One Article Review
| Source |  Fortinet ThreatSignal |
|---|---|
| Identifiant | 4252509 |
| Date de publication | 2022-03-09 18:28:40 (vue: 2022-03-10 03:05:25) |
| Titre | MicroBackdoor Used in Attacks Against Ukraine Organizations |
| Texte | FortiGuard Labs is aware of a report from CERT-UA that Ukrainian organizations are under cyberattacks that aim to install a publicly available backdoor named "MicroBackdoor." The cyberattacks are attributed to APT group "UAC-0051", also known as unc1151, who has reportedly acted for Belarusian government's interests in the past.Why is this Significant?This is significant because, according to CERT-UA, Ukraine organizations were attacked by an APT group whose past activities are said to be aligned with Belarusian government's interests.What's the Detail of the Attack?Unfortunately, the initial attack vector is unknown. What's known is that the victims received "dovidka.zip", which contains "dovidka.chm". The CHM file contains two files. An image.jpg is an image file used as a decoy. Another file is file.htm, which creates "ignit.vbs". The VBS file decodes three files: "core.dll," "desktop.ini" and "Windows Prefetch.lnk." The LNK file launches the INI file using wscript.exe. Then, the INI file runs the DLL using regasm.exe. The core.dll is a .NET loader that decodes and executes MicroBackdoor on the compromised machine.What is MicroBackdoor?MicroBackdoor is a publicly available backdoor that receives commands from a Command and Control (C2) server and performs various activities.According to the description on the MicroBackdoor repository"Micro Backdoor client supports 32-bit and 64-bit versions of Windows XP, Vista, 7, 8, 8.1, 10, Server 2003, Server 2003 R2, Server 2008, Server 2008 R2, Server 2012, Server 2012 R2, Server 2016 and Server 2019 of any editions, languages and service packs."What is the Status of Coverage?FortiGuard Labs provide the following AV coverage against available files involved in the attack:PossibleThreat.PALLAS.HVBS/Agent.OVE!trLNK/Agent.7AB4!trAll network IOCs are blocked by the WebFiltering client. |
| Envoyé | Oui |
| Condensat | 0051 2003 2008 2012 2016 2019 7ab4 according acted activities against aim aligned also another any apt are attack attack:possiblethreat attacked attacks attributed available aware backdoor because belarusian bit blocked cert chm client command commands compromised contains control core coverage creates cyberattacks decodes decoy description desktop detail dll dovidka editions exe executes file files files: following fortiguard from government group has htm hvbs/agent ignit image ini initial install interests involved iocs jpg known labs languages launches lnk loader machine micro microbackdoor named net network organizations ove packs pallas past performs prefetch provide publicly received receives regasm report reportedly repository runs said server service significant status supports then three trall trlnk/agent two uac ukraine ukrainian unc1151 under unfortunately unknown used using various vbs vector versions victims vista webfiltering what which who whose why windows wscript zip |
| Tags | |
| Stories | |
| Notes | |
| Move | 
|
L'article ne semble pas avoir été repris aprés sa publication.
L'article ne semble pas avoir été repris sur un précédent.