The PolySwarm Blog

Analyze suspicious files and URLs, at scale, millions of times per day. Get real-time threat intel from a crowdsourced network of security experts and antivirus companies competing to protect you.

MicroBackdoor

Mar 11, 2022 10:28:25 AM / by PolySwarm Tech Team

MicroBackdoor_Blog

Background

CERT-UA, the Ukraine government’s incident response team, recently released a report on MicroBackdoor. CERT-UA did not provide further information on the scope of the incident leading to the discovery of this malware.

What is MicroBackdoor?

MicroBackdoor is a backdoor malware originally written in C++ by Cr4sh (aka Dmytro Oleksiuk), a Russian security researcher. Cr4sh states on his Github page that MicroBackdoor is a C2 tool written for Windows targets, with easily customizable code and a small footprint.


CERT-UA discovered dovidka.zip, a file containing a contextual help file, which in turn contains two files: a bait image presenting information on the procedure for frequent artillery shelling and an HTA-file with malicious VBScript. Running the VBScript leads to an infection chain resulting in a MicroBackdoor malware infection.

MicroBackdoor samples discovered by CERT-UA were compiled on 1-28-2022 and 1-31-2022. It implements the following commands:

  • id
  • info
  • shell
  • ping
  • exit
  • upd
  • uninst
  • exec
  • flist
  • fget
  • fput
  • screenshot

PolySwarm’s samples of the code discovered by CERT-UA did not match the original code written by Cr4sh.  PolySwarm analysts assess with moderate confidence that it is very unlikely Cr4sh is involved in the activity discovered by CERT-UA. CERT-UA attributes the MicroBackdoor samples to the threat actor group known as UNC1151.

Who is UNC1151?

UNC1151 is a Belarusian threat actor tracked by Mandiant since 2017. They assessed the group to be affiliated with the Belarusian government. Mandiant researchers observed UNC1151 involvement in the Ghostwriter campaign. UNC1151 is likely based in Minsk and has historically carried out espionage and information operations targeting government and private sector entities primarily based in Ukraine, Lithuania, Latvia, Poland, and Germany. In January, the Ukrainian government attributed attacks on their government sites to UNC1151.


IOCs

PolySwarm has multiple samples associated with MicroBackdoor activity.


Hashes

B63a80660f94353112ba7071ea16ebbeb9de7cc14c278d1c4dee40bc231cb49c

92f69de0d45ad88654a6eef720a6f6b6db090afb67ba0eba5f9b77f504ea6280

7f0511b09b1ab3a64c8827dd8af017acbf7d2688db31a5d98fea8a5029a89d56

C76fb28b6910bb0714fab5b84363ebf2082fd59ddb0bb95166635583554d7ab4

e97f1d6ec1aa3f7c7973d57074d1d623833f0e9b1c1e53f81af92c057a1fdd72

570ebd7f9951485b7415f685ae3349e62580309c9955b14dda4734a318edeca9 (First Seen)

998b2d7d12aafe1aa99c17224cf157704b67853a58a0a6a00de776f2a2907b4a (First Seen)

You can use the following CLI command to search for all MicroBackdoor samples in our portal:

$ polyswarm link list -f MicroBackdoor


Don’t have a PolySwarm account? Go here to sign up for a free Community plan or to subscribe.

Contact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports

Topics: Ukraine, Threat Bulletin, MicroBackdoor, UNC1151, Belarus, First Seen

PolySwarm Tech Team

Written by PolySwarm Tech Team

Subscribe to Email Updates

Lists by Topic

see all

Posts by Topic

See all

Recent Posts