MicroBackdoor Used in Attacks Against Ukraine Organizations

Description

FortiGuard Labs is aware of a report from CERT-UA that Ukrainian organizations are under cyberattacks that aim to install a publicly available backdoor named "MicroBackdoor." The cyberattacks are attributed to APT group "UAC-0051", also known as unc1151, who has reportedly acted for Belarusian government's interests in the past.


Why is this Significant?

This is significant because, according to CERT-UA, Ukraine organizations were attacked by an APT group whose past activities are said to be aligned with Belarusian government's interests.


What's the Detail of the Attack?

Unfortunately, the initial attack vector is unknown. What's known is that the victims received "dovidka.zip", which contains "dovidka.chm". The CHM file contains two files. An image.jpg is an image file used as a decoy. Another file is file.htm, which creates "ignit.vbs". The VBS file decodes three files: "core.dll," "desktop.ini" and "Windows Prefetch.lnk." The LNK file launches the INI file using wscript.exe. Then, the INI file runs the DLL using regasm.exe. The core.dll is a .NET loader that decodes and executes MicroBackdoor on the compromised machine.


What is MicroBackdoor?

MicroBackdoor is a publicly available backdoor that receives commands from a Command and Control (C2) server and performs various activities.


According to the description on the MicroBackdoor repository

"Micro Backdoor client supports 32-bit and 64-bit versions of Windows XP, Vista, 7, 8, 8.1, 10, Server 2003, Server 2003 R2, Server 2008, Server 2008 R2, Server 2012, Server 2012 R2, Server 2016 and Server 2019 of any editions, languages and service packs."


What is the Status of Coverage?

FortiGuard Labs provide the following AV coverage against available files involved in the attack:


PossibleThreat.PALLAS.H

VBS/Agent.OVE!tr

LNK/Agent.7AB4!tr


All network IOCs are blocked by the WebFiltering client.

Appendix

CERT-UA#4109 (CERT-UA)