CERT-UA warned of a possible cyber attack


The Computer Emergency Response Team of Ukraine (CERT-UA) has warned of possible cyber attacks on Ukrainian computer systems.

This was reported by the CERT-UA press service.

“CERT-UA, together with the Foreign Intelligence Service of Ukraine, has detected a new modification of the Pterodo malware on computers of Ukrainian government bodies, which is probably a preparatory stage for conducting cyber attacks. The virus collects data about the system, regularly sends it to command-and-control servers and waits for further commands,” the message states.

Version NEW-SAR_v.14

The main difference between this modification and the previous version is the ability to infect a system via flash drives and other removable media, and to infect flash drives connected to the affected computer for further distribution.

Documents (.doc, .docx), images (.jpg) and text files (.txt) are copied to a hidden folder named MacOS under file names of the form FILE<arbitrary number>.<extension> (for example, FILE3462.docx), and shortcuts with the original file names are created on the flash drive; opening such a shortcut simultaneously opens the original file copied into the MacOS folder and runs the generated malicious file usb.ini.

Otherwise the body of the virus functions the same as the previous version: it sends information about the system, updates itself, and loads additional components when they are provided.
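The removable-media pattern described above can be checked for on a drive without opening any of the files. The following script is an added example written for this article, not CERT-UA's own tooling; it assumes the shortcuts are plain .lnk files in the drive root and uses a constructed sample tree with dummy bytes.

```python
"""Scan a removable drive root for the NEW-SAR_v.14 spreading pattern
described above: a 'MacOS' folder holding copies named FILE<digits>.<ext>,
.lnk shortcuts left in the drive root in place of the originals, and the
dropped usb.ini.  Sample tree below is constructed, not a real infection."""
import re
import tempfile
from pathlib import Path

COPY_NAME = re.compile(r"^FILE\d+\.(docx?|jpg|txt)$", re.IGNORECASE)

def inspect_drive(root):
    """Return the indicators found under root; empty values mean clean."""
    root = Path(root)
    macos = root / "MacOS"  # hidden attribute is not checked (portability)
    copies = sorted(p.name for p in macos.iterdir()
                    if COPY_NAME.match(p.name)) if macos.is_dir() else []
    # Shortcuts sitting where documents used to be are the lure the user clicks.
    links = sorted(p.name for p in root.glob("*.lnk"))
    payload = (root / "usb.ini").name if (root / "usb.ini").is_file() else None
    return {"copies": copies, "lure_links": links, "payload": payload}

def is_infected(findings):
    """Copies in MacOS plus either lure shortcuts or the usb.ini payload."""
    return bool(findings["copies"]) and (
        bool(findings["lure_links"]) or findings["payload"] is not None)

def build_sample_drive():
    """Constructed tree mimicking an infected flash drive (dummy bytes only)."""
    d = Path(tempfile.mkdtemp(prefix="usb_"))
    (d / "MacOS").mkdir()
    (d / "MacOS" / "FILE3462.docx").write_bytes(b"decoy")
    (d / "MacOS" / "FILE17.txt").write_bytes(b"decoy")
    (d / "report.docx.lnk").write_bytes(b"L\x00\x00\x00")  # stand-in .lnk
    (d / "notes.txt.lnk").write_bytes(b"L\x00\x00\x00")
    (d / "usb.ini").write_bytes(b"dummy")  # stand-in for the dropped file
    return d

if __name__ == "__main__":
    found = inspect_drive(build_sample_drive())
    print("infected" if is_infected(found) else "clean", found)
```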

In addition, this version activates only on systems whose language localization belongs to the post-Soviet states, namely Ukrainian, Belarusian, Russian, Armenian, Azerbaijani, Uzbek, Tatar and others. This complicates analysis by popular automated malware analysis systems.

Version arm_02.10

The main difference is that a message is displayed when the file is launched, which prevents the user from realizing that the launch has started the malicious program.

In addition, in this version each affected system has an individual URL directory named after the serial number of the drive on which the system is installed (for example, bitsadmin.ddns[.]net/00000/setup.exe, where “00000” is the serial number). This indicates that the attackers analyze the information received about the infected system and individually determine for each system which new applications to download and run.


Photo: cert.gov.ua

“The ‘handwriting’ of the malicious software is typical of targeted APT attacks and may indicate the preparation of a targeted cyber attack on Ukrainian computer systems. The Pterodo backdoor sets up hidden access to computer systems for future use or control, which may lead to information leakage, blocking of operations, data encryption and other malicious actions,” CERT-UA emphasized.

Malicious domains and IPs (C2):

Version: NEW-SAR_v.14:

hxxp://updates-spreadwork[.]pw (the domain was not active as of 13.11).

Version: arm_02.10:

hxxp://dataoffice.zapto[.]org
hxxp://bitsadmin.ddns[.]net

The domains are registered with a dynamic DNS (DDNS) provider, which allows the IP address to be changed quickly and hides the real owner of the domain.

Malicious files:

Version: NEW-SAR_v.14:

AdobeNetwork.exe (on flash drives: usb.ini)
ImagingDevices.exe
winhost.cmd
doc.lnk
jpg.lnk
txt.lnk
Softwarelink.lnk
flash.vbs

Directories where these files are located:

Windows 7 and 10

%APPDATA%\Adobe
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup

Windows XP

%WINDIR%\Adobe
%USERPROFILE%\Start Menu\Programs\Startup

For all OS:

%TMP%\7zSfz000

Version: arm_02.10:

“Microsoft Office Document Word.com”
“Cookie.exe”
“cookies.vbs”
“Cookies.sys”
“document.rar”
“CookiesERR.cmd”
macupdates.exe (may be unique for each system; only the name is the same).

Directories that host malicious files:

%APPDATA%\Local\Temp\7ZipSfx.001
%APPDATA%\Local\Temp\7ZipSfx.000
%USERPROFILE%\CookiesERR
%APPDATA%\Microsoft\IE
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup
%USERPROFILE%

Countermeasures for removing the virus:

— scan the system with an antivirus;

— check the directories listed above for the files named; if any are found, delete them from the directory;

— check the Task Scheduler for the records indicated below (they must be deleted):


Photo: Screenshot
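The directory check above can be scripted so that every listed path is visited and every matching file is reported with its hash for submission, without deleting anything. This is an added example for this article, not CERT-UA's own script; it resolves the advisory's %VAR% paths against a caller-supplied mapping (so an offline copy of a profile can be checked) and plants dummy files in a constructed profile for demonstration.

```python
"""Report advisory file names found in the directories listed above (no
deletion); paths resolve against a caller-supplied map of Windows env vars."""
import hashlib, tempfile
from pathlib import Path
STARTUP = r"%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup"
DIRS = {  # directory lists as published in the advisory
    "NEW-SAR_v.14": [r"%APPDATA%\Adobe", r"%WINDIR%\Adobe", STARTUP,
                     r"%TMP%\7zSfz000"],
    "arm_02.10": [r"%APPDATA%\Local\Temp\7ZipSfx.001", r"%USERPROFILE%",
                  r"%APPDATA%\Local\Temp\7ZipSfx.000", r"%USERPROFILE%\CookiesERR",
                  r"%APPDATA%\Microsoft\IE", STARTUP],
}
FILES = {  # file names as published, compared case-insensitively
    "NEW-SAR_v.14": {"adobenetwork.exe", "usb.ini", "imagingdevices.exe",
                     "winhost.cmd", "doc.lnk", "jpg.lnk", "txt.lnk",
                     "softwarelink.lnk", "flash.vbs"},
    "arm_02.10": {"microsoft office document word.com", "cookie.exe",
                  "cookies.vbs", "cookies.sys", "document.rar",
                  "cookieserr.cmd", "macupdates.exe"},
}

def expand(win_path, env):
    """Resolve '%VAR%\\sub' against env; None if a variable is unknown."""
    pieces = []
    for part in win_path.split("\\"):
        if part.startswith("%") and part.endswith("%"):
            part = env.get(part.strip("%").upper())
            if part is None:
                return None
        pieces.append(part)
    return Path(*pieces)

def find_indicators(env):
    """Return sorted (version, file name, sha256) for every file found."""
    hits = set()
    for version, dirs in DIRS.items():
        for base in (expand(d, env) for d in dirs):
            for p in (base.iterdir() if base and base.is_dir() else ()):
                if p.is_file() and p.name.lower() in FILES[version]:
                    digest = hashlib.sha256(p.read_bytes()).hexdigest()
                    hits.add((version, p.name, digest))
    return sorted(hits)

def build_sample_profile():
    """Constructed profile with two planted dummy files (not real malware)."""
    root = Path(tempfile.mkdtemp(prefix="profile_"))
    for sub, name in (("Adobe", "AdobeNetwork.exe"), ("CookiesERR", "Cookies.sys")):
        (root / sub).mkdir()
        (root / sub / name).write_bytes(b"dummy")
    return {"APPDATA": str(root), "USERPROFILE": str(root)}
```

On a live Windows host, pass `dict(os.environ)` as the mapping; variables missing from the mapping (here WINDIR and TMP) simply skip their directories.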

Recommendations for preventing the threat:

— prohibit opening attachments in suspicious messages (emails from senders that raise questions: for example, the author has changed the language of communication for no apparent reason; the subject is atypical for the author; the way the author addresses the recipient is atypical, etc.), as well as messages with unusual text urging the recipient to follow suspicious links or open suspicious files;

— disable autorun for removable media (flash drives) and scan them with an antivirus when they are connected;

— if a suspicious email arrives from a sender known to the recipient, verify by phone (or another channel) that the sender actually sent it. If this is not confirmed, save the email to disk, archive it and forward it to CERT-UA for investigation;

— be vigilant about any unusual situations (e.g., the operating system displays a message that a file cannot be opened, that software needs to be installed, or a request for permission to perform an operation);

— disconnect a suspicious device from the Internet for further verification;

— disable encryption, if enabled;

— check that macros are disabled in Microsoft Office Word;

— use an antivirus with up-to-date signature databases and a valid license, and keep the operating system and software updated;

— regularly back up important files, change the access passwords to important systems and scan the system with an antivirus.

BACKGROUND. The Computer Emergency Response Team of Ukraine (CERT-UA) is a specialized structural subdivision of the National Cyber Defence and Cyber Threat Counteraction Centre of the State Service of Special Communication and Information Protection of Ukraine. It was founded in 2007.
