February 1, 2024 at 03:56PM
A Russian advanced persistent threat (APT) group, believed to be related to Shuckworm, has initiated a targeted PowerShell attack campaign against the Ukrainian military using a newly discovered backdoor, STEADY#URSA. The attackers employ various evasion and obfuscation techniques, and their approach involves distributing malicious payloads through phishing emails and USB drives. The attack utilizes off-disk/PowerShell stagers for execution and communication via Telegram for command and control. The attack exhibits similarities with previous cyber campaigns against the Ukrainian military and highlights the growing sophistication of state-backed malicious actors in conflicts. Organizations are advised to implement proactive measures such as user education programs, strict policies, and enhanced security solutions to mitigate risks.
Based on the meeting notes, the key takeaways are as follows:
1. A sophisticated Russian advanced persistent threat (APT) has targeted the Ukrainian military using a PowerShell attack campaign known as STEADY#URSA.
2. The attack employs a newly discovered SUBTLE-PAWS PowerShell-based backdoor to infiltrate and compromise targeted systems, allowing threat actors to gain unauthorized access, execute commands, and maintain persistence within compromised systems.
3. The malicious campaign involves distributing a payload through compressed files delivered via phishing emails and utilizing USB drives for distribution and lateral movement of the malware, bypassing the need for direct network access, which is difficult given Ukraine’s air-gapped communications such as Starlink.
4. The SUBTLE-PAWS backdoor differentiates itself by relying on off-disk/PowerShell stagers for execution, avoiding traditional binary payloads, and employing additional layers of obfuscation and evasion techniques.
5. The malware establishes command and control (C2) by communicating via Telegram with a remote server, using adaptive methods such as DNS queries and HTTP requests with dynamically stored IP addresses.
6. The targeted entity executes a malicious shortcut (.lnk) file, initiating the loading and execution of a new PowerShell backdoor payload code.
7. Proactive measures recommended include implementing user education programs, increasing awareness around the use of malicious .lnk payloads on external drives, enforcing strict policies on user file decompression, and implementing device control policies to restrict unauthorized USB usage.
8. To enhance log detection coverage, recommended actions include deploying additional process-level logging, such as Sysmon and PowerShell logging, enforcing strict application whitelisting policies, and implementing enhanced email filtering, system monitoring, and endpoint detection and response solutions.
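As an added defender-side illustration (not code from the report or from the original notes), the following Python flags Sysmon Event ID 1 process-creation records that look like a PowerShell stager launched by a user from a removable drive: it combines the explorer.exe parent typical of a double-clicked .lnk, hidden-window or policy-bypass flags, and a removable drive letter. Field names follow Sysmon's schema; the sample events, the set of drive letters treated as removable, and the two-indicator threshold are constructed assumptions.

```python
import json
import re

# Constructed Sysmon Event ID 1 (process-creation) records flattened to JSON
# lines. Field names follow Sysmon's schema; every path and value is made up.
SAMPLE_EVENTS = r"""
{"EventID": 1, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "powershell.exe -w hidden -ep bypass -File E:\\docs\\readme.ps1", "CurrentDirectory": "E:\\docs\\"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "powershell.exe", "CurrentDirectory": "C:\\Users\\alice\\"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\notepad.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "notepad.exe E:\\docs\\notes.txt", "CurrentDirectory": "E:\\docs\\"}
"""

POWERSHELL_IMAGES = ("powershell.exe", "pwsh.exe")
# Assumption: Sysmon does not record drive type, so the letters treated as
# removable are configured here; in practice derive them from device-control logs.
REMOVABLE_DRIVES = {"D", "E", "F"}
# Hidden window, execution-policy bypass, no-profile and encoded-command switches.
EVASION_FLAGS = re.compile(
    r"-(?:w(?:indowstyle)?\s+hidden|e(?:p|xecutionpolicy)\s+bypass|nop(?:rofile)?\b|e(?:c|nc|ncodedcommand)?\s)",
    re.IGNORECASE,
)
DRIVE_RE = re.compile(r"\b([A-Z]):\\", re.IGNORECASE)


def score_event(ev):
    """Return the reasons an Event ID 1 record resembles a user-launched
    PowerShell stager; an empty list means the event is not of interest."""
    image = ev.get("Image", "").lower()
    if ev.get("EventID") != 1 or not image.endswith(POWERSHELL_IMAGES):
        return []
    reasons = []
    # explorer.exe as parent means the user double-clicked something, e.g. a .lnk
    if ev.get("ParentImage", "").lower().endswith("\\explorer.exe"):
        reasons.append("powershell launched from explorer.exe (shortcut/double-click)")
    cmd = ev.get("CommandLine", "")
    if EVASION_FLAGS.search(cmd):
        reasons.append("hidden-window / policy-bypass / encoded flags on command line")
    seen = {m.group(1).upper() for m in DRIVE_RE.finditer(cmd + " " + ev.get("CurrentDirectory", ""))}
    if seen & REMOVABLE_DRIVES:
        reasons.append("references removable drive " + ",".join(sorted(seen & REMOVABLE_DRIVES)))
    return reasons


def detect(jsonl_text, min_reasons=2):
    """Parse JSON lines and return (event, reasons) pairs with at least
    min_reasons indicators; an explorer parent alone is too noisy to alert on."""
    hits = []
    for line in jsonl_text.strip().splitlines():
        if line.strip():
            ev = json.loads(line)
            reasons = score_event(ev)
            if len(reasons) >= min_reasons:
                hits.append((ev, reasons))
    return hits


if __name__ == "__main__":
    for ev, reasons in detect(SAMPLE_EVENTS):
        print(ev["CommandLine"], "->", "; ".join(reasons))
```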
Additionally, it was noted that the ongoing ground war in Ukraine extends to the digital realm, with examples of cyberattacks perpetrated against Ukraine’s mobile telecom operator and the Ukrainian military by Russian threat actors. The evolving sophistication of these cyber threats indicates that state-backed malicious actors are modernizing their malware techniques and collaborating to launch more complex attacks.
Please let me know if you need further details or have any specific questions related to the meeting notes.