CERT-UA, the Ukrainian government’s incident response team, recently released a report on MicroBackdoor. CERT-UA did not provide further information on the scope of the incident that led to the discovery of this malware.
What is MicroBackdoor?
MicroBackdoor is a backdoor malware originally written in C++ by Cr4sh (aka Dmytro Oleksiuk), a Russian security researcher. Cr4sh states on his GitHub page that MicroBackdoor is a C2 tool written for Windows targets, with easily customizable code and a small footprint.
CERT-UA discovered dovidka.zip, an archive containing a contextual help file, which in turn contains two files: a bait image presenting information on the procedure to follow during frequent artillery shelling, and an HTA file with malicious VBScript. Running the VBScript starts an infection chain that ends in a MicroBackdoor infection.
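The lure described above is an archive that wraps a help file and an HTA carrying VBScript. The following triage script, added here as an example and not taken from the CERT-UA report or from PolySwarm, shows how a defender can flag that shape of archive before a user opens it: it lists the entries of a zip, identifies help files by their ITSF magic bytes, and looks inside text entries for HTA application and VBScript markers. The sample archive it builds is constructed inline for the demonstration and is not the real dovidka.zip.

```python
import io
import re
import zipfile

# CHM (Compiled HTML Help) files start with the ITSF signature.
CHM_MAGIC = b"ITSF"
# Markers that distinguish an HTA with VBScript from ordinary HTML.
HTA_RE = re.compile(rb"<hta:application", re.I)
VBSCRIPT_RE = re.compile(rb"<script[^>]*language\s*=\s*[\"']?vbscript", re.I)
# Skip oversized entries so a decompression bomb cannot exhaust memory.
MAX_ENTRY_BYTES = 50 * 1024 * 1024


def build_sample_zip() -> bytes:
    """Constructed sample archive: a fake help file (ITSF header only, not a
    real CHM), a decoy image and an HTA with a VBScript block. Hypothetical
    content for the example, not the archive from the report."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("dovidka.chm", CHM_MAGIC + b"\x00" * 60)
        zf.writestr("image.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16)
        zf.writestr(
            "help.hta",
            '<html><head><HTA:APPLICATION id="app" />\n'
            '<script language="VBScript">\n'
            "' script body omitted in this constructed sample\n"
            "</script></head></html>",
        )
    return buf.getvalue()


def triage_archive(data: bytes) -> dict:
    """Return, per indicator, the names of archive entries that carry it."""
    findings = {"chm": [], "hta": [], "vbscript": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir() or info.file_size > MAX_ENTRY_BYTES:
                continue
            content = zf.read(info.filename)
            name = info.filename.lower()
            # Check the signature, not just the extension, so a renamed
            # help file is still caught.
            if content[:4] == CHM_MAGIC or name.endswith(".chm"):
                findings["chm"].append(info.filename)
            if name.endswith(".hta") or HTA_RE.search(content):
                findings["hta"].append(info.filename)
            if VBSCRIPT_RE.search(content):
                findings["vbscript"].append(info.filename)
    return findings


def is_suspicious(findings: dict) -> bool:
    """An HTA in a user-facing archive, or a help file shipped alongside
    VBScript, is enough to route the archive to analysis."""
    return bool(findings["hta"] or (findings["chm"] and findings["vbscript"]))


if __name__ == "__main__":
    result = triage_archive(build_sample_zip())
    print(result)
    print("suspicious:", is_suspicious(result))
```

On the constructed archive the script reports `dovidka.chm` as a help file and `help.hta` as both an HTA and a VBScript carrier, so the archive is flagged. In production the same checks would run on mail attachments or download-directory writes, and the HTA test in particular has a low false-positive rate because legitimate archives sent to end users rarely contain HTA files at all.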
MicroBackdoor samples discovered by CERT-UA were compiled on 1-28-2022 and 1-31-2022. It implements the following commands:
PolySwarm’s samples of the code discovered by CERT-UA did not match the original code written by Cr4sh. PolySwarm analysts assess with moderate confidence that it is very unlikely Cr4sh is involved in the activity discovered by CERT-UA. CERT-UA attributes the MicroBackdoor samples to the threat actor group known as UNC1151.
Who is UNC1151?
UNC1151 is a Belarusian threat actor tracked by Mandiant since 2017. Mandiant assessed the group to be affiliated with the Belarusian government, and its researchers observed UNC1151’s involvement in the Ghostwriter campaign. UNC1151 is likely based in Minsk and has historically carried out espionage and information operations targeting government and private sector entities primarily based in Ukraine, Lithuania, Latvia, Poland, and Germany. In January, the Ukrainian government attributed attacks on its government sites to UNC1151.
PolySwarm has multiple samples associated with MicroBackdoor activity.
570ebd7f9951485b7415f685ae3349e62580309c9955b14dda4734a318edeca9 (First Seen)
998b2d7d12aafe1aa99c17224cf157704b67853a58a0a6a00de776f2a2907b4a (First Seen)
You can use the following CLI command to search for all MicroBackdoor samples in our portal:
$ polyswarm link list -f MicroBackdoor