Recently we caught a NATO-themed malicious lure document that is likely associated with a new PRIMITIVE BEAR operation conducted against Ukrainian defense and government agencies. According to its metadata, the document was newly created (on 22/07/2019) and aims to replicate an official press release from the Main Directorate of Intelligence of the Ukrainian Ministry of Defense.

The press release concerned a meeting between representatives of the Ukrainian Ministry of Information Policy, the Ukrainian Ministry of Foreign Affairs, the Ukrainian National Institute for Strategic Studies, and NATO’s Strategic Communications division.

It is originally entitled

Представники ГУР МО України провели брифінг для експертів зі стратегічних комунікацій країн – членів НАТО

or, translated from the original,

Representatives of the Main Intelligence Directorate of the Ministry of Defense of Ukraine held a briefing for experts in strategic communications of NATO member states

and it refers to a real event held on July 20, 2019.

// Insights

The content of the malicious document appears as follows:

NATO-Themed PRIMITIVE BEAR lure document

It is armed with macro code that downloads and executes a second-stage payload through MSXML2 and WScript when the Document_Open sub runs. It is worth pointing out that this macro builds a victim-specific C2 URL for each host that executes it, with the following format:

hxxp://wifc.website/<computer name>_<C: volume serial>/ExelCreate_v.701E9CFA.sms

A frame of the macro code used follows:

At the time of analysis, the malicious domain name resolved to 5.252.193[.]204, as shown below:

Further investigation of the associated IP address reveals an already known threat history. As in many recent cases involving this threat group, the second stage is an archive that acts as an implanter and downloader of further malicious components.

As can be observed in the following frame, the first-stage code is designed to create new files and launch them under the path

%LOCALAPPDATA%/Microsoft/Feeds/{D957D492-1447-4250-8853-27E5446864E7}/


A version of wget.exe is copied to

%LOCALAPPDATA%/Microsoft/Feeds/{D957D492-1447-4250-8853-27E5446864E7}/S-1-5-21-1946307144-2816287778-3653288010-1000.exe

together with a .vbs and a .cmd file with similar file names.

A scheduled task pointing to the previously created .vbs file is then added and runs every 30 minutes.

The .vbs file launches the .cmd file, which acts as a downloader, requesting another victim-specific URL from the domain bitsadmin8.space. The request uses the following user-agent:

Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
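As an added defender-side example (not code from this report or from Telsy), the following Python script scans proxy log lines for the network indicators described above: the listed domains and IP, the victim-specific URL path shape built by the macro, and the iPhone user-agent sent by the .cmd downloader. The log format, client addresses, workstation name and volume serial are assumptions constructed for the example.

```python
import re
from urllib.parse import urlparse

# Network indicators listed in the report.
IOC_DOMAINS = {"wifc.website", "bitsadmin8.space", "redict.ddns.net"}
IOC_IPS = {"5.252.193.204"}
# Shape of the macro's victim-specific path (/<computer name>_<C: volume serial>/ExelCreate_v.701E9CFA.sms);
# the volume serial is 8 hex digits and the file name is matched loosely to catch renamed variants.
VICTIM_PATH_RE = re.compile(r"^/[\w\-]+_[0-9A-Fa-f]{8}/[\w\-]+_v\.[0-9A-Fa-f]{8}\.sms$")
# User-agent used by the .cmd downloader; an iPhone UA from a Windows workstation is itself a signal.
IPHONE_UA = ("Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) "
             "AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1")
# Assumed (constructed) proxy log format: <client> <method> <url> <server_ip> "<user-agent>"
LOG_RE = re.compile(r'^(?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<server>\S+) "(?P<ua>[^"]*)"$')

def classify(line):
    """Return the indicator names matched by one log line (empty list if nothing matched)."""
    m = LOG_RE.match(line.strip())
    if not m:
        return []
    url = urlparse(m.group("url"))
    hits = []
    if url.hostname in IOC_DOMAINS:
        hits.append("ioc_domain")
    if m.group("server") in IOC_IPS:
        hits.append("ioc_ip")
    if VICTIM_PATH_RE.match(url.path):
        hits.append("victim_specific_path")
    if m.group("ua") == IPHONE_UA:
        hits.append("iphone_ua")
    return hits

def scan(lines):
    """Map each client that triggered at least one indicator to the set of indicators seen."""
    findings = {}
    for line in lines:
        hits = classify(line)
        if hits:
            findings.setdefault(LOG_RE.match(line.strip()).group("client"), set()).update(hits)
    return findings

# Constructed sample log: first-stage beacon, .cmd downloader request, benign request (hosts and serial invented).
SAMPLE_LOG = [
    '10.0.0.15 GET http://wifc.website/DESKTOP-A1B2C3_1A2B3C4D/ExelCreate_v.701E9CFA.sms 5.252.193.204 "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1)"',
    '10.0.0.15 GET http://bitsadmin8.space/DESKTOP-A1B2C3_1A2B3C4D/update.sms 5.252.193.204 "' + IPHONE_UA + '"',
    '10.0.0.22 GET http://example.org/index.html 93.184.216.34 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"',
]

if __name__ == "__main__":
    print(scan(SAMPLE_LOG))
```

A host that matches several of these indicators together (domain, IP, path shape and the mobile user-agent on a Windows workstation) is a far stronger signal than any single one.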

Finally, we observed the last infection stage to be a variant of the UltraVNC software. Observing UltraVNC in incidents related to PRIMITIVE BEAR is not uncommon; indeed, it has been widely used for many years by this threat group.

// Conclusion

Unlike other threat actors, PRIMITIVE BEAR seems exclusively focused on compromising targets belonging to a single nation: Ukraine. The group's artifacts and TTPs have not changed much with regard to the first- and second-stage implanters. From a technical point of view, its malware samples may appear unsophisticated, but the group very often achieves a low detection rate by employing open-source tools, scripts and commercial RAT tools such as UltraVNC to carry out its operations.

// IoC

FOLDER: %LOCALAPPDATA%/Microsoft/Feeds/{D957D492-1447-4250-8853-27E5446864E7}

FILE: %LOCALAPPDATA%/Microsoft/Feeds/{D957D492-1447-4250-8853-27E5446864E7}/S-1-5-21-1946307144-2816287778-3653288010-1000.exe

FILE: %LOCALAPPDATA%/Microsoft/Feeds/{D957D492-1447-4250-8853-27E5446864E7}/S-1-5-21-1946307144-2816287778-3653288010-1000.cmd

FILE: %LOCALAPPDATA%/Microsoft/Feeds/{D957D492-1447-4250-8853-27E5446864E7}/S-1-5-21-1946307144-2816287778-3653288010-1000.vbs

IP: 5.252.193.204

FQDN: wifc.website

FQDN: bitsadmin8.space

FQDN: redict.ddns.net

SHA256: 79fd962eb0c256f32786dab4d42cb416f6c1e6766bf0e2dcafdf5ffa2c5e61c1

SHA256: d54efc2084b5fe74ac4c03a1b6d85b28fb18623b5fded7f6a055e0c6d22bf9e3

SHA256: cc727be7fc186b9dfc7199bf458b35b4c16caa7979dff896f1e586d89b41a05f

Additional Indicators of Compromise (IoC) and Yara / Snort rules are available by subscribing to a Telsy CTI service.