Last week, Ukraine's Main Intelligence Directorate (GUR) orchestrated a sophisticated cyberattack against Gaskar Integration, a leading Russian drone manufacturer.
The operation began with reconnaissance of the company's public-facing infrastructure, where the threat actors identified vulnerable remote desktop services and outdated VPN gateways.
Leveraging a zero-day in a third-party web application firewall, the attackers gained an initial foothold inside the corporate network. Once inside, they deployed custom malware that abused Windows Management Instrumentation (WMI) for lateral movement and credential harvesting.
Hromadske analysts noted that the malicious payload incorporated a dual-stage loader written in C++ and PowerShell.
The first stage established persistence via a malicious WMI subscription, while the second stage decrypted a reverse-shell implant in memory.
Communications were tunneled over TLS using forged certificates that mimicked the company's own public key infrastructure.
The malware's command-and-control (C2) infrastructure was hosted on compromised industrial control system servers, further complicating attribution and takedown efforts.
By the time defenders detected anomalous network traffic, the attackers had exfiltrated more than 47 TB of technical data, including drone design schematics, production logs, and employee records.
All backup copies on the victim's servers were irreversibly deleted, effectively crippling Gaskar's production and accounting operations.
Employees were locked out of production software and physical access systems, with only fire exits remaining functional.
Hromadske researchers identified key modules of the implant by reverse-engineering its unpacker.
Infection Mechanism
The malware's infection mechanism hinged on the exploitation of a WAF bypass. After gaining access, the attackers uploaded a tiny dropper, less than 15 KB, that executed a Base64-encoded PowerShell one-liner.
This script reached out to a hard-coded C2 domain, downloaded an encrypted payload, and invoked it entirely in memory to evade disk-based detection.
The persistent WMI event filter was crafted as follows:
# Permanent WMI event filter: a polling query that fires whenever the
# Win32_LocalTime instance is observed to change (checked every 60 seconds).
$filter = Set-WmiInstance -Namespace root\subscription -Class __EventFilter `
    -Arguments @{
        Name           = "SysUpdateFilter"
        EventNameSpace = "root\cimv2"
        QueryLanguage  = "WQL"
        Query          = "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_LocalTime'"
    }
# Binding that ties the filter to the implant's event consumer.
# $consumer is the consumer object the implant created earlier (not shown in the article).
Set-WmiInstance -Namespace root\subscription -Class __FilterToConsumerBinding `
    -Arguments @{
        Filter   = $filter
        Consumer = $consumer
    }
This triggers the implant on every system clock tick, giving it high survivability even across reboots.
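Because the persistence lives entirely in the WMI repository, a defender can hunt for it by enumerating the permanent subscriptions in root\subscription and flagging the pattern above: a time-polling filter bound to a command or script consumer. The script below is an added example written for this article, not code from the article or from Hromadske; the heuristics and the helper name Get-RefName are my own choices.

```powershell
# Added detection example (not from the article): list permanent WMI event
# subscriptions and flag polling filters bound to command/script consumers.
# Run in an elevated PowerShell session on the host being examined.
$ns = 'root\subscription'
$bindings = Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding

# Get-CimInstance resolves REF properties to CimInstance objects; output from the
# older Get-WmiObject carries them as WMI path strings. Accept both forms.
function Get-RefName($ref) {
    if ($ref -is [string]) { return ($ref -split 'Name=')[-1].Trim('"') }
    return $ref.Name
}

# Heuristics (assumptions chosen for this example): polling on time or
# performance classes, and command/script consumers, are rare in benign
# subscriptions; the usual legitimate one is 'SCM Event Log Consumer'.
$filterPattern   = 'Win32_LocalTime|Win32_PerfFormattedData|__InstanceModificationEvent|__InstanceCreationEvent'
$consumerClasses = 'CommandLineEventConsumer', 'ActiveScriptEventConsumer'
$payloadPattern  = 'powershell|-enc|FromBase64String|DownloadString|IEX|Invoke-Expression'

foreach ($b in $bindings) {
    $fName = Get-RefName $b.Filter
    $cName = Get-RefName $b.Consumer
    # __EventConsumer is the base class, so this also returns the concrete subclasses.
    $filter   = Get-CimInstance -Namespace $ns -ClassName __EventFilter   | Where-Object Name -eq $fName
    $consumer = Get-CimInstance -Namespace $ns -ClassName __EventConsumer | Where-Object Name -eq $cName

    $reasons = @()
    if ($filter.Query -match $filterPattern) {
        $reasons += "polling filter: $($filter.Query)"
    }
    if ($consumer.CimClass.CimClassName -in $consumerClasses) {
        $reasons += "command/script consumer: $($consumer.CimClass.CimClassName)"
    }
    # CommandLineTemplate / ScriptText exist only on the respective consumer classes;
    # on other classes the property read simply yields $null.
    $payload = "$($consumer.CommandLineTemplate)$($consumer.ScriptText)"
    if ($payload -match $payloadPattern) {
        $reasons += "suspicious payload: $payload"
    }

    if ($reasons.Count -gt 0) {
        [pscustomobject]@{ Filter = $fName; Consumer = $cName; Reasons = ($reasons -join '; ') }
    }
}
```

For continuous detection rather than a point-in-time hunt, the same three objects are logged at creation time by Sysmon event IDs 19, 20 and 21 (WmiEventFilter, WmiEventConsumer, WmiEventConsumerToFilter) and by event 5861 in the Microsoft-Windows-WMI-Activity/Operational log.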