Sandworm hackers

The Russian state-sponsored hacking group known as Sandworm has been observed masquerading as telecommunication providers to target Ukrainian entities with malware.

Sandworm is a state-backed threat actor that the US government has attributed to the GRU, Russia's foreign military intelligence service.

The APT hacking group is believed to have been behind numerous attacks this year, including an attack on Ukrainian energy infrastructure and the deployment of a persistent botnet called "Cyclops Blink."

Starting from August 2022, researchers at Recorded Future have observed a rise in Sandworm command and control (C2) infrastructure that uses dynamic DNS domains masquerading as Ukrainian telecommunication service providers.

Recent campaigns aim to deploy commodity malware like Colibri Loader and the Warzone RAT (remote access trojan) onto critical Ukrainian systems.

New Sandworm infrastructure

While Sandworm has refreshed its C2 infrastructure significantly, it did so gradually, so historical data from CERT-UA reports allowed Recorded Future to link current operations with strong confidence to the threat actor.

One example is the domain "datagroup[.]ddns[.]net," spotted by CERT-UA in June 2022, masquerading as an online portal for Datagroup, a Ukrainian telecommunications carrier.

Another spoofed Ukrainian telecommunication services provider is Kyivstar, for which Sandworm uses the facades "kyiv-star[.]ddns[.]net" and "kievstar[.]online."

The more recent case is that of "ett[.]ddns[.]net" and "ett[.]hopto[.]org," very likely an attempt to imitate the online platform of EuroTransTelecom LLC, another Ukrainian telecom operator.

Many of these domains resolve to new IP addresses, but in some cases, there are overlaps with past Sandworm campaigns dating as far back as May 2022.

IP addresses of infrastructure used by Sandworm since May 2022 (Recorded Future)

Infection chain

The attack begins by luring victims to visit the domains, typically via emails sent from these domains so that the sender appears to be a Ukrainian telecommunication provider.

The language used in these sites is Ukrainian, and the topics presented concern military operations, administration notices, reports, etc.

The most common web page seen by Recorded Future is one containing the text "ОДЕСЬКА ОБЛАСНА ВІЙСЬКОВА АДМІНІСТРАЦІЯ," which translates to "Odesa Regional Military Administration."

The HTML of the web page contains a base64-encoded ISO file that is auto-downloaded, via the HTML smuggling technique, when the site is visited.
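As an added defensive example (not from the article or the Recorded Future report), the scanner below flags long base64 runs in an HTML file that decode to an ISO 9660 image and records which browser APIs typical of HTML smuggling the page calls. The sample page and its zero-filled ISO are constructed here for the demonstration, not recovered from the campaign.

```python
import base64
import re

# ISO 9660 volume descriptors start at sector 16 (offset 0x8000): one type byte,
# then the identifier "CD001". A smuggled ISO decodes to bytes carrying this magic.
ISO_MAGIC_OFFSET = 0x8001
ISO_MAGIC = b"CD001"

# Browser APIs an HTML smuggling page uses to turn an embedded string into a
# file download without the payload ever crossing the network as a file.
SMUGGLING_APIS = ("atob(", "new Blob(", "createObjectURL(", "msSaveOrOpenBlob(", ".download")

# Only long base64 runs are payload candidates; inline icons are far shorter.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{4096,}={0,2}")


def find_smuggled_isos(html: str) -> list:
    """Return one record per long base64 run that decodes to an ISO 9660 image."""
    apis_seen = [api for api in SMUGGLING_APIS if api in html]
    findings = []
    for match in B64_RUN.finditer(html):
        try:
            data = base64.b64decode(match.group(0), validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        if data[ISO_MAGIC_OFFSET:ISO_MAGIC_OFFSET + len(ISO_MAGIC)] != ISO_MAGIC:
            continue
        findings.append({"offset": match.start(), "size": len(data), "apis": apis_seen})
    return findings


def build_sample_page() -> str:
    """Constructed sample, not the real lure: a minimal ISO header wrapped in a
    smuggling script. The ISO body is zero-filled apart from the volume descriptor."""
    iso = bytearray(0x8800)
    iso[0x8000] = 1  # primary volume descriptor type
    iso[ISO_MAGIC_OFFSET:ISO_MAGIC_OFFSET + len(ISO_MAGIC)] = ISO_MAGIC
    b64 = base64.b64encode(bytes(iso)).decode()
    return f"""<html><body><h1>ОДЕСЬКА ОБЛАСНА ВІЙСЬКОВА АДМІНІСТРАЦІЯ</h1>
<script>
var d = atob('{b64}');
var a = new Uint8Array(d.length);
for (var i = 0; i < d.length; i++) a[i] = d.charCodeAt(i);
var b = new Blob([a], {{type: 'application/octet-stream'}});
var l = document.createElement('a'); l.href = URL.createObjectURL(b);
l.download = 'document.iso'; l.click();
</script></body></html>"""


# Constructed benign page: a short inline PNG must not be reported.
BENIGN_PAGE = '<img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg==">'

if __name__ == "__main__":
    for hit in find_smuggled_isos(build_sample_page()):
        print(f"smuggled ISO at char {hit['offset']}, {hit['size']} bytes, APIs: {hit['apis']}")
```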

Malicious HTML containing obfuscated ISO (Recorded Future)

Notably, HTML smuggling is used by several Russian state-sponsored hacking groups, with a recent example being APT29.

The payload contained in the ISO image is Warzone RAT, malware created in 2018 that reached peak popularity in 2019. Sandworm uses it to replace the DarkCrystal RAT it deployed in previous months.

Possibly, the Russian hackers want to make tracking and attribution harder for security analysts by using widely available malware and hoping that their tracks are "lost in the noise."

The Warzone RAT malware may be old, but it still offers powerful features like a UAC bypass, hidden remote desktop, cookie and password stealing, a live keylogger, file operations, a reverse proxy, a remote shell (CMD), and process management.
