Jamf Blog

March 16, 2022 by Nikolaos Bloukos

Jamf Threat Labs research findings on cyber-warfare between Russia and Ukraine

Security, Jamf Threat Labs

As the war between Russia and Ukraine continues, cybersecurity researchers identify the malicious threats that are occurring as cyber warfare unfolds. Virtually unseen by most, but affecting many, as malware variants, phishing campaigns, advanced persistent threats (APTs) and command & control (C2) attacks are unleashed, threatening to compromise the security of users on both sides.

Since the time that Russia invaded Ukraine, there's been a sharp rise in malicious attacks with a variety of different types of cyberattacks being distributed via differing methods. Namely, the HermeticWiper malicious campaign, which is a Denial of Service (DoS) type of attack. A sophisticated malware family that is designed to destroy data and render affected systems inoperable.

Follow-up variants include the IsaacWiper, HermeticWizard and HermeticRansom. These variants have been modified from their original source code to add worm-like functionality, allowing them to propagate by searching through local networks to detect additional hosts to infect.

Additional attacks, such as the Asylum Ambuscade malicious campaign, are being seen as likely being a nation-state sponsored phishing campaign using a possibly compromised Ukrainian armed service member’s email account to target European government personnel involved in managing the logistics of refugees fleeing Ukraine, as reported by Proofpoint.

Jamf Threat Labs Investigation

Expansion of HermeticWiper C2 network infrastructure

In addition to the threats mentioned previously, fragments of infrastructure details appear to indicate that the attacks being seen are a continuation of, or expansion to, the current campaign. The C2 server's IP address was initially reported as: 94.158.244.27, though after reversing it, Jamf Threat Labs identified the following Second-Level Domains (SLD) and Fully-Qualified Domain Names (FQDN):

decent.delayed.coagula.online decidedly.descend.coagula.online deceived.coagula.online descend.coagula.online deed.coagula.online delve.coagula.online deserts.deceived.coagula.online delayed.coagula.online destroyed.tortunas.ru deluge.destroyed.tortunas.ru dentist.coagula.online upload-lk.hopto.org deceived.deceive.coagula.online aaa.tortunas.ru defect.deceive.coagula.online upload-dt.hopto.org deserved.coagula.online seeuare.com linjkjlklod.sbs phymateus.online tortunas.ru

After further investigation into those twenty-one SLDs and FQDNs, several of those resolved to the following IP address: 94.158.244.27

94.158.244.27 -> Flagged as malicious IP by 5 engines in VT and also reported in hermetic-wiper news hopto.org -> IPQS has high confidence this domain is used for conducting abusive behaviour including scams. All users from this domain should be treated with caution. Hopto.org is currently ranked as the 11,370th most popular website online based on visits from recent web traffic. Additionally, two FQDNs for this SLD, namely upload-lk.hopto.org & upload-dt.hopto.org are already mentioned as known IoCs in Orange-Cyberdefense collection of IoCs for RU-UA war. linjkjlklod.sbs -> Domain generation algorithm seeuare.com -> Domain generation algorithm tortunas.ru -> Orange-Cyberdefense collection of IoCs for RU-UA war phymateus.online -> Orange-Cyberdefense collection of IoCs for RU-UA war

The Orange-Cyberdefense IoCs-CSV may be found at this GitHub repo: https://github.com/Orange-Cyberdefense/russia-ukraine_IOCs/blob/main/OCD-Datalake-russia-ukraine_IOCs-ALL.csv

Further analysis into the domain generation algorithm SLD linjkjlklod.sbs, found that it switched the resolving host to IP address: 172.104.33.43. Upon reversing this IP via VT & RiskIQ, limiting it to resolutions made in the last thirty days, we discovered ten additional SLDs and FQDNs:

host.kalilis.xyz ilikee.digital kalilis.xyz linjkjlklod.cyou mail6.kalilis.xyz mbox.kalilis.xyz mta.kalilis.xyz out.kalilis.xyz smtps.kalilis.xyz spcuk.xyz

Of these new domains, we see four new unique SLDs that are resolving to IP address 172.104.33.43, along with already known SLD linjkjlklod.sbs.

ilikee.digital -> Creation Date 2 months ago kalilis.xyz -> Creation Date 2 months ago linjkjlklod.cyou -> Domain generation algorithm & flagged by 1 VT engine spcuk.xyz -> Creation Date: 2022-02-28T00:31:23.00Z

What makes these domains worthy of blocking?

Both linjkjlklod.cyou and linjkjlklod.sbs were created via domain generation algorithm and their creation date is within the one-month timeframe for newly registered websites. Also, linjkjlklod.cyou is flagged as malicious on VT, as well as being linked to known malicious traffic via IP address 94.158.244.27 (the same one being used to communicate HermeticWiper).
While ilikee.digital, kalilis.xyz and spcuk.xyz are more “grey area” domains given that the only common factor they share is the relatively new creation date of approximately sixty days, they do resolve to IP address 172.104.33.43, which is known to host the linjkjlklod.cyou and linjkjlklod.sbs domains.

Also worth mentioning is that the malicious threat actor is likely using a domain generation algorithm to generate new domain names. From our experience, there could be some pattern of how names are generated but it’s usually hard to detect which algorithm is used.

Phishing trend for .ua Top-Level Domain (TLD)

After analyzing the data gathered by Jamf ThreatLabs, we can clearly see that there is a significant uptick in phishing resources that are using the .ua TLD.

Over the time period from September 2020 to March 2022, there is a surge in January 2022. This is also an indication that malicious actors are usually preparing their phishing infrastructure months before they make their campaign active.

With regards to the qualitative part of the research, it is also worth mentioning that most of the newly discovered phishing campaigns are trying to impersonate known social media platforms, such as Facebook or Twitter.

 facebook.com-c.kl.com.ua twitter.com-v.kl.com.ua

These phishing IoCs are all hosted on a known UA web-hosting service (kl.com.ua and zzz.com.ua) with a reputation known to serve websites linked to phishing campaigns.

As referenced on Website Planet for zzz web-hosting service, “You can register ten domains on the Pro plan and unlimited domains on the VIP plan with the extensions .zzz.com.ua, adr.com.ua, and kl.com.ua.”. Most of our detections include kl.com.ua, which indicates that threat actors have the resources necessary to ensure they succeed with their campaign.

Of course, phishing attempts are not stopping at social media. A common practice applied by the malicious actors is to also abuse other services, such as parcel and mail distribution vendors, such as attempting to impersonate the United States Postal Service (USPS) in order to further their phishing campaign efforts.

 https://usps.com.manage-trackingnumber.kpmf.com.ua/usps/

Jamf Threat Labs, along with the support of advanced machine learning MI:RIAM, already identifies and blocks all related threats proactively.

Contact Jamf or your preferred representative to find out how Jamf Threat Defense can protect your organization's mobile fleet from current and future threats.

Request Trial

Nikolaos Bloukos

Jamf

Previous Blog Post:
Prev
Jamf Protect receives several awards for excellence in endpoint protection Blog Homepage
Next Blog Post:
Next
Jamf Threat Labs identifies Safari vulnerability allowing for Gatekeeper bypass

Subscribe to the Jamf Blog

Have market trends, Apple updates and Jamf news delivered directly to your inbox.

Email Address (Work)

To learn more about how we collect, use, disclose, transfer, and store your information, please visit our Privacy Policy.