"
      },
      {
        "id": "",
        "name": "d44ff1bd3c7ff81228548c82ea68c33bdea780772ce55dc4be2d4156985a326a"
      },
      {
        "id": "",
        "name": "d16239cfbee14a8621637934aebe2d5253fea04940d2eb082bd8dcdc41111d4b"
      },
      {
        "id": "",
        "name": "b95ef984bfb22c55881931b134deaf1b848fbfda4180fc393b9f532f51089cbb"
      },
      {
        "id": "",
        "name": "ad30e29ba883c3f528d2782dbc3d1b5258815b619c6dfc3639fee416cf27fb1f"
      },
      {
        "id": "",
        "name": "8d4808ed167ac91724e8ab4da24bcc3bd2159a4972c212a1cd4062f02a3731d0"
      },
      {
        "id": "",
        "name": "8987952745a8d46a8f2e6d1666cc9c542b6a9a96787ef467c76b779a8b6c1a66"
      },
      {
        "id": "",
        "name": "8612668466f9c8a180e0e9a3c92c85a03788f2f0bb3c6bf70f52c356e02702db"
      },
      {
        "id": "",
        "name": "6a18392e3e062ce0fcd4688c0b09e482855cf709eb178437d8fe2cdc9cfdf51f"
      },
      {
        "id": "",
        "name": "68fe595237eec1261184a5f3a00cc0f678a33751615796942001997575887557"
      },
      {
        "id": "",
        "name": "3e6c13f9e4cee9b8d55d7a83fd3c3d5d6d09b6c477c4f84fd79db6cc8de7ea42"
      },
      {
        "id": "",
        "name": "4d8918cfcc97ca63666937e5d53373793f3695a2b1177e27a78aa34303c2ee80"
      },
      {
        "id": "",
        "name": "21c33c8365218b7fb1bbb0d45af77926877fb33384ef58fbbb6db04b9df55eb6"
      },
      {
        "id": "",
        "name": "087158ad28080ef438047b88896dfa1962d1cd6fed8fce06e35c25f91ad5f1ff"
      },
      {
        "id": "",
        "name": "180f9a2d3de0b5f031408797286837bb4b10b2a6d8797cf985347f5d80f9e4a0"
      }
    ],
    "malware": [
      {
        "id": "legacy:malware:694617a96897755a",
        "name": "FIRMACHAGENT",
        "slug": "firmachagent"
      },
      {
        "id": "legacy:malware:32777eefa86a7bce",
        "name": "SPECTR",
        "slug": "spectr"
      }
    ],
    "intrusion_sets": [
      {
        "id": "fccaa42c-58bf-4a81-8f60-f98c543182c8",
        "name": "Unknown",
        "slug": "unknown"
      }
    ],
    "attack_patterns": [
      {
        "id": "e9e1d2b9-b5ed-4272-bd92-27c9bcb1fb29",
        "name": "T1180"
      },
      {
        "id": "146a6f45-ec55-4d0e-a38c-1b614c3f72d2",
        "name": "T1193"
      },
      {
        "id": "eb60c94a-2d33-4605-ab3f-982fac7c223b",
        "name": "T1022"
      },
      {
        "id": "603dec1d-5be8-4f66-9f24-18192e20f444",
        "name": "T1094"
      },
      {
        "id": "5e7cb3d2-6a97-48b2-bdd2-f11eee10f6dc",
        "name": "T1137"
      },
      {
        "id": "3be1a227-bbd0-4e76-9422-40e4078224f9",
        "name": "T1007"
      },
      {
        "id": "f6ceeba2-b50c-47dc-8642-ab9842ca76d7",
        "name": "T1018"
      },
      {
        "id": "93b2c4dd-5523-4464-8976-78754ee372fd",
        "name": "T1012"
      },
      {
        "id": "926a888c-190c-4efb-ab6b-f9d7e6a0fc54",
        "name": "T1547"
      },
      {
        "id": "29398669-98ed-4766-9dac-f9632f7175ff",
        "name": "T1518"
      },
      {
        "id": "70616b2f-4019-4963-b758-5d9f6f20e201",
        "name": "T1082"
      },
      {
        "id": "cbd87c8c-3bed-461a-acef-56ffc8b87571",
        "name": "T1105"
      },
      {
        "id": "c12e0e03-aab0-4646-a929-e921a3d27f02",
        "name": "T1219"
      },
      {
        "id": "14da8ebf-e0b0-4d4e-9c83-56277980f266",
        "name": "T1134"
      },
      {
        "id": "7d7ac733-6442-416f-8669-c302dd0843b9",
        "name": "T1036"
      },
      {
        "id": "50514c04-b3a2-4abf-a855-e3a434200c87",
        "name": "T1204"
      },
      {
        "id": "bb20a9e1-f4f6-459d-94f4-470c6867dc2d",
        "name": "T1053"
      },
      {
        "id": "0b2b1ecd-d52e-492a-af08-050954bc03e5",
        "name": "T1056"
      },
      {
        "id": "9f11a241-9abc-4c57-95dd-33955ab08826",
        "name": "T1078"
      },
      {
        "id": "9b6064e6-a05b-4e95-baf5-34d180bc9221",
        "name": "T1059"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "Ukraine"
      }
    ]
  },
  "external_refs": [
    "https://otx.alienvault.com/pulse/66c84eca6298cd5a4bb0ec77"
  ]
}