The war of documents - bait in the Russia / Ukraine conflict

Check Point Research (CPR) has documented threat groups using documents about the Russia/Ukraine conflict to spread malware and lure victims in cyber espionage campaigns around the world. Depending on the targets and the region, attackers use official-looking documents, and even news articles and job advertisements, as bait.


CPR believes that the motive behind these recent campaigns is cyber espionage, for the theft of sensitive information from governments, banks and energy companies. Threat groups and their victims are not concentrated in one area, but cover the whole world, including Latin America, the Middle East and Asia.

In a new post, CPR presents the profiles of three APT groups, El Machete, Lyceum and SideWinder, which were recently seen running spear-phishing campaigns in five countries. The following table summarizes the origin, target sector and target countries of each APT group.

APT name     APT origin                 Target sector            Target countries
El Machete   Spanish-speaking country   Economic, governmental   Nicaragua, Venezuela
Lyceum       Islamic Republic of Iran   Energy                   Israel, Saudi Arabia
SideWinder   Probably India             Unknown                  Pakistan

Malware features

CPR analysed the malware used by each of the three APT groups, which was built specifically for these cyber espionage activities. Its features include:

  • Keylogging: records what the victim types on the keyboard
  • Credential collection: collects credentials stored in the Chrome and Firefox browsers
  • File collection: enumerates the files on each drive, collecting filenames and file sizes, so that specific files can be stolen
  • Screenshot capture
  • Data collection from the clipboard
  • Command execution

Attack methodologies

El Machete

  1. Spear-phishing email with text about Ukraine
  2. Attached Word document with an article about Ukraine
  3. A malicious macro inside the document drops a sequence of files
  4. The malware is downloaded onto the victim's computer

Lyceum

  1. Email with content related to war crimes in Ukraine and a link to a malicious document hosted on a website
  2. The document executes macro code when it is closed
  3. An executable file is written to the computer
  4. The malware runs the next time the computer is restarted

SideWinder

  1. The victim opens the malicious document
  2. When opened, the document retrieves a remote template from an attacker-controlled server
  3. The downloaded external template is an RTF file that exploits the vulnerability CVE-2017-11882
  4. The malware is installed on the victim's computer

El Machete

Machete was seen sending spear-phishing messages to financial institutions in Nicaragua, with an attached Word document entitled "Dark Plans of the Neo-Nazi Regime in Ukraine." The document contained an article written and published by Alexander Khokholikov, the Russian ambassador to Nicaragua, discussing the Russian-Ukrainian conflict from the Kremlin's perspective.


Image 1 - Bait document containing an article on the Russia-Ukraine conflict, sent by the El Machete APT to Nicaraguan financial institutions.

Lyceum

In mid-March, an Israeli energy company received an email from the address inews-reporter @ protonmail [.] com with the subject "Russian war crimes in Ukraine". The email contained some photos taken from public media sources and a link to an article hosted on the news-spot [.] live domain. The link in the email leads to a document containing the article "Investigators gather information on possible Russian war crimes in Ukraine" published by the Guardian. The same domain hosts several more malicious documents related to Russia and the Russia-Ukraine war, such as a copy of a 2020 Atlantic Council article on Russian nuclear weapons and a job advertisement for an "Extraction / Protective Agent" in Ukraine.

Image 2 - Bait email using the subject of the Russia-Ukraine conflict, sent by the Lyceum group


Image 3 - Bait documents related to the Russia-Ukraine war used by the Lyceum APT group


SideWinder

The malicious SideWinder document, which also takes advantage of the Russia-Ukraine war, was uploaded to VirusTotal (VT) in mid-March. Judging by its content, the intended targets are Pakistani entities. The bait document contains an archive from Bahria University's National Institute of Maritime Affairs in Islamabad and is entitled "Discussion on the Impact of the Russia-Ukraine Conflict on Pakistan". This malicious document uses remote template injection: when opened, it retrieves a remote template from an attacker-controlled server.
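As an added illustration (not code from the CPR report or this article), the following Python routine statically triages an OOXML Word document for the two delivery mechanisms described above: an embedded VBA project (the macro-based El Machete and Lyceum chains) and an external attachedTemplate relationship (the SideWinder remote template). The sample container it builds is constructed for the demonstration, and the template URL in it is a placeholder.

```python
import io
import xml.etree.ElementTree as ET
import zipfile

# OOXML relationship namespace and the relationship type Word uses for an
# attached template; with TargetMode="External" the target is fetched remotely.
REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")


def triage_docx(data: bytes) -> dict:
    """Return static indicators for a .docx/.dotm blob: whether a VBA project
    is embedded, and every external attachedTemplate target found in any
    .rels part (remote template injection)."""
    findings = {"has_vba": False, "remote_templates": []}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            if name.lower().endswith("vbaproject.bin"):
                findings["has_vba"] = True
            if name.lower().endswith(".rels"):
                root = ET.fromstring(z.read(name))
                for rel in root.iter(REL_NS + "Relationship"):
                    if (rel.get("Type") == ATTACHED_TEMPLATE
                            and rel.get("TargetMode") == "External"):
                        findings["remote_templates"].append(rel.get("Target", ""))
    return findings


def build_sample(remote_target: str = "", with_vba: bool = False) -> bytes:
    """Constructed minimal OOXML container for testing (not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<document/>")
        if with_vba:
            z.writestr("word/vbaProject.bin", b"\x00")
        if remote_target:
            z.writestr(
                "word/_rels/settings.xml.rels",
                '<Relationships xmlns="%s"><Relationship Id="rId1" Type="%s" '
                'Target="%s" TargetMode="External"/></Relationships>'
                % (REL_NS[1:-1], ATTACHED_TEMPLATE, remote_target))
    return buf.getvalue()


if __name__ == "__main__":
    # Placeholder URL: a real lure would point at the attacker's server.
    print(triage_docx(build_sample("http://template.example/lure.dotm", True)))
```

Either indicator on its own is not proof of malice (legitimate templates and macros exist), but a document arriving by email that loads an external template is worth holding for analysis.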

Image 4 - Bait document related to the Russia-Ukraine war, by Sidewinder APT


Comment by Sergey Shykevich, Threat Intelligence Group Manager at Check Point Software:

"Right now, we're seeing a variety of APT campaigns using the Russia-Ukraine war to distribute malware. The campaigns are highly targeted and sophisticated, focusing on the government, financial and energy sectors. In our latest report, we profile and provide examples of three different APT groups, all from different parts of the world, that we identified orchestrating these spear-phishing campaigns. We carefully studied the malware involved and found features that cover keystroke logging, taking screenshots, and more. I strongly believe that these campaigns are designed with cyber espionage as the main motive. Our findings reveal a clear trend that the war between Russia and Ukraine is a decoy used by threat groups worldwide. I strongly recommend that governments, banks and energy companies step up to raise awareness and educate their employees about cyber security and implement cyber security solutions that protect them at all levels."

The latest figures on cyber-attacks in Ukraine, Russia and NATO countries

Recently, Check Point Research (CPR) published an update on cyber attack trends during the current Russia-Ukraine war. One month after the start of the war on February 24, 2022, Russia and Ukraine saw increases in cyber attacks of 10% and 17% respectively.

CPR has also seen a 16% increase in cyber attacks worldwide over the course of the current conflict, and presents cyber attack data for individual countries, NATO regions and more here.

Written by newsbot
