Recently we catched a NATO-themed malicious lure document to be likely associated with a new PRIMITIVE BEAR operation conducted against Ukrainian defense and government agencies. According to its metadata, the document is newly created (exactly on 22/07/2019) and aims to replicate an official press release from the Main Directorate of Intelligence of the Ukrainian Ministry of Defense.
The press release concerned a meeting between representatives of the Ukrainian Ministry of Information Policy, the Ukrainian Ministry of Foreign Affairs, the Ukrainian National Institute for Strategic Studies, and NATO’s Strategic Communications division.
It’s originally entitled
“Представники ГУР МО України провели брифінг для експертів зі
стратегічних комунікацій країн – членів НАТО”
or, translated from original,
“Representatives of the Ministry of Defense of Ukraine held a briefing for experts from strategic communications of NATO member states“
and it refers to a real event held on July 20, 2019.
The content of the malicious document appears as the following:
It is armed with macro code aimed at downloading and executing a second stage payload through MSXML2 and WScript on the activation of sub Document_Open. It is worth pointing out that this macro creates a custom C2 URL for each victim that executes it, with the following format
hxxp://wifc.website/<computer name>_<C:volume serial/ExelCreate_v.701E9CFA.sms
Following a frame of the macro code used
At the time of analysis, the malicious domain name is pointing to 5.252.193[.]204, as reported following
Further investigation on the associated IP address reveals an already known threat history. Like many recent cases in which this threat group was involved, the second stage is composed by an archive that acts as implanter and downloader of further malicious components.
As can be observed in the following frame, the 1st stage code is designed to create new files and lauch them under the path
A version of wget.exe is copied under
with a .vbs and .cmd file having similar file names.
A scheduled task pointing a .vbs file previously created is then added and executed every 30 mins.
The .vbs file is designed to lauch the .cmd file. It acts as downloader requesting another custom created URL for each victim to the domain name bitsadmin8.space. The onsite request makes use of the following user-agent
Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
Finally, we observed the last infection stage to be composed of a variant of UltraVNC software. Observing UltraVNC in incidents related to PRIMITIVE BEAR is not uncommon. Indeed, it has been widely used for many years by this threat group
Unlike other threat actors, PRIMITIVE BEAR seems exclusively focused on compromise targets belonging to a single nation: Ukraine. Artifacts and TTPs of the group did not change so much regarding 1st and 2nd stage implanters. From a technical point of view, they may appear unsophisticated in creating their malware samples, but very often they achieve a low detection rate employing open source, scripts and commercial RAT tools like UltraVNC to perform their operations.
Additional Indicators of Compromise (IoC) and Yara / Snort rules are available by subscribing a Telsy CTI service.