Since Russia invaded Ukraine, there has been a sharp rise in malicious activity, with a variety of cyberattacks being distributed through differing methods. Notable among them is the HermeticWiper campaign, which is a Denial of Service (DoS) type of attack: a sophisticated malware family designed to destroy data and render affected systems inoperable.
Follow-up variants include the IsaacWiper, HermeticWizard and HermeticRansom. These variants have been modified from their original source code to add worm-like functionality, allowing them to propagate by searching through local networks to detect additional hosts to infect.
Additional attacks, such as the Asylum Ambuscade campaign, appear to be a likely nation-state-sponsored phishing campaign that, as reported by Proofpoint, used a possibly compromised Ukrainian armed service member's email account to target European government personnel involved in managing the logistics of refugees fleeing Ukraine.
Jamf Threat Labs Investigation
Expansion of HermeticWiper C2 network infrastructure
In addition to the threats mentioned previously, fragments of infrastructure details indicate that the attacks being seen are a continuation or expansion of the current campaign. The C2 server's IP address was initially reported as 126.96.36.199; after reverse-resolving it, Jamf Threat Labs identified the following Second-Level Domains (SLDs) and Fully-Qualified Domain Names (FQDNs):
After further investigation into those twenty-one SLDs and FQDNs, several of them resolved to the following IP address: 188.8.131.52
The Orange-Cyberdefense IoCs-CSV may be found at this GitHub repo: https://github.com/Orange-Cyberdefense/russia-ukraine_IOCs/blob/main/OCD-Datalake-russia-ukraine_IOCs-ALL.csv
Further analysis of the DGA-generated SLD linjkjlklod.sbs found that it switched its resolving host to IP address 184.108.40.206. Reversing this IP via VirusTotal (VT) and RiskIQ, limited to resolutions made in the last thirty days, revealed ten additional SLDs and FQDNs:
Of these new domains, four are new unique SLDs resolving to IP address 220.127.116.11, alongside the already known SLD linjkjlklod.sbs.
What makes these domains worthy of blocking?
- Both linjkjlklod.cyou and linjkjlklod.sbs were created via a domain generation algorithm, and their creation dates fall within the one-month window that defines newly registered domains. Also, linjkjlklod.cyou is flagged as malicious on VT and is linked to known malicious traffic via IP address 18.104.22.168 (the same address used for HermeticWiper communications).
- ilikee.digital, kalilis.xyz and spcuk.xyz are more “grey area” domains, since the only factor they share is a relatively recent creation date of approximately sixty days; however, they resolve to IP address 22.214.171.124, which is known to host the linjkjlklod.cyou and linjkjlklod.sbs domains.
Also worth mentioning is that the threat actor is likely using a domain generation algorithm to generate new domain names. In our experience there can be a pattern in how names are generated, but it is usually hard to determine which algorithm is used.
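The blocking rationale above (newly registered DGA-looking names, reputation flags, and co-hosting on an IP already tied to blocked domains) can be turned into a repeatable passive-DNS triage step. The following is an added example written for this post, not Jamf Threat Labs code: the records are constructed from the domains and the shared IP named above, while the creation dates, reputation flags, the analysis date, the control domain and the consonant-run DGA heuristic are assumptions.

```python
from dataclasses import dataclass
from datetime import date

@dataclass
class DomainRecord:
    name: str         # FQDN or SLD as seen in passive DNS
    resolved_ip: str  # IP it currently resolves to
    created: date     # registration date (assumed values below)
    flagged: bool     # flagged malicious by a reputation service (assumed)

# Constructed records modelled on the domains and the shared hosting IP named in
# the post; dates, flags, the analysis date and the control domain are assumptions.
AS_OF = date(2022, 3, 15)
RECORDS = [
    DomainRecord("linjkjlklod.sbs", "22.214.171.124", date(2022, 3, 1), False),
    DomainRecord("linjkjlklod.cyou", "22.214.171.124", date(2022, 3, 2), True),
    DomainRecord("ilikee.digital", "22.214.171.124", date(2022, 1, 20), False),
    DomainRecord("kalilis.xyz", "22.214.171.124", date(2022, 1, 25), False),
    DomainRecord("spcuk.xyz", "22.214.171.124", date(2022, 1, 18), False),
    DomainRecord("example-shop.com", "198.51.100.7", date(2015, 6, 1), False),
]
VOWELS = set("aeiouy")

def looks_generated(label, max_run=4):
    """Cheap DGA heuristic (an assumption, not the actor's algorithm):
    a run of max_run or more consecutive consonants in the label."""
    run = 0
    for ch in label:
        run = run + 1 if ch.isalpha() and ch not in VOWELS else 0
        if run >= max_run:
            return True
    return False

def pivot_by_ip(records):
    """Group domains by resolved IP so shared hosting stands out."""
    by_ip = {}
    for r in records:
        by_ip.setdefault(r.resolved_ip, []).append(r.name)
    return {ip: sorted(names) for ip, names in by_ip.items()}

def triage(records, today=AS_OF, new_days=30, grey_days=60):
    """Apply the post's rationale: block flagged or newly registered DGA-looking
    domains, mark recent domains co-hosted with them as grey, allow the rest."""
    age = {r.name: (today - r.created).days for r in records}
    blocked = {r.name for r in records if r.flagged or
               (age[r.name] <= new_days and looks_generated(r.name.split(".")[0]))}
    bad_ips = {r.resolved_ip for r in records if r.name in blocked}
    return {r.name: "block" if r.name in blocked
            else "grey" if r.resolved_ip in bad_ips and age[r.name] <= grey_days
            else "allow" for r in records}
```

Running `triage(RECORDS)` blocks both linjkjlklod names, marks the three co-hosted recent domains as grey for analyst review, and leaves the unrelated control domain alone.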
Phishing trend for .ua Top-Level Domain (TLD)
After analyzing the data gathered by Jamf Threat Labs, we can clearly see a significant uptick in phishing resources that use the .ua TLD.
Over the period from September 2020 to March 2022, there is a surge in January 2022. This also indicates that malicious actors usually prepare their phishing infrastructure months before making a campaign active.
With regard to the qualitative part of the research, most of the newly discovered phishing campaigns attempt to impersonate well-known social media platforms such as Facebook or Twitter.
These phishing IoCs are all hosted on known Ukrainian web-hosting services (kl.com.ua and zzz.com.ua) with a reputation for serving websites linked to phishing campaigns.
As referenced on Website Planet for the zzz web-hosting service, “You can register ten domains on the Pro plan and unlimited domains on the VIP plan with the extensions .zzz.com.ua, adr.com.ua, and kl.com.ua.” Most of our detections involve kl.com.ua, which indicates that threat actors have the resources necessary to ensure their campaigns succeed.
Of course, phishing attempts do not stop at social media. Malicious actors commonly abuse other services as well, such as parcel and mail delivery vendors, for example by impersonating the United States Postal Service (USPS) to further their phishing campaign efforts.
Jamf Threat Labs, with the support of its advanced machine learning, MI:RIAM, already identifies and blocks all related threats proactively.
Contact Jamf or your preferred representative to find out how Jamf Threat Defense can protect your organization's mobile fleet from current and future threats.