FortiGuard Labs is aware of a report from CERT-UA that Ukrainian organizations are under cyberattacks that aim to install a publicly available backdoor named “MicroBackdoor.” The cyberattacks are attributed to APT group “UAC-0051”, also known as unc1151, who has reportedly acted for Belarusian government’s interests in the past.Why is this Significant?This is significant because, according to CERT-UA, Ukraine organizations were attacked by an APT group whose past activities are said to be aligned with Belarusian government’s interests.What’s the Detail of the Attack?Unfortunately, the initial attack vector is unknown. What’s known is that the victims received “dovidka.zip”, which contains “dovidka.chm”. The CHM file contains two files. An image.jpg is an image file used as a decoy. Another file is file.htm, which creates “ignit.vbs”. The VBS file decodes three files: “core.dll,” “desktop.ini” and “Windows Prefetch.lnk.” The LNK file launches the INI file using wscript.exe. Then, the INI file runs the DLL using regasm.exe. The core.dll is a .NET loader that decodes and executes MicroBackdoor on the compromised machine.What is MicroBackdoor?MicroBackdoor is a publicly available backdoor that receives commands from a Command and Control (C2) server and performs various activities.According to the description on the MicroBackdoor repository”Micro Backdoor client supports 32-bit and 64-bit versions of Windows XP, Vista, 7, 8, 8.1, 10, Server 2003, Server 2003 R2, Server 2008, Server 2008 R2, Server 2012, Server 2012 R2, Server 2016 and Server 2019 of any editions, languages and service packs.”What is the Status of Coverage?FortiGuard Labs provide the following AV coverage against available files involved in the attack:PossibleThreat.PALLAS.HVBS/Agent.OVE!trLNK/Agent.7AB4!trAll network IOCs are blocked by the WebFiltering client.
More Stories
ZDI-CAN-25373: Microsoft
A CVSS score 7.0 AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H severity vulnerability discovered by 'Peter Girnus - Trend Micro Zero Day Initiative' was reported to...
DSA-5774-1 ruby-saml – security update
It was discovered that ruby-saml, a SAML library implementing the client side of a SAML authorization, does not properly verify...
USN-6968-2: PostgreSQL vulnerability
USN-6968-1 fixed CVE-2024-7348 in PostgreSQL-12, PostgreSQL-14, and PostgreSQL-16 This update provides the corresponding updates for PostgreSQL-9.5 in Ubuntu 16.04 LTS....
USN-7015-2: Python vulnerabilities
USN-7015-1 fixed several vulnerabilities in Python. This update provides one of the corresponding updates for python2.7 for Ubuntu 16.04 LTS,...
USN-7027-1: Emacs vulnerabilities
It was discovered that Emacs incorrectly handled input sanitization. An attacker could possibly use this issue to execute arbitrary commands....
USN-7024-1: tgt vulnerability
It was discovered that tgt attempts to achieve entropy by calling rand without srand. The PRNG seed is always 1,...