Targeted Spear Phishing outbreak in Ukraine (SageCrypt ransomware?)
A friend from a large Ukrainian enterprise approached me on Aug 22 to tell me about a targeted spear phishing attack apparently going on across the country. I had heard a few scattered similar signals since Friday, Aug 18, but had no details on what was going on.
In their case, my friend told me, the attackers had been masquerading as a legitimate business partner: while the email carrying the payload was sent from the ukrpost.net free email provider, the From: and Reply-To: headers contained legitimate email addresses of one of the companies they frequently communicate with.
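As an added example (not part of the original post), here is a small Python check for exactly that header pattern: it compares the envelope sender domain with the From: and Reply-To: domains and lists the attachments, so a mail gateway or an analyst script can flag a message whose displayed identity is not backed by the sending domain. The sample messages, addresses and the attachment name are constructed for illustration; the post does not say which header revealed ukrpost.net, so treating Return-Path as the envelope sender is an assumption of this example.

```python
import email
from email.utils import parseaddr

# Constructed sample: envelope sender on a free mail provider, but From: and
# Reply-To: claim a (fictional) business partner's domain.
SUSPICIOUS = """\
Return-Path: <office.partner@ukrpost.net>
Received: from mail.ukrpost.net (mail.ukrpost.net [192.0.2.10]) by mx.victim.example
From: Accounting <accounting@partner-firm.example>
Reply-To: accounting@partner-firm.example
To: finance@victim.example
Subject: Invoice and bank details
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please see the attached invoice.
--b1
Content-Type: application/x-7z-compressed; name="docs.7z"
Content-Disposition: attachment; filename="docs.7z"

(archive bytes omitted)
--b1--
"""

# Constructed sample: a plain message where all three domains agree.
LEGIT = """\
Return-Path: <accounting@partner-firm.example>
From: Accounting <accounting@partner-firm.example>
To: finance@victim.example
Subject: Meeting next week

No attachment here.
"""

# Archive and script attachments are the containers this campaign used.
RISKY_SUFFIXES = (".7z", ".zip", ".rar", ".js", ".jse", ".wsf")


def _domain(header_value):
    """Lower-cased domain of the first address in a header ('' if absent)."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def sender_mismatch(raw_message):
    """Compare the envelope sender (Return-Path, assumed) with From: and Reply-To:.

    'mismatch' is True when From: or Reply-To: name a domain the envelope
    sender does not belong to, i.e. the displayed identity is unbacked.
    """
    msg = email.message_from_string(raw_message)
    envelope = _domain(msg.get("Return-Path"))
    sender = _domain(msg.get("From"))
    reply_to = _domain(msg.get("Reply-To")) or sender
    mismatch = bool(envelope) and (envelope != sender or envelope != reply_to)
    return {"envelope": envelope, "from": sender,
            "reply_to": reply_to, "mismatch": mismatch}


def attachment_names(raw_message):
    """File names of all parts that carry a filename."""
    msg = email.message_from_string(raw_message)
    return [p.get_filename() for p in msg.walk() if p.get_filename()]


def is_suspicious(raw_message):
    """Heuristic used here: unbacked From:/Reply-To: plus an archive or script attachment."""
    names = attachment_names(raw_message)
    risky = any(n.lower().endswith(RISKY_SUFFIXES) for n in names)
    return sender_mismatch(raw_message)["mismatch"] and risky


if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS), ("legit", LEGIT)):
        print(label, sender_mismatch(raw), attachment_names(raw), is_suspicious(raw))
```

The check is deliberately narrow: a Reply-To: pointing at a partner domain is normal business mail when the envelope sender also belongs to that partner, so only the combination of an unbacked identity and an archive/script attachment is flagged. Mailing lists and legitimate forwarding services also produce envelope/From mismatches, which is why this belongs in a triage score rather than a hard block.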
The attachment was a 7zip archive of three files (SHA-1 hash, then file name; the Ukrainian names translate roughly to "Certificate", "Invoice" and "Bank details"):
59b9408cc92f71cd5ac151ef6ca7f09600d26dc9 Довідка.pdf
7aaf6368b14d6a406bdaf6d506f5883d8b5a4f38 Рахунок.js
ccd9702a2bdb349893b59b1ad5d4ed5a65b5fa9e реквізити.doc
The JS file caught my attention. It is a primitively obfuscated JS payload that appears to download an executable
a60dbff9b58a3d95a59046172cf992a67b4fe3ef load.exe
from three apparently compromised domains:
cfm.com.ua
nolovenolivethiiswarinworld.com
crystalmind.ru
The first domain belongs to (surprise) a local Ukrainian software firm that focuses on finance and accounting. The path to load.exe on its website was swiftly blocked by the web-hosting provider, perhaps in reaction to the abuse report another friend of mine filed yesterday.
The executable is detected as SageCrypt by quite a few antivirus engines. SageCrypt is a private partner crypto-ransom tool that, from what I've heard from the threat-intel people I hang with, is not very frequently used against targets in the former USSR, because its vendors openly don't approve of it. Guess why, huh?
From what I've seen so far, I'm not ready to jump to any conclusions on attribution. However, this activity looks pretty well planned and seems to rely on a lot of Ukraine-related input data collected in previous attacks. My gut feeling is: the attackers know the region really well and have access to deeply "local" resources.
The attack is closely followed by a few labs out there. It looks like OpenDNS is already blocking access to its attack infrastructure. You can also temporarily block access to the files and execution of the scripts/executables via Microsoft ATP. The JS writes a local .exe named with a random number from 1 to 1000 (e.g. 964.exe) and runs it. Note also that the actual execution of the file is issued via `cmd /c` with two spaces before the command switch, which is a handy indicator for hunting in process-creation telemetry. The number of AV engines that catch it grows every hour, though I saw a 3/63 detection rate on VirusTotal yesterday when it just started.
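To turn the two host-side indicators above (the `cmd /c` invoked with a doubled space, and a dropped executable whose name is a bare number from 1 to 1000) into something you can run over process-creation logs, here is an added example that is not from the original post. It scans constructed Sysmon-style events; the %TEMP% drop location and the assumption that the .js ran under the Windows Script Host (wscript.exe/cscript.exe) are mine, the post does not state either.

```python
import re

# Indicator 1: "cmd /c" (or "cmd.exe /c") with two or more spaces before the switch.
DOUBLE_SPACE_CMD = re.compile(r'\bcmd(?:\.exe)?\s{2,}/c\b', re.IGNORECASE)

# Indicator 2: an executable whose base name is nothing but an integer, e.g. 964.exe.
# The preceding character must be a path separator, whitespace, a quote or start
# of string, so that setup2016.exe does not match.
NUMERIC_EXE = re.compile(r'(?:^|[\\/\s"])(\d{1,4})\.exe\b', re.IGNORECASE)

# Indicator 3 (assumption): the dropper .js runs under the Windows Script Host.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

# Constructed Sysmon-like process creation events (Event ID 1 fields).
SAMPLE_EVENTS = [
    {   # the pattern described in the post; %TEMP% drop path is an assumption
        "ParentImage": r"C:\Windows\System32\wscript.exe",
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r"cmd  /c C:\Users\alice\AppData\Local\Temp\964.exe",
    },
    {   # ordinary interactive shell use
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r"cmd /c dir",
    },
    {   # a number inside a normal product name must not fire the numeric-name rule
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r"cmd /c C:\Installers\setup2016.exe /quiet",
    },
]


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def indicators(event):
    """Names of the indicators that fire on one process-creation event."""
    cmd = event.get("CommandLine", "")
    hits = []
    if DOUBLE_SPACE_CMD.search(cmd):
        hits.append("cmd_double_space")
    for m in NUMERIC_EXE.finditer(cmd):
        if 1 <= int(m.group(1)) <= 1000:      # the post's stated range
            hits.append("numeric_exe_name")
            break
    if _basename(event.get("ParentImage", "")) in SCRIPT_HOSTS:
        hits.append("script_host_parent")
    return hits


def triage(events):
    """(command line, indicators) for every event that fires at least one indicator."""
    flagged = []
    for e in events:
        hits = indicators(e)
        if hits:
            flagged.append((e.get("CommandLine", ""), hits))
    return flagged


if __name__ == "__main__":
    for line, hits in triage(SAMPLE_EVENTS):
        print(hits, line)
```

Two caveats for anyone wiring this into a SIEM: the doubled space is a fragile indicator that disappears if a log pipeline normalises whitespace in CommandLine, so check the raw field; and a bare numeric .exe name on its own is only mildly unusual, so score it together with the script-host parent rather than alerting on it alone.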
The fun thing is that the JS has an IF clause guarding the execution (note the date: 29 cannot be a month, so the string is not in ISO year-month-day order):
`if(dates < '2017–29–09 20:19:34'){`
The only readable string in load.exe apart from its .NET manifest is the path
C:\backward\inch\enumeration\Atmel\neces.pdb
and I frankly have no idea what it is.
Be safe.
P.S. The docs spread with the payload look like this:


