Ukraine: what is this destructive malware disguised as ransomware?

The crisis between Russia and Ukraine is not new. Its origin is historical but accelerated with the events of 2014, which correspond to the annexation of Crimea by Russia. Tension is particularly high in the Donbass region. A tendency to thaw had been felt with the arrival of Volodymyr Oleksandrovytch Zelensky to power in 2019, including the signing of ceasefire agreements in 2020, but the hope was short-lived.

These factors added to a more global context, such as the arrival of Joe BIDEN to power, who is pro-Ukrainian and wants Ukraine to join NATO (which strongly displeases Russia) explain the mobilization of Russian military troops and the escalation of violence in recent months.

Despite an attempt at dialogue between the United States, Europe and Russia, the tension remains. Ukraine is indeed subject to large-scale cyberattacks, paralyzing government agencies (70 government sites), national education sites … no data leakage is to be deplored for the moment.

Ukraine accuses Russia, which denies any involvement in these cyberattacks.
The attack mentioned in this article is based on a Microsoft publication [1].

It takes the form of a disguised ransomware, which, instead of reversibly encrypting with a ransom demand, renders computers inoperable.

Summary

What are we talking about?

This attack is composed of several steps (“stage”):

Stage 1

The first stage aims at trapping the MBR of the machine, and, at the next reboot, destroys the data on the disk.

Stage 2

Before starting its action, this binary launches a obfuscated powershell command in order to delay the malicious action by a few seconds, probably to evade security products.

In decoding, it looks like a sleep: Start-Sleep -s 10

Then, it will try to download a third stage via the Discord CDN (free written/voice messaging software for the public) in the form of a JPG, whose URL is hardcoded in the binary of the second stage:

https[:]//cdn.discordapp[.]com/attachments/928503440139771947/930108637681184768/Tbopbh.jpg

Stage 3

This JPG, which is not a JPG, is in fact the obfuscated stage3. Indeed, the deobfuscated stage3 seems to be a dll with two functions:

  • disable Windows Defender
  • corrupt files of some extensions by overwriting part of their content:
    .3DM .3DS .7Z .ACCDB .AI .ARC .ASC .ASM .ASP .ASPX .BACKUP .BAK .BAT .BMP .BRD .BZ .BZ2 .CGM .CLASS .CMD .CONFIG .CPP .CRT .CS .CSR .CSV .DB .DBF .DCH .DER .DIF .DIP .DJVU.SH .DOC .DOCB .DOCM .DOCX .DOT .DOTM .DOTX .DWG .EDB .EML .FRM .GIF .GO .GZ .HDD .HTM .HTML .HWP .IBD .INC .INI .ISO .JAR .JAVA .JPEG .JPG .JS .JSP .KDBX .KEY .LAY .LAY6 .LDF .LOG .MAX .MDB .MDF .MML .MSG .MYD .MYI .NEF .NVRAM .ODB .ODG .ODP .ODS .ODT .OGG .ONETOC2 .OST .OTG .OTP .OTS .OTT .P12 .PAQ .PAS .PDF .PEM .PFX .PHP .PHP3 .PHP4 .PHP5 .PHP6 .PHP7 .PHPS .PHTML .PL .PNG .POT .POTM .POTX .PPAM .PPK .PPS .PPSM .PPSX .PPT .PPTM .PPTX .PS1 .PSD .PST .PY .RAR .RAW .RB .RTF .SAV .SCH .SHTML .SLDM .SLDX .SLK .SLN .SNT .SQ3 .SQL .SQLITE3 .SQLITEDB .STC .STD .STI .STW .SUO .SVG .SXC .SXD .SXI .SXM .SXW .TAR .TBK .TGZ .TIF .TIFF .TXT .UOP .UOT .VB .VBS .VCD .VDI .VHD .VMDK .VMEM .VMSD .VMSN .VMSS .VMTM .VMTX .VMX .VMXF .VSD .VSDX .VSWP .WAR .WB2 .WK1 .WKS .XHTML .XLC .XLM .XLS .XLSB .XLSM .XLSX .XLT .XLTM .XLTX .XLW .YML .ZIP

There are still doubts about the precise intentions of this malware.

TEHTRIS recommendations

Against these threats, TEHTRIS recommends to all its customers and all readers of this article, as advised by Microsoft to:

  1. Check in its EDR/EPP logs all the executions in the directories C:\PerfLogs, C:\ProgramData, C:\, and C:\temp, that have been seen to carry this threat. Unless there is a park-related exception, these path should contain very few legitimate executions.

    Also, you can check the following filenames: stage1.exe, stage2.exe, Tbopbh.* .

    In general, thanks to the different modules of the TEHTRIS EDR (powershell detection, Sandbox, …), even if the threat was not known, it would have been detected and even remedied depending on the configuration applied.

  2. Check in the SIEM logs, for example proxy, the URL of the Discord CDN:
    https://cdn.discordapp[.]com/attachments/928503440139771947/930108637681184768/Tbopbh.jpg

    Since the Discord CDN can be used as an intermediary to download malicious content[2],, if it is not useful in your company, you may consider simply blocking this URL from certain networks (e.g. from the servers’ network if they have Internet access).

If you have an instance of TEHTRIS DNS Firewall, it can be used for both investigation and blocking if desired.

TEHTRIS is monitoring the threat closely and will update the article if new developments become known.

IOC

Type

Description

Objet

SHA256     

stage 1

a196c6b8ffcb97ffb276d04f354696e2391311db3841ae16c8c9f56f36a38e92

SHA256     

Stage 2

dcbbae5a1c61dbbbb7dcd6dc5dd1eb1169f5329958d38b58c3fd9384081c9b78

SHA256     

Tbopbh.jpg (stage3, obfusqué)

923eb77b3c9e11d6c56052318c119c1a22d11ab71675e6b95d05eeb73d1accd6

SHA256   

frkmlkdkdubkznbkmcf.dll (stage3, decodé)

9ef7dbd3da51332a78eff19146d21c82957821e464e8133e9594a07d716d892d

URL

 

https[:]//cdn.discordapp[.]com/attachments/928503440139771947/930108637681184768/Tbopbh.jpg

Chemin        

 

C:\PerfLogs

Chemin        

 

C:\

Chemin        

 

C:\ProgramData

Chemin        

 

C:\temp

Nom de fichier

 

Tbopbh.*

Nom de fichier

 

Stage1.exe

Nom de fichier

 

Stage2.exe

Nom de fichier

 

frkmlkdkdubkznbkmcf.dll 

Ligne de commande

 

powershell -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMQAwAA==

Cyber or not Cyber ?

Subscribe to the TEHTRIS newsletter.

Once a month, get the latest cyber news by subscribing to the TEHTRIS newsletter.

To explore the subject

Similar publications

Cyber or not cyber ?

Once a month, receive the essential news and cyber watch by subscribing to the TEHTRIS newsletter.