Turla’s New DeliveryCheck Backdoor Breaches Ukrainian Defense Sector

July 20, 2023 | THN | Cyber Attack / Malware


Defense sectors in Ukraine and Eastern Europe are being targeted with a new .NET-based backdoor, DeliveryCheck (aka CAPIBAR or GAMEDAY), that can deliver next-stage payloads.

Microsoft’s threat intelligence team, working with Ukraine’s Computer Emergency Response Team (CERT-UA), has attributed the attacks to Turla, a Russian nation-state actor that is also tracked as Iron Hunter, Secret Blizzard (formerly Krypton), Uroburos, Venomous Bear, and Waterbug, and is associated with the Russian Federal Security Service (FSB).

“DeliveryCheck is distributed via email as a document containing malicious macros,” the company said in a series of tweets. “It persists via a scheduled task that downloads it into memory and launches it. It also connects to a C2 server to retrieve tasks, which may include launching the …”

Successful initial access is sometimes also followed by deployment of Kazuar, a known Turla implant capable of stealing application configuration files, event logs, and a wide range of data from web browsers.

The ultimate goal of the attack is to steal messages from the Signal messaging app for Windows, giving the attacker access to sensitive conversations, documents, and images on the targeted system.

DeliveryCheck is also notable for its server-side component: on compromised Microsoft Exchange servers it is installed using PowerShell Desired State Configuration (DSC), a PowerShell management platform that lets administrators automate the configuration of Windows systems.

“DSC generates a Managed Object Format (MOF) file containing a PowerShell script that loads an embedded .NET payload into memory, effectively turning a legitimate server into a malware C2 center,” explained Microsoft.
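The behaviour Microsoft describes leaves an artifact a defender can look for: a DSC MOF whose embedded PowerShell decodes and loads a .NET assembly in memory rather than configuring anything. The following triage script is an added example written for this page, not Microsoft’s or CERT-UA’s tooling, and it is not derived from DeliveryCheck’s real MOF. The sample MOF, the resource names and the base64 stub are constructed; the indicator patterns are generic in-memory-loading tells (reflective `Assembly.Load`, `FromBase64String`, a base64-encoded PE header, download and `Invoke-Expression` calls), not DeliveryCheck-specific signatures.

```python
"""Triage DSC MOF files for embedded in-memory .NET loaders (added example)."""
import re
import sys
from typing import Dict, List

# Constructed sample modelled on the layout DSC writes for a Script resource.
# The ResourceID, configuration name and base64 stub are invented for this
# example; "TVqQ" is simply base64 for the "MZ\x90\x00" start of a PE file.
SAMPLE_MOF = r'''
instance of MSFT_ScriptResource as $MSFT_ScriptResource1ref
{
 ResourceID = "[Script]StageLoader";
 GetScript = "@{ Result = 'ok' }";
 TestScript = "$false";
 SetScript = "$b = [Convert]::FromBase64String(\"TVqQAAMAAAAEAAAA\"); [System.Reflection.Assembly]::Load($b).EntryPoint.Invoke($null, $null)";
 ModuleName = "PSDesiredStateConfiguration";
 ModuleVersion = "1.0";
 ConfigurationName = "StageLoader";
};

instance of MSFT_FileDirectoryConfiguration as $MSFT_FileDirectoryConfiguration1ref
{
 ResourceID = "[File]LogDir";
 DestinationPath = "C:\\Logs";
 Ensure = "Present";
 Type = "Directory";
 ModuleName = "PSDesiredStateConfiguration";
 ModuleVersion = "1.0";
 ConfigurationName = "StageLoader";
};
'''

# Generic signs of PowerShell that stages code in memory. Any one of them in a
# configuration document is worth a look; several together are a strong lead.
INDICATORS = {
    "reflective_assembly_load": re.compile(r"\[(System\.)?Reflection\.Assembly\]::Load", re.I),
    "base64_decode": re.compile(r"\[(System\.)?Convert\]::FromBase64String", re.I),
    "pe_header_b64": re.compile(r"TVqQ"),
    "download": re.compile(r"DownloadString|DownloadData|Invoke-WebRequest|Net\.WebClient", re.I),
    "invoke_expression": re.compile(r"\b(Invoke-Expression|IEX)\b", re.I),
}


def parse_mof_instances(mof_text: str) -> List[Dict[str, str]]:
    """Split a MOF into instances and their string-valued properties.

    Each property is expected on one line ("Name = \"value\";"), which is how
    DSC emits Script resources; multi-line string values are not handled.
    """
    instances = []
    for m in re.finditer(r"instance of (\w+)(?: as \$\w+)?\s*\{(.*?)\};", mof_text, re.S):
        props = {"__class__": m.group(1)}
        for line in m.group(2).splitlines():
            pm = re.match(r'\s*(\w+)\s*=\s*"(.*)";\s*$', line)
            if pm:
                props[pm.group(1)] = pm.group(2)
        instances.append(props)
    return instances


def triage_mof(mof_text: str) -> List[Dict[str, object]]:
    """Return one finding per instance whose properties hit any indicator."""
    findings = []
    for inst in parse_mof_instances(mof_text):
        hits: Dict[str, List[str]] = {}
        for name, value in inst.items():
            if name == "__class__":
                continue
            for ind_name, rx in INDICATORS.items():
                if rx.search(value):
                    hits.setdefault(ind_name, []).append(name)
        if hits:
            findings.append({
                "class": inst["__class__"],
                "resource": inst.get("ResourceID", "?"),
                "configuration": inst.get("ConfigurationName", "?"),
                "indicators": hits,
            })
    return findings


def triage_mof_file(path: str) -> List[Dict[str, object]]:
    """Read a MOF from disk (UTF-16 with BOM or UTF-8) and triage it."""
    raw = open(path, "rb").read()
    text = raw.decode("utf-16") if raw[:2] in (b"\xff\xfe", b"\xfe\xff") else raw.decode("utf-8", "replace")
    return triage_mof(text)


if __name__ == "__main__":
    # With no arguments, run against the constructed sample.
    targets = sys.argv[1:]
    results = [(p, triage_mof_file(p)) for p in targets] if targets else [("<sample>", triage_mof(SAMPLE_MOF))]
    for path, findings in results:
        for f in findings:
            print(f"{path}: {f['resource']} ({f['class']}) in {f['configuration']}: {f['indicators']}")
```

On a host, point it at the MOFs the Local Configuration Manager keeps under `%SystemRoot%\System32\Configuration` (`Current.mof`, `Pending.mof`, `Previous.mof`). A Script resource is a legitimate DSC feature, so a hit is a triage lead, not a verdict; the stronger signal is context: an Exchange server that nobody manages with DSC should not have any applied configuration at all, let alone one whose `SetScript` decodes a PE and calls `Assembly.Load`.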


The disclosure came as Ukraine’s cyber police dismantled a large-scale bot farm, belonging to more than 100 individuals allegedly involved in various fraudulent schemes, that spread hostile propaganda justifying Russia’s aggression and leaked the personal information of Ukrainian citizens.

As part of the operation, 21 locations were raided and computer equipment, mobile phones, more than 250 GSM gateways and about 150,000 SIM cards from various mobile operators were seized.
