
Voodoo Bear (APT44 - Part 3)

Alias: ELECTRUM, Telebots, IRON VIKING, BlackEnergy (Group), Quedagh, Voodoo Bear, IRIDIUM, Seashell Blizzard, FROZENBARENTS

The target countries, sectors and known attacks associated with Voodoo Bear were already discussed in more detail in Part 1.
In Part 2, the software used in the associated attacks was analysed in more detail. This includes the tactics, techniques and procedures (TTP) used and an explanation of the attack chains, as well as parts of the respective code.

AcidRain

The YARA rule published by RustyNoob619, based on the file hash and key characteristics shared by @ShanHolo, matches files that can be associated with AcidRain. The sample hash is recorded in the rule's metadata; the condition itself requires an ELF header and searches for the device paths the wiper overwrites or deletes, e.g. flash memory such as “/dev/mtdblockXX”, together with the reboot binaries and “/proc/self/exe”.

rule ELF_Wiper_AcidRain_March2024 {
    meta:
        Description = "Detects the Acid Rain Wiper Malware"
        Author = "RustyNoob619"
        Credits = "@ShanHolo for sharing the malware file hash and key characteristics"
        Reference = "https://twitter.com/ShanHolo/status/1770083206773002267"
        File_Hash = "6a8824048417abe156a16455b8e29170f8347312894fde2aabe644c4995d7728"

    strings:
        $dev1 = "/dev/sdXX" fullword ascii
        $dev2 = "/dev/null" fullword ascii
        $dev3 = "/dev/dm-XX" fullword ascii
        $dev4 = "/dev/block/mtdblockXX" fullword ascii
        $dev5 = "/dev/mtdblockXX" fullword ascii
        $dev6 = "/dev/mmcblkXX" fullword ascii
        $dev7 = "/dev/ubiXX" fullword ascii
        $dev8 = "/dev/loopXX" fullword ascii
        $dev9 = "/dev/block/mmcblkXX" fullword ascii
        $dev10 = "/dev/mtdXX" fullword ascii
        $usr1 = "/usr/sbin/reboot" fullword ascii
        $usr2 = "/usr/bin/reboot" fullword ascii
        $proc = "/proc/self/exe" fullword ascii

    condition:
        uint32be(0) == 0x7f454c46 //ELF Header
        and $proc
        and 1 of ($usr*)
        and 3 of ($dev*)
}

Industroyer

Several YARA rules are available for Industroyer in Intezer's RussianAPT rule set: rules for the Industroyer wiper, the port scanner, the PayloadOPC, the backdoor and the PayloadIEC104 component, which occupy lines 502 to 662 of that file.
Because of the size of the rule set, only the link is given here (see Hunting below).

NotPetya

The following YARA rule can help identify NotPetya. The sample hashes are recorded in its metadata; the condition checks for the MZ header and a file size below 1000 KB, combined with a set of strings and byte sequences.

/*
   Yara Rule Set
   Author: Florian Roth
   Date: 2017-06-27
   Identifier: NotPetya
   Reference: https://goo.gl/h6iaGj
              https://gist.github.com/vulnersCom/65fe44d27d29d7a5de4c176baba45759
*/

/* Rule Set ----------------------------------------------------------------- */

rule NotPetya_Ransomware_Jun17 {
   meta:
      description = "Detects new NotPetya Ransomware variant from June 2017"
      license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://goo.gl/h6iaGj"
      date = "2017-06-27"
      hash1 = "027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745"
      hash2 = "45ef8d53a5a2011e615f60b058768c44c74e5190fefd790ca95cf035d9e1d5e0"
      hash3 = "64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1"
      id = "8805f971-0680-534d-9955-65dc4ecc934a"
   strings:
      $x1 = "Ooops, your important files are encrypted." fullword wide ascii
      $x2 = "process call create \"C:\\Windows\\System32\\rundll32.exe \\\"C:\\Windows\\%s\\\" #1 " fullword wide
      $x3 = "-d C:\\Windows\\System32\\rundll32.exe \"C:\\Windows\\%s\",#1 " fullword wide
      $x4 = "Send your Bitcoin wallet ID and personal installation key to e-mail " fullword wide
      $x5 = "fsutil usn deletejournal /D %c:" fullword wide
      $x6 = "wevtutil cl Setup & wevtutil cl System" ascii
      /* ,#1 ..... rundll32.exe */
      $x7 = { 2C 00 23 00 31 00 20 00 00 00 00 00 00 00 00 00 72 00 75 00 6E
         00 64 00 6C 00 6C 00 33 00 32 00 2E 00 65 00 78 00 65 00 }

      $s1 = "%s /node:\"%ws\" /user:\"%ws\" /password:\"%ws\" " fullword wide
      $s4 = "\\\\.\\pipe\\%ws" fullword wide
      $s5 = "schtasks %ws/Create /SC once /TN \"\" /TR \"%ws\" /ST %02d:%02d" fullword wide
      $s6 = "u%s \\\\%s -accepteula -s " fullword wide
      $s7 = "dllhost.dat" fullword wide
   condition:
      uint16(0) == 0x5a4d and filesize < 1000KB and ( 1 of ($x*) or 3 of them )
}
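
Both rules above depend on YARA semantics that are easy to misread when writing or tuning a rule: "fullword" (no alphanumeric neighbour), "wide" (UTF-16LE encoding), hex byte patterns, "N of ($x*)" versus "N of them", and the header and filesize checks. The following Python is an added example, not part of the original post and not the rule authors' code; it re-implements just enough of those semantics to evaluate the AcidRain and NotPetya conditions against constructed byte blobs (not real malware). Function names such as acidrain_rule, notpetya_rule, string_matches and count_of are this example's own. For real hunting, run the published rules with YARA itself.

```python
# Added example, not part of the original post or of either rule author's code:
# a minimal re-implementation of the string and condition semantics the two YARA
# rules above rely on (fullword, wide = UTF-16LE, hex strings, "N of ($x*)",
# "N of them", header and filesize checks), evaluated against constructed blobs.
import re

ALNUM = rb"[A-Za-z0-9]"


def compile_text(text: str, wide: bool, fullword: bool) -> re.Pattern:
    """Bytes regex for one YARA text string; fullword means no alnum neighbour."""
    if wide:
        body = re.escape(text.encode("utf-16-le"))
        # for wide strings the neighbour is a whole (alnum, 0x00) code unit
        left, right = rb"(?<!" + ALNUM + rb"\x00)", rb"(?!" + ALNUM + rb"\x00)"
    else:
        body = re.escape(text.encode("ascii"))
        left, right = rb"(?<!" + ALNUM + rb")", rb"(?!" + ALNUM + rb")"
    return re.compile(left + body + right if fullword else body)


def string_matches(data: bytes, text: str, mods: str) -> bool:
    """Evaluate one YARA string with its modifier list against data."""
    mods = mods.split()
    if "hex" in mods:                          # { 2C 00 23 ... } byte pattern
        return bytes.fromhex(text) in data
    variants = []
    if "wide" in mods:
        variants.append(True)
    if "ascii" in mods or "wide" not in mods:  # ascii is the default encoding
        variants.append(False)
    return any(compile_text(text, w, "fullword" in mods).search(data) for w in variants)


def count_of(data: bytes, strings: dict, prefix: str = "$") -> int:
    """How many strings whose identifier starts with prefix match ("N of ($x*)")."""
    return sum(string_matches(data, t, m) for n, (t, m) in strings.items() if n.startswith(prefix))


# String sections transcribed from the two rules on the page.
ACIDRAIN = {
    **{f"$dev{i}": (p, "fullword ascii") for i, p in enumerate([
        "/dev/sdXX", "/dev/null", "/dev/dm-XX", "/dev/block/mtdblockXX", "/dev/mtdblockXX",
        "/dev/mmcblkXX", "/dev/ubiXX", "/dev/loopXX", "/dev/block/mmcblkXX", "/dev/mtdXX"], 1)},
    "$usr1": ("/usr/sbin/reboot", "fullword ascii"),
    "$usr2": ("/usr/bin/reboot", "fullword ascii"),
    "$proc": ("/proc/self/exe", "fullword ascii"),
}
NOTPETYA = {
    "$x1": ("Ooops, your important files are encrypted.", "fullword wide ascii"),
    "$x2": (r'process call create "C:\Windows\System32\rundll32.exe \"C:\Windows\%s\" #1 ', "fullword wide"),
    "$x3": (r'-d C:\Windows\System32\rundll32.exe "C:\Windows\%s",#1 ', "fullword wide"),
    "$x4": ("Send your Bitcoin wallet ID and personal installation key to e-mail ", "fullword wide"),
    "$x5": ("fsutil usn deletejournal /D %c:", "fullword wide"),
    "$x6": ("wevtutil cl Setup & wevtutil cl System", "ascii"),
    "$x7": ("2C 00 23 00 31 00 20 00 00 00 00 00 00 00 00 00 72 00 75 00 6E 00 64 00 6C 00 6C 00 "
            "33 00 32 00 2E 00 65 00 78 00 65 00", "hex"),          # ",#1 ..... rundll32.exe" in UTF-16LE
    "$s1": (r'%s /node:"%ws" /user:"%ws" /password:"%ws" ', "fullword wide"),
    "$s4": (r"\\.\pipe\%ws", "fullword wide"),
    "$s5": (r'schtasks %ws/Create /SC once /TN "" /TR "%ws" /ST %02d:%02d', "fullword wide"),
    "$s6": (r"u%s \\%s -accepteula -s ", "fullword wide"),
    "$s7": ("dllhost.dat", "fullword wide"),
}


def acidrain_rule(data: bytes) -> bool:
    """Condition of ELF_Wiper_AcidRain_March2024."""
    return (data[:4] == b"\x7fELF"                        # uint32be(0) == 0x7f454c46
            and count_of(data, ACIDRAIN, "$proc") == 1    # and $proc
            and count_of(data, ACIDRAIN, "$usr") >= 1     # and 1 of ($usr*)
            and count_of(data, ACIDRAIN, "$dev") >= 3)    # and 3 of ($dev*)


def notpetya_rule(data: bytes) -> bool:
    """Condition of NotPetya_Ransomware_Jun17 (YARA's KB is 1024 bytes)."""
    return (data[:2] == b"MZ" and len(data) < 1000 * 1024  # uint16(0) == 0x5a4d and filesize < 1000KB
            and (count_of(data, NOTPETYA, "$x") >= 1 or count_of(data, NOTPETYA) >= 3))


def wide(s: str) -> bytes:
    """UTF-16LE string with terminator, as a Windows binary would store it."""
    return s.encode("utf-16-le") + b"\x00\x00"


# Constructed sample blobs (not real malware): a header stub plus the strings of interest.
ACIDRAIN_LIKE = (b"\x7fELF" + b"\x00" * 60 + b"/proc/self/exe\x00/usr/sbin/reboot\x00"
                 b"/dev/sdXX\x00/dev/mtdblockXX\x00/dev/loopXX\x00")
BENIGN_ELF = (b"\x7fELF" + b"\x00" * 60 + b"/proc/self/exe\x00/usr/bin/reboot\x00"
              b"/dev/null\x00/dev/sdXX1\x00")           # /dev/sdXX1 fails the fullword test
NOTPETYA_LIKE = (b"MZ" + b"\x90" * 62 + wide("dllhost.dat") + wide(r"\\.\pipe\%ws")
                 + wide(r"u%s \\%s -accepteula -s "))    # no $x hit, but 3 of them
BENIGN_PE = b"MZ" + b"\x90" * 62 + wide("dllhost.dat") + b"hello\x00"

if __name__ == "__main__":
    for name, blob, rule in [("ACIDRAIN_LIKE", ACIDRAIN_LIKE, acidrain_rule),
                             ("BENIGN_ELF", BENIGN_ELF, acidrain_rule),
                             ("NOTPETYA_LIKE", NOTPETYA_LIKE, notpetya_rule),
                             ("BENIGN_PE", BENIGN_PE, notpetya_rule)]:
        print(f"{name}: {rule(blob)}")
```

Two details worth noticing when reading the results: "/dev/sdXX1" does not count towards "3 of ($dev*)" because fullword rejects an alphanumeric neighbour, so a rule author who expects the XX placeholders to be filled with digits at runtime must drop fullword or use a regex instead; and the NotPetya-like blob fires without any $x string because "3 of them" counts across both the $x and $s groups, which is why the weaker $s strings are only meaningful in combination.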

Similar hacker groups

In addition to Voodoo Bear, there are seven other Russian state-sponsored hacker groups.

Fancy Bear (APT28)

Alias: Fancy Bear, APT28, IRON TWILIGHT, SNAKEMACKEREL, Swallowtail, Group 74, Sednit, Sofacy, Pawn Storm, STRONTIUM, Tsar Team, Threat Group-4127, TG-4127, Forest Blizzard, FROZENLAKE

APT28 is also a constant threat alongside APT29, but unlike APT29 it is not subordinate to the Russian Foreign Intelligence Service (SVR), but to Russian military intelligence (GRU) or the Ministry of Defense. In addition to Ukraine and NATO, the group is also interested in Europe, South America, the Middle East and Central Asia.

There is also interest in various sectors such as government, military and defense, energy, finance, heavy industry, high-tech and telecommunications, higher education, news media, NGOs, and shipping and rail transport. Fancy Bear uses TTPs such as xTunnel, Mimikatz or Evil-Twin.

Cozy Bear (APT29)

Cozy Bear, primarily known as APT29, is believed to be under the control of the SVR.
There is also interest in various sectors such as biotechnology, consulting, education, financial services, government, healthcare, legal services, nonprofits, pharmaceuticals, technology, telecommunication, think tanks, travel, and science/R&D.

The group uses TTPs such as spearphishing attachments, access to Azure and M365 environments via the Microsoft Graph API, password guessing and password spraying, exploitation of public-facing applications, and tools including FoggyWeb, GoldFinder, NativeZone and WellMess, RegDuke, PolyglotDuke, MiniDuke and FatDuke, and SUNBURST, SUNSPOT and TEARDROP.

Primitive Bear

Primitive Bear (aka Aqua Blizzard or Gamaredon) is also a Russian state-sponsored hacking group that has been linked to the Russian Federal Security Service (FSB). Just like Voodoo Bear, the main target is Ukraine, including government agencies, the military, non-governmental organizations, the judiciary, law enforcement agencies and non-profit organizations, as well as institutions related to Ukrainian affairs. This group also relied on espionage and exfiltration of sensitive data.

Primitive Bear uses TTPs such as spear phishing emails, VBScripts, Ping, PowerPunch, Pterodo, QuietSieve, DinoTrain, DesertDown, DilongTrash, ObfuBerry and ObfuMerry.

Venomous Bear

Venomous Bear is primarily known as Turla and, like Primitive Bear, is subordinate to the Russian Federal Security Service (FSB). According to Google, the group is primarily interested in Ukraine, NATO, Australia, South America, the Middle East and South-East Asia.

There is also interest in various sectors such as government, military and defense, higher education, news media and NGOs.

Venomous Bear uses TTPs such as KOPILUWAK, QUIETCANARY, ANDROMEDA, Brute Force, Lateral Tool Transfer, Command and Scripting Interpreter: Python, and Password Policy Discovery.

Energetic Bear

Alias: TEMP.Isotope, DYMALLOY, Berserk Bear, TG-4192, Crouching Yeti, IRON LIBERTY, Energetic Bear, Ghost Blizzard, BROMINE, Dragonfly. Energetic Bear is another Russian state-sponsored hacker group which, like Venomous Bear and Primitive Bear, also belongs to the Federal Security Service of the Russian Federation (FSB). This group is active worldwide.

As the name suggests, the sector most likely to be affected is the energy sector. However, the sectors Chemicals, Communications Infrastructure, Consumer Retail: Hardline (Consumer Durables), Defense Industrial Base, Digital, Print and Broadcast Media, Education: Higher Education, Financial Services, Healthcare & Public Health, and Transportation Systems: Aviation are also affected.
Energetic Bear uses tools such as Trojan.Karagany, Backdoor.Oldrea and CrackMapExec, and the techniques used include account manipulation, password cracking and supply chain compromise.

Ember Bear

Alias: Saint Bear, Lorec Bear, Bleeding Bear, DEV-0586, UNC2589, UAC-0056, Lorec53, Ember Bear

Just like Fancy Bear and Voodoo Bear, Ember Bear is probably part of the General Staff of the Armed Forces of the Russian Federation (GRU). In addition to Ukraine and Georgia, Western Europe and North America are also targets of the attacks.
The three main target sectors are ministries, pharmaceutical companies, and the financial sector.

According to MITRE ATT&CK, the tools that could be tracked are WhisperGate, Saint Bot and OutSteel, as well as techniques such as Software Packing, User Execution: Malicious File, and Exploitation for Client Execution.

Boulder Bear

Alias: -

Another hacker group that can be linked to the Russian state is Boulder Bear. There is virtually no information on this, except that it is possibly subordinate to the Federal Security Service of the Russian Federation (FSB). Countries or sectors at risk, as well as TTPs, are unfortunately not known.

For further research

https://www.youtube.com/watch?v=QSVQR_7fAFQ
https://cloud.google.com/blog/topics/threat-intelligence/sandworm-disrupts-power-ukraine-operational-technology/?hl=en
https://services.google.com/fh/files/misc/apt44-unearthing-sandworm.pdf
https://cloud.google.com/blog/topics/threat-intelligence/apt44-unearthing-sandworm?hl=en
https://attack.mitre.org/groups/G0034/
https://security.microsoft.com/intel-profiles/cf1e406a16835d56cf614430aea3962d7ed99f01ee3d9ee3048078288e5201bb?tab=description&tid=50271394-6aac-43fb-bd75-a0b7f111fbea
https://safereach.com/en/blog/apt44-sandworm-threat-companies/

Attacks

https://www.wired.com/story/cyber-army-of-russia-reborn-sandworm-us-cyberattacks/
https://media.defense.gov/2020/May/28/2002306626/-1/-1/0/CSA Sandworm Actors Exploiting Vulnerability in Exim Transfer Agent 20200528.pdf
https://www.justice.gov/opa/press-release/file/1328521/download
https://www.justice.gov/opa/pr/six-russian-gru-officers-charged-connection-worldwide-deployment-destructive-malware-and

Viasat

https://open.spotify.com/episode/3ad56QrgnXLuyeHfwphzC3?si=UYK32FJHSEaVvvU8n4VMPw
https://news.viasat.com/blog/corporate/ka-sat-network-cyber-attack-overview
https://www.linkedin.com/in/zhora/?originalSubdomain=ua
https://therecord.media/second-cyber-official-detained-zhora
https://www.bbc.com/pidgin/world-60598588
https://www.groundcontrol.com/blog/how-satellite-iot-closes-the-gap-in-remote-wind-turbine-data-monitoring-challenges/

NotPetya

https://blog.talosintelligence.com/worldwide-ransomware-variant/

Ukraine Electric 2016

https://www.dragos.com/wp-content/uploads/CrashOverride-01.pdf
https://web-assets.esetstatic.com/wls/2017/06/Win32_Industroyer.pdf
https://www.cisa.gov/news-events/ics-alerts/ir-alert-h-16-056-01

CaddyWiper (2022)

https://www.cisa.gov/news-events/analysis-reports/ar22-115c
https://www.dragos.com/blog/new-details-electrum-ukraine-electric-sector-compromise-2022/
https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf
https://www.virustotal.com/gui/file/a294620543334a721a2ae8eaaf9680a0786f4b9a216d75b55cfd28f39e9430ea
https://attack.mitre.org/software/S0693/

TTPs

Neo4J

AcidRain (Viasat)

https://www.sentinelone.com/labs/acidrain-a-modem-wiper-rains-down-on-europe/
https://www.sentinelone.com/labs/acidpour-new-embedded-wiper-variant-of-acidrain-appears-in-ukraine/
https://attack.mitre.org/software/S1125/
https://www.cyberproof.com/blog/recent-developments-in-russian-ukrainian-cyber-warfare

Industroyer

https://www.incibe.es/en/incibe-cert/blog/industroyer2-ampere-strikes-back
https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/
https://cloud.google.com/blog/topics/threat-intelligence/industroyer-v2-old-malware-new-tricks?hl=en
https://attack.mitre.org/software/S0604/
https://www.cisa.gov/news-events/ics-alerts/ics-alert-17-206-01
https://web-assets.esetstatic.com/wls/2017/06/Win32_Industroyer.pdf
https://www.dragos.com/wp-content/uploads/CrashOverride-01.pdf
https://attack.mitre.org/software/S0604/
https://attack.mitre.org/software/S1072/

NotPetya

https://attack.mitre.org/software/S0368/
https://www.secureworks.com/blog/notpetya-campaign-what-we-know-about-the-latest-global-ransomware-attack
https://www.cloudflare.com/learning/security/ransomware/petya-notpetya-ransomware/
https://www.cisa.gov/news-events/alerts/2017/07/01/petya-ransomware
https://analyze.intezer.com/files/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745
https://www.virustotal.com/gui/file/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745/relations
https://www.microsoft.com/en-us/security/blog/2017/10/03/advanced-threat-analytics-security-research-network-technical-analysis-notpetya/

Hunting

Acid Rain

https://github.com/RustyNoob-619/100-Days-of-YARA-2024/blob/main/Day80.yar
https://www.virustotal.com/gui/file/6a8824048417abe156a16455b8e29170f8347312894fde2aabe644c4995d7728/detection

Industroyer

https://github.com/intezer/yara-rules/blob/master/RussianAPT.yar

NotPetya

https://gist.github.com/vulnersCom/65fe44d27d29d7a5de4c176baba45759
