For a few months Cluster25 collected and analyzed several malicious activities which then were internally linked with the threat actor known as UNC1151 (aka GhostWriter), an adversary believed to be linked to the Belarusian government. In July 2020 Mandiant Threat Intelligence released a public report about an ongoing influence campaign named “GhostWriter“. The campaign was addressed to audiences in Lithuania, Latvia and Poland making use of critical messages against the NATO’s presence in Eastern Europe.

In addition to this type of operations, UNC1151 seems to be further active also in the compromise of objectives of strategic importance. On March 4, 2022, Cluster25 collected a malicious document designed to spread malware for espionage purposes against targets located in Ukraine that displays the logos of the Ukrainian President’s office and secret services with content relating to advice on dealing with the bombing.

INSIGHTS

The document is a Microsoft Compressed HTML Help (CHM) file named dovidka.chm. After extracting the file, it shows the following structure:

dividka.chm contains a file named file.htm that in its turn contains obfuscated vbscript (VBS) code as reported following:

C:UsersPublicFavoritesdesktop.ini

then it writes a second VBS script under the path

C:UsersPublicignit.vbs

After that, it runs the latter script, deletes it and finally runs the command

wscript.exe //B //E:vbs C:UsersPublicFavoritesdesktop.ini

The script ignit.vbs decodes and writes the following files:

• C:UsersPublicLibrariescore.dll
• C:UsersPublicFavoritesdesktop.ini
• C:ProgramDataMicrosoftWindows Start MenuProgramsStartupWindows Prefetch.lnk

The desktop.ini file runs the following command, which executes the file core.dll with the Microsoft Assembly Registration Tool (Regasm.exe):

C:WindowsMicrosoft.NETFrameworkv4.0.30319regasm.exe  /U “C:UsersPublicLibrariescore.dll”

MICROLOADER

The file core.dll is a DLL file in .NET code compiled on Monday January 31^st 2022 at 15:00:46 UTC. Code obfuscation and anti-tampering techniques have been used to hinder the analysis. The kind of anti-tampering techniques  used shows similarities with the use of the open-source code-protector tool for .NET named ConfuserEx. This is because several methods appear as empty and decompilation exceptions are present when the file is open in tools such as dnSpy, as reported in the image below:

We thought to make the code a little more readable by setting a breakpoint after the anti-tamper method (first method in the constructor) and by replacing the method with NOPs to finally save and reopen the module in dnSpy. This is necessary since the method is responsible for changing the RVA values of the methods. After this is executed, the values are correct, so it is possible to dump the new version of the DLL, but it is also necessary to avoid the anti-tamper method to be called in the next execution, otherwise it would change the values again.

MICROBACKDOOR

The piece of code in the new thread it’s basically meant to perform a connection to the domain xbeta[.]online attested on IP address 185.175.158[.]27. 

• id
• info
• ping
• exit
• upd
• uninst
• exec
• shell
• flist
• fget
• fput
• screenshot

The implant is able to perform any classic operation in support of activities aimed at espionage, such as collecting data relating to the machine in which it is operating, downloading and transferring files, executing arbitrary commands, capturing screenshots etc. etc.

CONCLUSIONS

The relations between Russia and Belarus date back in 1991 with the signing of the Belovezh Accords on the ending of the USSR and the establishment of the Commonwealth of Independent States (CIS). In the actual conflict going on in Ukraine more than once Minsk showed its support to Moscow even if publicly Lukashenko said that he’ll avoid the participation of Belarusian soldiers. In case of an escalation it’s likely that Belarus will assist Russia militarily. On the basis of the above, however, it seems that the Belarusian government is already openly participating in offensive operations in the cyber domain by protecting Russian interest.

INDICATORS OF COMPROMISE

ATT&CK MATRIX

DETECTION