Suspected UNC1151 Attacks as Ukraine Conflict Continues
April 1, 2022
- phishing campaign
UNC1151 is a suspected state-sponsored hacking group with an Eastern European background. Their first known activity was linked to the Ghostwriter attacks that were reported by Mandiant in 2020. The "Ghostwriter" campaign, which began around March 2017, targeted countries such as Lithuania, Latvia, and Poland, where attackers spread content with anti-NATO stances, often using fake email accounts to spread content, including fake letters from military officials.
In February 2022, following the outbreak of the Russian-Ukrainian conflict, the Ukrainian Computer Emergency Response Team (CERT-UA) and the State Agency for Special Communications and Information Protection of Ukraine (SSCIP Ukraine) issued an alert about extensive phishing campaigns by UNC1151 targeting the private email accounts of members of the Ukrainian armed forces.
A sample file related to this incident was obtained by CERT-UA and was named довідка.zip ("довідка" means "certificate" in Ukrainian). Inside the compressed package is dovidka.chm. CHM is short for Compiled Help Manual, Microsoft's newer help file format: the help content is written as HTML, then compiled and stored in a database-like, compressed form. When a user double-clicks such a file, Windows by default opens it with the Microsoft HTML Help viewer and displays its content.
The file.htm carried inside the CHM was found to contain two pieces of code: a JS snippet used to display the decoy content, and disguised VBS code that ultimately executes the MicroBackdoor malware. The malware's capabilities include conventional remote-control functions such as collecting local system information, executing programs, opening reverse shells, and uploading and downloading files.
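Two defensive checks follow from the delivery chain described above (a ZIP attachment carrying a CHM, and the CHM's script stage running through the HTML Help viewer). The script below is an added example, not CERT-UA's or Mandiant's code: it flags CHM members inside a ZIP attachment by extension and by the `ITSF` magic bytes that Microsoft Compiled HTML Help files start with, and it scans process-creation events for hh.exe (the HTML Help viewer) spawning a script host or shell. The sample archive and the JSON event lines are constructed for the demonstration; the field names `parent_image` and `image` are assumed, and you would map them to whatever your EDR or Sysmon pipeline emits.

```python
"""Defensive triage helpers for the CHM-in-ZIP lure pattern.

Added example, not code from the original report or from CERT-UA.
Checks:
  1. scan_zip_attachment(): flag ZIP members that are CHM files, by extension
     or by the 'ITSF' signature at offset 0 (catches a renamed .chm too).
  2. find_suspicious_hh_children(): flag process-creation events in which
     hh.exe (the HTML Help viewer) spawns a script host or shell, which is the
     execution chain a CHM-delivered VBS stage produces.
"""
import io
import json
import zipfile

CHM_MAGIC = b"ITSF"  # signature of Microsoft Compiled HTML Help (ITSS) files
# Child processes that hh.exe has no legitimate reason to spawn in most estates.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "cmd.exe", "powershell.exe", "mshta.exe"}


def scan_zip_attachment(data: bytes) -> list:
    """Return findings for every ZIP member that looks like a CHM file."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as member:
                head = member.read(len(CHM_MAGIC))
            by_ext = info.filename.lower().endswith(".chm")
            by_magic = head == CHM_MAGIC
            if by_ext or by_magic:
                findings.append({"member": info.filename,
                                 "by_ext": by_ext, "by_magic": by_magic})
    return findings


def _basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_suspicious_hh_children(event_lines) -> list:
    """Return process-creation events where hh.exe spawned a script host."""
    hits = []
    for line in event_lines:
        ev = json.loads(line)
        parent = _basename(ev.get("parent_image", ""))
        child = _basename(ev.get("image", ""))
        if parent == "hh.exe" and child in SCRIPT_HOSTS:
            hits.append(ev)
    return hits


def build_sample_lure() -> bytes:
    """Constructed ZIP mimicking the lure layout: a CHM next to decoy files."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # Minimal fake CHM: only the header signature matters for this check.
        zf.writestr("dovidka.chm", CHM_MAGIC + b"\x03\x00\x00\x00" + b"\x00" * 60)
        zf.writestr("readme.txt", "benign text")
        zf.writestr("renamed.dat", CHM_MAGIC + b"\x00" * 60)  # CHM with extension changed
    return buf.getvalue()


# Constructed process-creation events (one JSON object per line).
SAMPLE_EVENTS = [
    r'{"ts":"2022-03-01T10:14:02Z","host":"ws01","parent_image":"C:\\Windows\\hh.exe",'
    r'"image":"C:\\Windows\\System32\\wscript.exe","cmdline":"wscript.exe //B stage.vbs"}',
    r'{"ts":"2022-03-01T10:13:58Z","host":"ws01","parent_image":"C:\\Windows\\explorer.exe",'
    r'"image":"C:\\Windows\\hh.exe","cmdline":"hh.exe dovidka.chm"}',
    r'{"ts":"2022-03-01T11:02:10Z","host":"ws02","parent_image":"C:\\Windows\\explorer.exe",'
    r'"image":"C:\\Windows\\System32\\cmd.exe","cmdline":"cmd.exe"}',
]

if __name__ == "__main__":
    for f in scan_zip_attachment(build_sample_lure()):
        print("CHM member:", f)
    for hit in find_suspicious_hh_children(SAMPLE_EVENTS):
        print("hh.exe spawned script host:", hit["host"], hit["cmdline"])
```

The attachment check is deliberately content-agnostic: CHM payloads are LZX-compressed, so matching on the container signature is more robust at the mail gateway than searching for script tags. The process check is the complementary endpoint signal; a user merely opening a help file produces explorer.exe spawning hh.exe, which the rule ignores, while hh.exe spawning wscript.exe is rare enough to page on.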
With the ongoing situation between Ukraine and Russia, we can expect an increase in attacks by APT groups that use news and issues around the conflict as bait for their targets. Some steps your organization can take to minimize attacks from this group are: