Russian Ukraine War Archives – Gridinsoft Blog
Welcome to the Gridinsoft Blog, where we share posts about security solutions to keep you, your family and business safe. Wed, 23 Nov 2022 09:18:27 +0000

Hacker Group XDSpy Distributes Malware in Russia under the Guise of Subpoenas for the Army
https://gridinsoft.com/blogs/hacker-group-xdspy/ Mon, 10 Oct 2022 11:34:25 +0000

The post Hacker Group XDSpy Distributes Malware in Russia under the Guise of Subpoenas for the Army appeared first on Gridinsoft Blog.

In early October, Kaspersky Lab experts recorded a targeted attack on Russian organizations: attackers from the XDSpy hacker group sent several hundred malicious emails allegedly related to the topic of the so-called “partial mobilization”.

Recall that dictator Vladimir Putin in September announced the mobilization into the armed forces of Russia against the backdrop of a series of defeats during the aggression against Ukraine.

[Image: “Partial mobilization” in Russia]

We also note that Kaspersky Lab may well be connected with Russian intelligence, so we do not recommend treating information from this company with full confidence, nor do we recommend using its products.

Let me remind you that we wrote that Cisco Hack Is Linked to Russian-Speaking Hackers from Evil Corp, and also that State Department Offers $1 million for Info on Russian Hackers.

The researchers write that in the first working week of October they discovered the distribution of malicious emails. These messages claimed that, because the recipient had refused to accept a conscription summons, they were required to appear urgently at the appointed place and time. More details were supposedly in the summons itself, delivered as a PDF that had to be downloaded from a link.

The letter is carefully prepared and looks believable: it cites articles of the Criminal Code of the Russian Federation and uses the heraldry and style of the relevant department. In the text, the attackers threaten the victims with fines and criminal liability.

The link to the fake summons leads to an archive containing an executable Windows Script File (.wsf). When the file is opened, it downloads and displays in the browser a PDF that imitates a scanned summons as a decoy, and in parallel writes the file AnalysisLinkManager.exe to the temporary folder and runs it.
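The chain above (a script host opens a decoy document, drops an executable in the temporary folder and runs it) leaves a process-tree signature that survives file names changing between campaigns. The Go program below is an added example, not code from the post or from Kaspersky: it walks a window of constructed process-creation events and flags an .exe started from a temp directory by wscript.exe or cscript.exe whose command line names a .wsf file. The event struct, the paths and the user name are assumptions for illustration.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// ProcEvent is a minimal process-creation record (the fields Sysmon Event
// ID 1 or EDR telemetry normally carry). Paths are Windows-style.
type ProcEvent struct {
	PID     int
	PPID    int
	Image   string // full path of the new process
	CmdLine string
}

// scriptHosts are the Windows Script Host binaries that run .wsf files.
var scriptHosts = map[string]bool{"wscript.exe": true, "cscript.exe": true}

// norm lower-cases a Windows path and flips backslashes so the path package
// can split it on any OS.
func norm(p string) string {
	return strings.ToLower(strings.ReplaceAll(p, `\`, "/"))
}

// isTempPath reports whether p lies in a per-user or system temp directory,
// where the lure script dropped AnalysisLinkManager.exe.
func isTempPath(p string) bool {
	n := norm(p)
	return strings.Contains(n, "/appdata/local/temp/") || strings.HasPrefix(n, "c:/windows/temp/")
}

// FindWSFDropChains returns one finding per process that (a) has a script
// host parent whose command line names a .wsf file and (b) is an .exe
// living in a temp directory. Events are matched on PID/PPID only, so the
// caller should pass a bounded time window to avoid PID reuse.
func FindWSFDropChains(events []ProcEvent) []string {
	byPID := make(map[int]ProcEvent, len(events))
	for _, e := range events {
		byPID[e.PID] = e
	}
	var findings []string
	for _, child := range events {
		parent, ok := byPID[child.PPID]
		if !ok {
			continue // parent started outside the window we were given
		}
		parentName := path.Base(norm(parent.Image))
		if !scriptHosts[parentName] || !strings.Contains(strings.ToLower(parent.CmdLine), ".wsf") {
			continue
		}
		childPath := norm(child.Image)
		if !isTempPath(childPath) || !strings.HasSuffix(childPath, ".exe") {
			continue
		}
		findings = append(findings, fmt.Sprintf("pid %d: %s launched %s from a temp directory (parent cmd: %s)",
			child.PID, parentName, path.Base(strings.ReplaceAll(child.Image, `\`, "/")), parent.CmdLine))
	}
	return findings
}

// SampleEvents is a constructed telemetry window that mirrors the chain
// described in the post; nothing here is taken from the Kaspersky report.
func SampleEvents() []ProcEvent {
	return []ProcEvent{
		{PID: 100, PPID: 1, Image: `C:\Windows\explorer.exe`, CmdLine: `explorer.exe`},
		// user opens the .wsf extracted from the downloaded archive
		{PID: 200, PPID: 100, Image: `C:\Windows\System32\wscript.exe`,
			CmdLine: `"C:\Windows\System32\wscript.exe" "C:\Users\user\Downloads\summons\summons.wsf"`},
		// the decoy: a PDF shown in the browser (not an .exe, so not flagged)
		{PID: 300, PPID: 200, Image: `C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe`,
			CmdLine: `msedge.exe "C:\Users\user\AppData\Local\Temp\summons.pdf"`},
		// the payload: an executable written to %TEMP% and started by the script
		{PID: 301, PPID: 200, Image: `C:\Users\user\AppData\Local\Temp\AnalysisLinkManager.exe`,
			CmdLine: `"C:\Users\user\AppData\Local\Temp\AnalysisLinkManager.exe"`},
		// benign: an installer run from %TEMP% by explorer, not by a script host
		{PID: 400, PPID: 100, Image: `C:\Users\user\AppData\Local\Temp\vendor_setup.exe`,
			CmdLine: `vendor_setup.exe /quiet`},
	}
}

func main() {
	for _, f := range FindWSFDropChains(SampleEvents()) {
		fmt.Println("ALERT", f)
	}
}
```

The benign installer in the sample shows why the parent check matters: executables run from %TEMP% are common, but a script host launching one straight after opening a .wsf from Downloads is the lure pattern, whatever the dropped file is called this year.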

It is noted that the malware and techniques used have many similarities with the XDSpy group’s toolset. In particular, the source code of the malicious WSF script and its launch methods, as well as some of the file names, match versions seen in previous years.

The goals of the XDSpy group are espionage, theft of documents and other files, and theft of credentials for corporate mailboxes.

“This campaign uses a number of techniques that allow attackers to penetrate and gain a foothold in the system: targeted phishing mailings, imitation of letters from regulators, use of the current news agenda, and display of the image that the user expects. This is traditional for XDSpy,” comments Andrey Kovtun, Head of the Mail Threat Protection Group at Kaspersky Lab.

We also recall that the best way for Russian soldiers and conscripts who have received a real summons and ended up on the territory of Ukraine to survive is to surrender to the Ukrainian armed forces.

Germans Interested in the Situation in Ukraine Are Attacked by the PowerShell RAT Malware
https://gridinsoft.com/blogs/powershell-rat-malware/ Wed, 18 May 2022 09:30:50 +0000

The post Germans Interested in the Situation in Ukraine Are Attacked by the PowerShell RAT Malware appeared first on Gridinsoft Blog.

An unknown attacker targeted German users interested in information about the Russian invasion of Ukraine, infecting them with a PowerShell RAT (remote access trojan) and stealing their data.

Let me remind you that we wrote that Hacker groups split up: some of them support Russia, others Ukraine, and also that Shuckworm hackers attack Ukrainian organizations with a new variant of Pteredo backdoor.

This malicious campaign uses a decoy website to lure the user to a fake news article promising unreleased information about the situation in Ukraine. The site hosts a malicious document that installs a RAT capable of remote command execution and file operations. The campaign was uncovered by Malwarebytes threat analysts, who published the details and indicators of compromise in their report.

The attacker registered the domain of the phishing site, collaboration-bw[.]de, after the real domain expired and cloned the look and feel of the original site.

A visitor to the site finds a malicious download called “2022-Q2-Bedrohungslage-Ukraine” (“2022 Q2 threat situation Ukraine”), purportedly with information about the situation in Ukraine.


According to the text, the document is constantly updated with new information and the user is strongly advised to download a fresh copy every day. The downloaded ZIP archive contains a CHM file (compiled HTML Help), which bundles several compiled HTML pages. A fake error message is shown when the file is opened.

Meanwhile, in the background, the file launches PowerShell with a Base64-encoded command; once decoded, it retrieves and executes the malicious code from the fake site.


As a result, the script downloads two files to the victim’s computer: the RAT disguised as a .txt file and a .cmd file that runs the malicious code through PowerShell.

The PowerShell RAT hides in Status.txt and begins its operation by collecting basic system information and assigning the victim a unique client ID. The stolen information is then exfiltrated to the German domain kleinm[.]de. To bypass Windows AMSI (Antimalware Scan Interface), the RAT uses an AES-encrypted bypass function that is decrypted at runtime with a generated key.

The main features of the RAT are the following:

  1. Downloading files from the C2 (command-and-control) server;
  2. Uploading files to the C2 server;
  3. Loading and executing a PowerShell script;
  4. Executing specific commands.

Malwarebytes does not give specific examples of the RAT being used in practice, so the goals of the campaign remain unknown.

“It is difficult to attribute malicious activity to a specific actor. Based on motivation alone, we surmise that a Russian attacker may be targeting German users, but without clear links in the infrastructure or resemblance to known TTPs,” Malwarebytes explains in the report.

Users need to be careful when downloading files from the Internet, as even well-known and previously trusted websites may have quietly changed owners. When it comes to news sites, an offer to download material in document format should be treated as a potential threat.

State Department Offers $1 million for Info on Russian Hackers
https://gridinsoft.com/blogs/state-department-reward/ Wed, 27 Apr 2022 11:09:41 +0000

The post State Department Offers $1 million for Info on Russian Hackers appeared first on Gridinsoft Blog.

The US State Department has announced a reward of up to 10 million dollars for information about six presumed Russian intelligence officers whom US authorities accuse of involvement in the 2017 NotPetya attacks.

The announcement states that the reward is intended for anyone who can provide information that helps identify or locate any of the people who, acting at the direction or on behalf of a foreign government, participated in attacks on US critical infrastructure.

The notice specifies that the wanted individuals are members of the hacker group known as Sandworm Team, Telebots, Iron Viking and Voodoo Bear. Washington ties the group to the infection of computers in the US and other countries with the NotPetya malware on June 27, 2017.

Earlier, the FBI made statements about hackers’ increased attention to American companies since the start of the Russian invasion of Ukraine. According to the Bureau, presumed Russian hackers scanned the networks of five American energy companies and at least 18 other US financial and defense-related companies.

Although the US authorities have no direct evidence of Russian threat actors attacking the US, President Joe Biden said on March 18 that Russia would most likely use its cyber warfare tools and was still exploring options for an attack.

In the context of the Russian invasion of Ukraine, the United States’ war on ransomware has taken on the features of an international cyber war. The US has joined forces with European law enforcement to seize Hydra’s servers in Germany and to arrest RaidForums administrator Diogo Santos Coelho in Britain. Hydra, the Russian-language darknet market, and RaidForums, one of the world’s largest hacker forums, have stopped working.

RELATED: CISA and several other US agencies have issued a joint warning about nation-state threat actors targeting the American energy industry with PIPEDREAM malware.

RuRansom Malware Destroys Data in Russian Systems
https://gridinsoft.com/blogs/ruransom-malware-destroys-data-in-russian-systems/ Mon, 18 Apr 2022 18:55:58 +0000

The post RuRansom Malware Destroys Data in Russian Systems appeared first on Gridinsoft Blog.

VMware researchers have described the activity of the RuRansom wiper, which attacks Russian systems and deliberately destroys their data, including backups. Unlike ordinary ransomware operators who extort ransoms from their victims, the author of RuRansom does not ask for money but simply intends to damage the Russian Federation.

By the way, let me remind you that we reported that hacker groups split up: some of them support Russia, others Ukraine.

Back in early March, Trend Micro analysts wrote about RuRansom, warning users and companies about the new anti-Russian wiper. According to the company, the malware appeared on February 26 and was created as destructive software, specifically to destroy the victims’ backups and data.

As VMware experts, who have prepared their own analysis, now say, the wiper is written in .NET, spreads like a worm, and copies itself as a file with the double extension .doc.exe to all removable drives and connected network shares.


After launch on the victim machine, the malware immediately calls its IsRussia() function, which looks up the system’s public IP address via the well-known service at https://api[.]ipify[.]org. RuRansom then geolocates that IP address through a known geolocation service, using the URL format https://ip-api[.]com/#[public ip].

Note: we also reported, for example, that leaked Conti ransomware source code was used to attack Russian authorities.

If the target is not in Russia, the malware displays a message on the screen: “Only Russian users can run the program” and stops execution.

If execution is not interrupted, the malware elevates to administrator privileges using cmd.exe /c powershell start-process -verb runas (which requires the user to accept the UAC prompt) and proceeds to encrypt data. Encryption applies to files of all extensions except .bak, which are deleted instead. The files are encrypted with AES-CBC using a hard-coded salt and a key built from the string “FullScaleCyberInvasion + ” and the machine name.
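The key material described above depends only on a constant string, a hard-coded salt and the victim’s machine name, so anyone holding the binary and the hostname can reproduce it. The Go program below is an added example, not RuRansom’s code or VMware’s analysis: it derives a key from “FullScaleCyberInvasion + ” plus the machine name, encrypts a buffer with AES-CBC and recovers it from the same inputs. The salt value, the PBKDF2 parameters (the defaults of .NET’s Rfc2898DeriveBytes), the key length and the IV handling are assumptions, since the post gives none of them.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"encoding/binary"
	"errors"
	"fmt"
	"hash"
	"io"
)

// keyPrefix is the constant the post reports; fixedSalt stands in for the
// real hard-coded salt, which the post does not reproduce.
const keyPrefix = "FullScaleCyberInvasion + "

var fixedSalt = []byte("placeholder-hardcoded-salt")

// pbkdf2 implements RFC 8018 PBKDF2 over HMAC so the example needs only the
// standard library. Iteration count and hash are assumptions (the defaults
// of .NET's Rfc2898DeriveBytes), not figures from the post.
func pbkdf2(password, salt []byte, iter, keyLen int, h func() hash.Hash) []byte {
	prf := hmac.New(h, password)
	var out []byte
	idx := make([]byte, 4)
	for block := uint32(1); len(out) < keyLen; block++ {
		prf.Reset()
		prf.Write(salt)
		binary.BigEndian.PutUint32(idx, block)
		prf.Write(idx)
		u := prf.Sum(nil)
		t := append([]byte(nil), u...)
		for i := 1; i < iter; i++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// DeriveKey reproduces the wiper's key material from the only input that
// varies per victim: the machine name. Same machine name, same key.
func DeriveKey(machineName string) []byte {
	return pbkdf2([]byte(keyPrefix+machineName), fixedSalt, 1000, 32, sha1.New)
}

// Encrypt is AES-256-CBC with PKCS#7 padding and a random IV prepended to
// the ciphertext (the IV handling is this example's choice).
func Encrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	pad := aes.BlockSize - len(plaintext)%aes.BlockSize
	padded := append(append([]byte(nil), plaintext...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	out := make([]byte, aes.BlockSize+len(padded))
	iv := out[:aes.BlockSize]
	if _, err := io.ReadFull(rand.Reader, iv); err != nil {
		return nil, err
	}
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out[aes.BlockSize:], padded)
	return out, nil
}

// Decrypt reverses Encrypt and validates the padding.
func Decrypt(key, data []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(data) < 2*aes.BlockSize || len(data)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext length invalid")
	}
	iv, ct := data[:aes.BlockSize], data[aes.BlockSize:]
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	pad := int(pt[len(pt)-1])
	if pad == 0 || pad > aes.BlockSize || !bytes.Equal(pt[len(pt)-pad:], bytes.Repeat([]byte{byte(pad)}, pad)) {
		return nil, errors.New("bad padding: wrong key or corrupted data")
	}
	return pt[:len(pt)-pad], nil
}

func main() {
	machine := "WORKSTATION-01" // constructed victim hostname
	sealed, err := Encrypt(DeriveKey(machine), []byte("quarterly figures, not backed up"))
	if err != nil {
		panic(err)
	}
	// Recovery needs nothing secret: the prefix and salt sit in the binary,
	// and the machine name is on the victim's own system.
	recovered, err := Decrypt(DeriveKey(machine), sealed)
	fmt.Printf("recovered: %q err=%v\n", recovered, err)
}
```

The point of the example is the design flaw, not the cipher: AES-CBC is sound, but a key that is a deterministic function of public inputs gives an analyst with the sample and the hostname everything needed to reproduce it, which is why a responder should recover the real salt and derivation parameters from the binary before accepting the author’s “no way to decrypt” at face value.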

At the same time, the note the malware author left in the code and in the file Full-scale_cyber-invasion.txt says that he does not want a ransom and wants to harm Russia in revenge for the “special military operation” in Ukraine.

“There is no way to decrypt your files. No payment, only damage,” says the developer in the message.
Hacker groups split up: some of them support Russia, others Ukraine
https://gridinsoft.com/blogs/hacker-groups-split-up-some-of-them-support-russia-others-ukraine/ Thu, 10 Mar 2022 11:47:41 +0000

The post Hacker groups split up: some of them support Russia, others Ukraine appeared first on Gridinsoft Blog.

Against the backdrop of the barbaric invasion of the Russian army into the territory of Ukraine, hacker groups have split into two camps: some declared support for the actions of the Russian authorities, while others, on the contrary, sided with Ukraine.

Bleeping Computer says that there has been a serious split in the hacker community.

For example, the administrator of the database and trading platform RaidForums openly stated that he was imposing his own sanctions and blocking access for users from Russia, making clear that he opposes the Kremlin’s actions.


Another RaidForums member posted an even harsher message as a warning to the “Russians”, along with a database of e-mail addresses and hashed passwords from the fsb.ru domain. Although the authenticity of this data has not yet been verified, the same user had previously posted similar databases for US .mil domains.


Let me remind you that we also said that Anonymous hackers declared war on the Russian government.

At the same time, ransomware groups also took opposite sides in the conflict. For example, members of one of the most aggressive groups, Conti, declared “full support of the Russian government” and threatened to retaliate with cyberattacks against anyone who attacks Russia, promising to use all their resources “to strike back at the enemy’s critical infrastructures.”

A little later, the group amended the statement, noting that they “do not ally with any government, and condemn the ongoing war”.

Another, far less well-known group, CoomingProject, also said it would support the Russian government if cyberattacks were directed against the country.


Interesting statistics about the “political position” of various hacker groups are also collected by journalists from The Record. According to them, two more groups have publicly declared their position.

UNC1151, allegedly based in Minsk, supports Russia. This group is considered to be Belarusian “government hackers” and is reportedly already working on hacking the emails of Ukrainian military personnel.

The Red Bandits also took Russia’s side. Back on February 22, the group announced on Twitter:

“We have hacked the @UkrainePolice DVRs and are monitoring them. If Ukraine does not do what #Russia wants, we will intensify attacks against Ukraine to provoke panic. We will also consider spreading #ransomeware in #UkraineRussiaCrisis #RussiaUcraina #Ukraine.”

We also said that the FBI and NSA release a statement about attacks by Russian hackers.

Anonymous hackers declared war on the Russian government
https://gridinsoft.com/blogs/anonymous-hackers-declared-war-on-the-russian-government/ Sat, 26 Feb 2022 11:55:22 +0000

The post Anonymous hackers declared war on the Russian government appeared first on Gridinsoft Blog.

A Twitter account associated with the Anonymous hacktivist movement reported that hackers are declaring war on the Russian government over Putin’s invasion of Ukraine.

Shortly thereafter, the group claimed responsibility for taking down a number of government websites, as well as the websites of RT and the Russian Ministry of Defense.

“The Anonymous collective is officially in cyber war against the Russian government. #Anonymous #Ukraine,” the post says.

It should be noted that yesterday there were indeed problems accessing kremlin.ru, as well as other government resources and banking sites, and RT representatives confirmed that they were under heavy DDoS attacks.

At the moment, all of the listed sites are available again, and the Russian National Coordination Center for Computer Incidents (NCCC) has warned of the threat of “an increase in the intensity of computer attacks on Russian information resources, including critical information infrastructure.”

The Record, which also tracks the escalation of cyberattacks linked to the outbreak of the military conflict, noted that the Russian government appears to have taken protective measures: government sites, including the military domain mil.ru, have become inaccessible to foreign visitors, because these resources now restrict traffic from sources outside Russia.

In practice, this means the servers are now configured not to serve the site’s content to people accessing it from another country. Instead, visitors from blocked regions see a “418 I’m a teapot” error.

This status code originated as an April Fools’ joke in 1998 (RFC 2324, the Hyper Text Coffee Pot Control Protocol) and is not part of the HTTP standard. It is usually used as a kind of inside joke among administrators when blocking incoming traffic: in particular, in response to DDoS attacks and attempts to scrape sites or APIs, to tell the attacker that their activity has been detected and is being blocked.
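Answering 418 to foreign visitors is a geo-gate placed in front of the application. The Go handler below is an added example, not the configuration of mil.ru or of any Russian government site: it looks up the client’s country and returns 418 I’m a teapot to anyone outside the allowed set, failing closed when the country is unknown. The IP-to-country table and the addresses are constructed for the example; a real deployment would consult a GeoIP database.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
)

// CountryLookup maps a client IP to an ISO 3166 country code, "" if unknown.
// A real deployment would back this with a GeoIP database.
type CountryLookup func(ip string) string

// GeoGate answers "418 I'm a teapot" to every client whose country is not in
// allowed and passes the rest to next. Unknown countries are blocked too,
// so a lookup failure never opens the site by accident.
func GeoGate(allowed map[string]bool, lookup CountryLookup, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		host, _, err := net.SplitHostPort(r.RemoteAddr)
		if err != nil {
			host = r.RemoteAddr // no port present
		}
		if !allowed[lookup(host)] {
			http.Error(w, "418 I'm a teapot", http.StatusTeapot)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// Probe sends one request to h as if it came from remoteAddr and returns
// the status code, using httptest so the example runs offline.
func Probe(h http.Handler, remoteAddr string) int {
	req := httptest.NewRequest(http.MethodGet, "/", nil)
	req.RemoteAddr = remoteAddr
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

// SampleGate builds a gate over a constructed lookup table: the addresses
// and their countries are invented for this example.
func SampleGate() http.Handler {
	table := map[string]string{
		"203.0.113.10": "RU",
		"198.51.100.7": "DE",
	}
	lookup := func(ip string) string { return table[ip] }
	site := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintln(w, "welcome")
	})
	return GeoGate(map[string]bool{"RU": true}, lookup, site)
}

func main() {
	g := SampleGate()
	for _, addr := range []string{"203.0.113.10:4433", "198.51.100.7:51000", "192.0.2.9:8080"} {
		fmt.Printf("%-20s -> %d\n", addr, Probe(g, addr))
	}
}
```

Behind a reverse proxy or CDN, r.RemoteAddr is the proxy’s address, so the lookup must instead use a forwarded-for header that only the trusted proxy can set; the example does not do that. Note also that a geo-gate of this kind only hides content: it does nothing against volumetric DDoS, which still reaches the server that has to answer 418.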

However, a database dumped from the website of the Russian Ministry of Defence, mil.ru, soon appeared online, published by Zer0Day Lab, and Anonymous claimed responsibility for the hack. Decide for yourself how successful the attacks against the Russian government are and how ethical it is to leak this data.

Let me remind you that we also wrote that the FBI and NSA release a statement about attacks by Russian hackers, and that Russian-speaking hackers attacked the government infrastructure of Poland.
