Turla’s New DeliveryCheck Backdoor Breaches Ukraine’s Defense Sector

July 20, 2023 | thn | Cyber/Malware Attacks

The defense sector in Ukraine and Eastern Europe has been targeted by a new .NET-based backdoor called DeliveryCheck (aka CAPIBAR or GAMEDAY) that is capable of delivering next-stage payloads.

Microsoft’s threat intelligence team, in collaboration with the Computer Emergency Response Team of Ukraine (CERT-UA), attributed the attacks to a Russian nation-state actor known as Turla, which is also tracked under the names Iron Hunter, Secret Blizzard (formerly Krypton), Uroburos, Venomous Bear, and Waterbug. The group is associated with the Russian Federal Security Service (FSB).

“DeliveryCheck is distributed by e-mail as a document with malicious macros,” the company said in a series of tweets. “It persists via a scheduled task that downloads and launches it in memory. It also contacts the C2 server to retrieve the task, which can include launching an arbitrary payload embedded in an XSLT style sheet.”

Successful initial access was, in some cases, also followed by the delivery of a known Turla implant named Kazuar, which is equipped to steal application configuration files, event logs, and various data from web browsers.

The ultimate goal of the attack is to exfiltrate messages from the Signal messaging application for Windows, giving the adversary access to sensitive conversations, documents, and images on the targeted system.

A notable feature of DeliveryCheck is its ability to compromise Microsoft Exchange servers and install server-side components using PowerShell Desired State Configuration (DSC), a PowerShell management platform that helps administrators automate Windows system configuration.

“DSC generates Managed Object Format (MOF) which contains a PowerShell script that loads an embedded .NET payload into memory, effectively turning any legitimate server into a C2 malware hub,” Microsoft said.
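The two delivery mechanisms quoted above (a payload embedded in an XSLT style sheet, and a DSC-generated MOF file whose Script resource loads a .NET assembly in memory) both leave artifacts that can be triaged statically. The following Python script is an added defender-side example, not code from Microsoft, CERT-UA, or the article; it flags `msxsl:script` extension blocks and long base64-like runs in XSLT files, and Script resources plus in-memory-loading keywords in MOF files. The heuristics, keyword list, and all sample inputs are constructed for illustration (the sample blobs are repeated "ABC" bytes, not a real payload); `MSFT_ScriptResource` and `MSFT_FileDirectoryConfiguration` are the MOF class names DSC emits for its Script and File resources.

```python
"""Static triage of XSLT style sheets and DSC MOF files for embedded-code indicators.

Added example for this article; samples below are constructed and carry no payload.
"""
import re
import xml.etree.ElementTree as ET

# Namespace of the msxsl:script extension, which lets an XSLT file carry compiled code.
MSXSL_NS = "urn:schemas-microsoft-com:xslt"
# A run of base64 alphabet this long almost never appears in a legitimate style sheet or MOF.
BASE64_RUN = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")
# PowerShell fragments typical of decoding and loading a .NET assembly in memory (assumed list).
SCRIPT_KEYWORDS = ("FromBase64String", "Reflection.Assembly]::Load", "Invoke-Expression", "IEX ")


def xslt_findings(xslt_text: str) -> list:
    """Return indicator strings found in an XSLT document; an empty list means nothing flagged."""
    findings = []
    root = ET.fromstring(xslt_text)
    for el in root.iter():
        if el.tag == f"{{{MSXSL_NS}}}script":  # ElementTree renders namespaced tags as {ns}local
            findings.append(f"msxsl:script block (language={el.get('language')})")
    for m in BASE64_RUN.finditer(xslt_text):
        findings.append(f"base64-like run of {len(m.group())} chars")
    return findings


def mof_findings(mof_text: str) -> list:
    """Return indicator strings found in a DSC MOF file; an empty list means nothing flagged."""
    findings = []
    if "instance of MSFT_ScriptResource" in mof_text:
        findings.append("DSC Script resource present")
    for kw in SCRIPT_KEYWORDS:
        if kw in mof_text:
            findings.append(f"script keyword: {kw.strip()}")
    for m in BASE64_RUN.finditer(mof_text):
        findings.append(f"base64-like run of {len(m.group())} chars")
    return findings


# --- constructed samples -----------------------------------------------------
BENIGN_XSLT = """<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:template match="/"><html><body><xsl:value-of select="/report/title"/></body></html></xsl:template>
</xsl:stylesheet>"""

SUSPICIOUS_XSLT = """<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
  xmlns:msxsl="urn:schemas-microsoft-com:xslt" xmlns:user="urn:user">
  <msxsl:script language="CSharp" implements-prefix="user"><![CDATA[
    public static string run() { return "placeholder"; }
  ]]></msxsl:script>
  <xsl:variable name="blob">__BLOB__</xsl:variable>
  <xsl:template match="/"><xsl:value-of select="user:run()"/></xsl:template>
</xsl:stylesheet>""".replace("__BLOB__", "QUJD" * 60)

BENIGN_MOF = """instance of MSFT_FileDirectoryConfiguration as $MSFT_FileDirectoryConfiguration1ref
{
 ResourceID = "[File]Logs";
 DestinationPath = "C:\\\\Logs";
 Ensure = "Present";
 Type = "Directory";
 ModuleName = "PSDesiredStateConfiguration";
};"""

SUSPICIOUS_MOF = """instance of MSFT_ScriptResource as $MSFT_ScriptResource1ref
{
 ResourceID = "[Script]Stage";
 GetScript = "return @{}";
 TestScript = "$false";
 SetScript = "[Reflection.Assembly]::Load([Convert]::FromBase64String('__BLOB__'))";
 ModuleName = "PSDesiredStateConfiguration";
};""".replace("__BLOB__", "QUJD" * 60)


def triage(name: str, text: str) -> list:
    """Dispatch on file type: anything starting with '<' is treated as XSLT, otherwise as MOF."""
    return xslt_findings(text) if text.lstrip().startswith("<") else mof_findings(text)


if __name__ == "__main__":
    for name, text in [("benign.xslt", BENIGN_XSLT), ("dropper.xslt", SUSPICIOUS_XSLT),
                       ("benign.mof", BENIGN_MOF), ("loader.mof", SUSPICIOUS_MOF)]:
        hits = triage(name, text)
        print(f"{name}: {'CLEAN' if not hits else '; '.join(hits)}")
```

The checks are deliberately coarse: a legitimate style sheet can use `msxsl:script`, and a legitimate DSC configuration can carry a Script resource, so each hit is a reason to open the file, not a verdict. The useful combination is the one the article describes: a Script resource or script extension block sitting next to a large opaque blob.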



The disclosure comes as the Ukrainian Cyber Police dismantled a large bot farm of over 100 people suspected of spreading hostile propaganda justifying the Russian invasion, leaking personal information belonging to Ukrainian citizens, and taking part in various fraudulent schemes.

As part of the operation, searches were carried out in 21 locations, resulting in the confiscation of computer equipment, cell phones, more than 250 GSM gateways and around 150,000 SIM cards belonging to various cellular operators.
