MVISION Insights: UAC-0056 Threat Group targeting Ukraine with GraphSteel and GrimPlant malware
Technical Articles ID: KB95691
Last Modified: 5/19/2022
Environment
IMPORTANT: This Knowledge Base article discusses a specific threat that is being automatically tracked by MVISION Insights technology. The content is intended for use by MVISION Insights users, but is provided for general knowledge to all customers. Contact us for more information about MVISION Insights.
Summary
Description of Campaign
The UAC-0056 threat group targeted Ukrainian entities with spear-phishing emails carrying a malicious attachment. Enabling the macro in the COVID-themed attachment infected the system with variants of the GraphSteel and GrimPlant malware families. The malware can gather sensitive information and exfiltrate it to actor-controlled command and control servers.
Our ATR Team gathers and analyzes information from multiple open and closed sources before disseminating intelligence reports. This campaign was researched by Ukraine CERT-UA and shared publicly.
How to use this article:
- If a Threat Hunting table has been created, use the rules contained to search for malware related to this campaign.
- Review the product detection table and confirm that your environment is at least on the specified content version. To download the latest content versions, go to the Security Updates page.
- Scroll down and review the "Product Countermeasures" section of this article. Consider implementing them if they are not already in place.
- Review KB91836 - Countermeasures for entry vector threats.
- Review KB87843 - Dynamic Application Containment rules and best practices.
- Review KB82925 - Identify what rule corresponds to an Adaptive Threat Protection and Threat Intelligence Exchange event.
Threat Hunting
The following YARA rule for GrimPlant is reproduced from Malpedia (yara-signator output, TLP:WHITE, CC BY-SA 4.0). The rule header line did not survive on this page; the rule name below follows yara-signator's win_<family>_auto naming convention and is an assumption.

rule win_grimplant_auto {   // rule name assumed: the header line is absent from the page

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-04-08"
        version = "1"
        description = "Describes win.grimplant."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.grimplant"
        malpedia_rule_date = "20220405"
        malpedia_hash = "ecd38294bd47d5589be5cd5490dc8bb4804afc2a"
        malpedia_version = ""
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    strings:
        $sequence_0 = { ffd1 488b4c2420 48f7c160000000 b900000000 ba20000000 480f45ca 4881c994000000 }
            // n = 7, score = 100
            //   ffd1                 | lea edi, dword ptr [eax + 0x18]
            //   488b4c2420           | dec eax
            //   48f7c160000000       | mov ecx, dword ptr [esp + 0x5b0]
            //   b900000000           | jne 0xcd8
            //   ba20000000           | dec eax
            //   480f45ca             | mov ecx, dword ptr [esp + 0xb8]
            //   4881c994000000       | dec eax

        $sequence_1 = { eb1c 488b9424d8000000 488d4a01 488b8424c8000000 488b9c2418010000 48898c24d8000000 488b5028 }
            // n = 7, score = 100
            //   eb1c                 | mov ebx, 2
            //   488b9424d8000000     | mov ecx, 6
            //   488d4a01             | dec eax
            //   488b8424c8000000     | mov esi, dword ptr [esp + 0xa0]
            //   488b9c2418010000     | jge 0xa0
            //   48898c24d8000000     | nop dword ptr [eax]
            //   488b5028             | dec eax

        $sequence_2 = { eb0e 488d3d22406e00 31c0 e8???????? 440f113d???????? 833d????????00 750d }
            // n = 7, score = 100
            //   eb0e                 | cmp byte ptr [eax], 0x31
            //   488d3d22406e00       | jne 0x4d1
            //   31c0                 | jne 0x1ad
            //   e8????????           |
            //   440f113d????????     |
            //   833d????????00       |
            //   750d                 | dec eax

        $sequence_3 = { 660f3a0fff08 66450f3a0fd20c 4c0317 4c135f08 4983d401 488b4500 4989c7 }
            // n = 7, score = 100
            //   660f3a0fff08         | mov dword ptr [esp + 0x18], edx
            //   66450f3a0fd20c       | dec eax
            //   4c0317               | lea edi, dword ptr [0x54a8d4]
            //   4c135f08             | nop dword ptr [eax]
            //   4983d401             | jmp 0xa6b
            //   488b4500             | dec eax
            //   4989c7               | lea edx, dword ptr [0xb1972]

        $sequence_4 = { 4c8d4e01 6690 4c39cf 7334 488d05143c3300 4c89c3 4889f1 }
            // n = 7, score = 100
            //   4c8d4e01             | jne 0x12ed
            //   6690                 | dec eax
            //   4c39cf               | mov ecx, dword ptr [esp + 0x28]
            //   7334                 | dec eax
            //   488d05143c3300       | mov eax, dword ptr [esp + 0x30]
            //   4c89c3               | dec eax
            //   4889f1               | lea ecx, dword ptr [0x45cfe0]

        $sequence_5 = { e9???????? 488d05bc6d1700 e8???????? 488d0db0022800 488908 833d????????00 750e }
            // n = 7, score = 100
            //   e9????????           |
            //   488d05bc6d1700       | dec eax
            //   e8????????           |
            //   488d0db0022800       | mov eax, ecx
            //   488908               | dec eax
            //   833d????????00       |
            //   750e                 | lea ecx, dword ptr [0x535463]

        $sequence_6 = { ffd6 488b4c2460 488b8980000000 488b442468 31db 31ff 4889ca }
            // n = 7, score = 100
            //   ffd6                 | dec eax
            //   488b4c2460           | mov dword ptr [eax + 0x30], edx
            //   488b8980000000       | jmp 0x1241
            //   488b442468           | dec eax
            //   31db                 | lea edi, dword ptr [eax + 0x30]
            //   31ff                 | nop
            //   4889ca               | jne 0x1245

        $sequence_7 = { e9???????? 4889c8 4889fb 4889d1 e8???????? 488b4c2478 4839cb }
            // n = 7, score = 100
            //   e9????????           |
            //   4889c8               | dec eax
            //   4889fb               | mov edi, dword ptr [esp + 0x18]
            //   4889d1               | dec eax
            //   e8????????           |
            //   488b4c2478           | cmp dword ptr [edx + 0x10], 0
            //   4839cb               | jne 0x97d

        $sequence_8 = { eb0d 4889c7 488b4c2428 e8???????? 31c0 31db 488b6c2448 }
            // n = 7, score = 100
            //   eb0d                 | lea eax, dword ptr [0x1f4d97]
            //   4889c7               | dec eax
            //   488b4c2428           | mov dword ptr [eax + 8], 0x50
            //   e8????????           |
            //   31c0                 | jne 0x33d
            //   31db                 | nop
            //   488b6c2448           | dec eax

        $sequence_9 = { e9???????? 4889d6 e8???????? 488b4c2458 4839c8 773e 488b742450 }
            // n = 7, score = 100
            //   e9????????           |
            //   4889d6               | dec eax
            //   e8????????           |
            //   488b4c2458           | mov ecx, dword ptr [esp + 0x20]
            //   4839c8               | dec eax
            //   773e                 | lea edi, dword ptr [ecx + 0x40]
            //   488b742450           | jne 0xb6e

    condition:
        7 of them
        and filesize < 19940352
}

Note that the disassembly column in the comments is yara-signator output decoded as 32-bit code and does not line up with the 64-bit byte sequences (the 0x48 REX prefix, for example, is shown as "dec eax"). YARA matches only the byte patterns; the comments are informational. The "??" tokens are single-byte wildcards covering call and jump targets and data references that differ between builds, and the "7 of them" threshold is what keeps a single relinked function from defeating the rule.
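The hex strings in that rule can be exercised without the YARA engine. The Python below is an added illustration, not part of the KB article and not code from yara-signator or Malpedia: it translates each $sequence_N string (fixed bytes plus ?? single-byte wildcards, the only hex-string features this rule uses) into a bytes regex and evaluates the "7 of them and filesize < 19940352" condition over a buffer it constructs itself. The sample buffer, the 0x90 wildcard fill and the padding are assumptions for the demonstration; in production, compile the rule with the yara CLI or yara-python instead of reimplementing the matcher.

```python
from __future__ import annotations

import re

# Byte sequences copied from the win.grimplant rule above. "??" is a one-byte
# wildcard; yara-signator uses it for call/jump targets and data references
# that differ between samples.
GRIMPLANT_SEQUENCES = {
    "sequence_0": "ffd1 488b4c2420 48f7c160000000 b900000000 ba20000000 480f45ca 4881c994000000",
    "sequence_1": "eb1c 488b9424d8000000 488d4a01 488b8424c8000000 488b9c2418010000 48898c24d8000000 488b5028",
    "sequence_2": "eb0e 488d3d22406e00 31c0 e8???????? 440f113d???????? 833d????????00 750d",
    "sequence_3": "660f3a0fff08 66450f3a0fd20c 4c0317 4c135f08 4983d401 488b4500 4989c7",
    "sequence_4": "4c8d4e01 6690 4c39cf 7334 488d05143c3300 4c89c3 4889f1",
    "sequence_5": "e9???????? 488d05bc6d1700 e8???????? 488d0db0022800 488908 833d????????00 750e",
    "sequence_6": "ffd6 488b4c2460 488b8980000000 488b442468 31db 31ff 4889ca",
    "sequence_7": "e9???????? 4889c8 4889fb 4889d1 e8???????? 488b4c2478 4839cb",
    "sequence_8": "eb0d 4889c7 488b4c2428 e8???????? 31c0 31db 488b6c2448",
    "sequence_9": "e9???????? 4889d6 e8???????? 488b4c2458 4839c8 773e 488b742450",
}
MIN_SEQUENCES = 7          # condition: 7 of them
MAX_FILESIZE = 19940352    # condition: filesize < 19940352


def _pairs(pattern: str) -> list[str]:
    """Split 'ff d1 ??' style text into two-character byte tokens."""
    hexdigits = pattern.replace(" ", "")
    if len(hexdigits) % 2:
        raise ValueError("odd number of nibbles in hex pattern")
    return [hexdigits[i:i + 2] for i in range(0, len(hexdigits), 2)]


def hex_pattern_to_regex(pattern: str) -> re.Pattern:
    """Translate a YARA hex string (fixed bytes and ?? wildcards only) into a bytes regex."""
    parts = []
    for tok in _pairs(pattern):
        if tok == "??":
            parts.append(b".")                       # any single byte (DOTALL below)
        elif "?" in tok:
            raise ValueError("nibble wildcards such as 4? are outside this subset")
        else:
            parts.append(re.escape(bytes([int(tok, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)


COMPILED = {name: hex_pattern_to_regex(p) for name, p in GRIMPLANT_SEQUENCES.items()}


def scan(data: bytes) -> tuple[bool, dict[str, int]]:
    """Apply the rule to data; return (condition satisfied, {sequence: first match offset})."""
    hits = {}
    for name, rx in COMPILED.items():
        m = rx.search(data)
        if m:
            hits[name] = m.start()
    matched = len(hits) >= MIN_SEQUENCES and len(data) < MAX_FILESIZE
    return matched, hits


def build_sample(names, fill: int = 0x90, padding: bytes = b"\x00" * 64) -> bytes:
    """Constructed test buffer: the chosen sequences, wildcards filled with `fill`, glued with padding."""
    chunks = [bytes(fill if tok == "??" else int(tok, 16) for tok in _pairs(GRIMPLANT_SEQUENCES[n]))
              for n in names]
    return padding + padding.join(chunks) + padding


if __name__ == "__main__":
    print("all ten sequences present:", scan(build_sample(GRIMPLANT_SEQUENCES)))
    print("only six present, condition fails:", scan(build_sample(list(GRIMPLANT_SEQUENCES)[:6]))[0])
```

Because the wildcard bytes are filled with 0x90 only in the constructed buffer, a real sample matches at those positions with whatever relocation bytes it carries; the threshold of seven sequences and the file-size ceiling are applied exactly as the condition states them.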
This Knowledge Base article discusses a specific threat that's being tracked. The list of IOCs will change over time; check MVISION Insights for the latest IOCs.
Minimum Content Versions
Detection Summary
Minimum set of Manual Rules to improve protection to block this campaign:
IMPORTANT: Always follow best practices when you enable new rules and signatures.
When you implement new rules or signatures, always set them to Report mode first and check the alerts generated. Resolve any issues that arise and then set the rules to Block. This step mitigates against triggering false positives and allows you to refine your configuration.
For more information, see KB87843 - List of and best practices for Endpoint Security Dynamic Application Containment rules.
Endpoint Security - Advanced Threat Protection:
Rule ID: 4 Use GTI file reputation to identify trusted or malicious files
Host Intrusion Prevention:
Rule ID: 6113 T1055 - Fileless Threat: Reflective Self Injection
Rule ID: 6083 PowerShell Command Restriction - NonInteractive
Rule ID: 6081 PowerShell Command Restriction - NoProfile
Rule ID: 6070 Hidden PowerShell Detected
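Before moving the three PowerShell rules from Report to Block, it helps to know what command-line shapes their names describe, so that Report-mode alerts can be triaged against process-creation telemetry. The Python below is an added illustration and is not the vendor's rule logic: it maps each rule name to the shape its name implies (a hidden window, -NoProfile, -NonInteractive) and runs that mapping over constructed sample command lines. The regexes, the minimum abbreviation lengths and the sample events are assumptions; the one fact it relies on is that powershell.exe accepts any unambiguous prefix of a parameter name, which is why -nop, -noni and -w hidden must be covered alongside the long forms.

```python
from __future__ import annotations

import re


def _abbrev(name: str, min_prefix: int) -> str:
    """Regex fragment for '-name' and every abbreviation of at least min_prefix characters.

    powershell.exe accepts any unambiguous prefix of a parameter name, so a
    detection keyed on the long form alone misses '-nop' or '-w hidden'.
    """
    rest = name[min_prefix:]
    nested = "".join(f"(?:{c}" for c in rest) + ")?" * len(rest)
    return rf"-{name[:min_prefix]}{nested}"


# Illustrative command-line shapes for the three HIPS rule names above. These
# patterns are an assumption made for triage and are not the vendor's rule logic.
# The minimum prefix lengths are the shortest unambiguous ones against the
# powershell.exe parameter list (-w for -WindowStyle, -nop for -NoProfile,
# -non for -NonInteractive).
INDICATORS = {
    "6070 Hidden PowerShell Detected":
        re.compile(r"(?:^|\s)" + _abbrev("windowstyle", 1) + r"\s+hidden\b", re.IGNORECASE),
    "6081 PowerShell Command Restriction - NoProfile":
        re.compile(r"(?:^|\s)" + _abbrev("noprofile", 3) + r"\b", re.IGNORECASE),
    "6083 PowerShell Command Restriction - NonInteractive":
        re.compile(r"(?:^|\s)" + _abbrev("noninteractive", 3) + r"\b", re.IGNORECASE),
}

# Constructed sample process-creation records (host, command line); not real telemetry.
# The -enc payload on wks-0417 is the UTF-16LE base64 of "whoami".
SAMPLE_EVENTS = [
    ("build-agent-03", r"powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\ci\build.ps1"),
    ("wks-0417", "powershell.exe -nop -w hidden -noni -enc dwBoAG8AYQBtAGkA"),
    ("wks-0422", "powershell.exe"),
    ("srv-mon-01", 'powershell.exe -NonInteractive -Command "Get-Service"'),
]


def triage(cmdline: str) -> list[str]:
    """Names of the listed rules whose described command-line shape appears in cmdline."""
    return [rule for rule, rx in INDICATORS.items() if rx.search(cmdline)]


def report(events) -> dict[str, list[str]]:
    """{host: [rules]} for every event that would surface as at least one Report-mode alert."""
    findings = {}
    for host, cmdline in events:
        hits = triage(cmdline)
        if hits:
            findings[host] = hits
    return findings


if __name__ == "__main__":
    for host, rules in report(SAMPLE_EVENTS).items():
        print(f"{host}: {', '.join(rules)}")
```

The build agent in the sample shows the kind of benign hit that Report mode is meant to surface: -NoProfile is routine in CI scripts, and an exclusion for that process chain is better decided before the rule goes to Block than after it breaks a pipeline.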
Aggressive set of Manual Rules to improve protection to block this campaign:
IMPORTANT: Always follow best practices when you enable new rules and signatures.
When you implement new rules or signatures, always set them to Report mode first and check the alerts generated. Resolve any issues that arise and then set the rules to Block. This step mitigates against triggering false positives and allows you to refine your configuration.
For more information, see KB87843 - List of and best practices for Endpoint Security Dynamic Application Containment rules.
VirusScan Enterprise - Access Protection Rules:
Prevent creation of new executable files in the Windows folder
Host Intrusion Prevention:
Rule ID: 6010 Generic Application Hooking Protection
Rule ID: 1020 Windows Agent Shielding - File Access
Rule ID: 6011 Generic Application Invocation Protection
Rule ID: 1148 CMD Tool Access by a Network Aware Application
Rule ID: 412 Double File Extension Execution