Follow on X RSS Feed
Malware

Espionage and Influence Meet Malware in UNC5812's Campaign Against Ukraine

Cybersec Sentinel

2 min read
Espionage and Influence Meet Malware in UNC5812's Campaign Against Ukraine

Threat Group: UNC5812
Threat Type: Hybrid Espionage and Influence Operation
Exploited Vulnerabilities: Android and Windows vulnerabilities, including CVE-2024-47575
Malware Used: SUNSPINNER, PURESTEALER, CRAXSRAT, Pronsis Loader
Threat Score: High (8.5/10) — due to multifaceted espionage and influence tactics targeting military sectors.
Last Threat Observation: October 29, 2024

Overview

UNC5812, a Kremlin-supported threat group, is involved in an espionage and influence campaign that targets Ukrainian military recruits, leveraging both malware delivery and social manipulation. The group uses the "Civil Defense" persona on Telegram to distribute Android and Windows malware under the guise of pro-Ukraine recruitment resources. Through these channels, UNC5812 spreads anti-mobilization narratives and delivers malware such as SUNSPINNER, PURESTEALER, and CRAXSRAT, aiming for data extraction, psychological manipulation, and compromised device control. Malware is disguised as helpful resources for Ukrainian citizens interested in military recruitment, effectively compromising both personal and national security.

Key Details

Delivery Method:
Malware is spread through Telegram, a dedicated website, and phishing links, particularly targeting those interested in military service.

Target:
Primarily Ukrainian military recruits and citizens, with the objective of both disrupting military mobilization and extracting intelligence.

Functions:

  1. Data Exfiltration: Collects and sends sensitive data, including credentials, locations, and real-time keystrokes.
  2. Screen Capture (T1113): Captures device activity screenshots.
  3. Keylogging (T1056.001): Tracks keystrokes to intercept login details.
  4. Command and Scripting Interpreter (T1059): Enables remote command execution on compromised systems.
  5. Exfiltration Over C2 Channel (T1041): Transfers collected data via encrypted channels to avoid detection.

Obfuscation:
The malware employs advanced obfuscation and runtime cloaking techniques, avoiding detection by standard antivirus tools.

Attack Vectors

UNC5812 utilizes Telegram and a website purporting to offer "civil defense" tools, with malware embedded in legitimate-seeming resources. This allows the malware to bypass typical security measures as it infiltrates Android and Windows devices. Once installed, the malware gathers local data, enables remote command execution, and maintains persistent access to the device, feeding data back to UNC5812's command-and-control servers.

Known Indicators of Compromise (IoCs)

File Hashes (MD5):

  • 31cdae71f21e1fad7581b5f305a9d185
  • 4ca65a7efe2e4502e2031548ae588cb8
  • 7ef871a86d076dac67c2036d1bb24c39
  • aab597cdc5bc02f6c9d0d36ddeb7e624
  • b3cf993d918c2c61c7138b4b8a98b6bf

File Hash (SHA1):

  • 9ce3ab0bf4ee52e98fbd94787783ac6962e21304

File Hash (SHA256):

  • b4f7414f3c6de7cad88c4178ecfc8201d123fb6db9a5ecd8053f7750757d154e

Defanged IPs:

  • 185[.]169[.]107[.]44
  • 206[.]71[.]149[.]194

Mitigation and Prevention

  1. User Awareness: Inform users about phishing risks, especially on platforms like Telegram.
  2. Endpoint Security: Employ endpoint detection for signatures related to SUNSPINNER, PURESTEALER, and CRAXSRAT.
  3. Content and Email Filtering: Implement strict filtering on email and network traffic to monitor for suspicious content related to military recruitment.
  4. Antivirus and EDR Solutions: Deploy antivirus and Endpoint Detection and Response solutions capable of detecting and blocking UNC5812's malware.
  5. Network Monitoring: Examine network traffic for suspicious communication with known IoC IPs and domains.
  6. Regular Updates and Patching: Apply security patches for Android and Windows devices, especially for CVE-2024-47575.

Conclusion

UNC5812’s hybrid espionage efforts combine both psychological and technological tactics, posing significant threats to Ukrainian defense operations and public morale. By distributing Android and Windows malware via social engineering, UNC5812 maintains a multifaceted approach, directly targeting Ukrainian military interests. Continuous monitoring and rapid response are vital to defend against this evolving threat.

Sources