Background
CERT-UA, the Ukraine government’s incident response team, recently released a report on MicroBackdoor. CERT-UA did not provide further information on the scope of the incident leading to the discovery of this malware.
What is MicroBackdoor?
MicroBackdoor is a backdoor malware originally written in C++ by Cr4sh (aka Dmytro Oleksiuk), a Russian security researcher. Cr4sh states on his GitHub page that MicroBackdoor is a C2 tool written for Windows targets, with easily customizable code and a small footprint.
CERT-UA discovered dovidka.zip, an archive containing a contextual help file, which in turn contains two files: a bait image presenting information on the procedure to follow during frequent artillery shelling, and an HTA file with malicious VBScript. Running the VBScript starts an infection chain that ends in a MicroBackdoor infection.
The MicroBackdoor samples discovered by CERT-UA were compiled on 1-28-2022 and 1-31-2022. The malware implements the following commands:
- id
- info
- shell
- ping
- exit
- upd
- uninst
- exec
- flist
- fget
- fput
- screenshot
The samples discovered by CERT-UA and held by PolySwarm did not match the original code written by Cr4sh. PolySwarm analysts assess with moderate confidence that it is very unlikely Cr4sh is involved in the activity discovered by CERT-UA. CERT-UA attributes the MicroBackdoor samples to the threat actor group known as UNC1151.
Who is UNC1151?
UNC1151 is a Belarusian threat actor tracked by Mandiant since 2017. Mandiant assesses the group to be affiliated with the Belarusian government, and its researchers observed UNC1151 involvement in the Ghostwriter campaign. UNC1151 is likely based in Minsk and has historically carried out espionage and information operations targeting government and private sector entities primarily based in Ukraine, Lithuania, Latvia, Poland, and Germany. In January, the Ukrainian government attributed attacks on its government sites to UNC1151.
IOCs
PolySwarm has multiple samples associated with MicroBackdoor activity.
You can use the following CLI command to search for all MicroBackdoor samples in our portal:
$ polyswarm link list -f MicroBackdoor