Posted on January 18, 2022 at 4:17 PM

Microsoft Threat Intelligence Center discovers malware targeting Ukrainian organisations

Ukraine has been facing one of its worst cyberattacks. Last week, around 70 government websites were taken down by unknown threat actors. This hack comes as the country faces a series of geopolitical issues.

The Microsoft Threat Intelligence Center (MSTIC) has published a blog post pointing to a malware operation targeting organisations in Ukraine. The blog post notes that the malware was first detected in the country on January 13, 2022.

Microsoft detects malware targeting Ukraine

Earlier on, the digital transformation minister for Ukraine had noted that all evidence on the cyberattacks points to Russia. However, the Microsoft research noted that there was no association between the malware activity and any of the known threat actor groups.

The report further notes that the malware had been designed to appear like ransomware, but the attackers did not demand any ransom. As such, its primary intention was to paralyse the operations of the attacked organisations.

“At present and based on Microsoft visibility, our investigation teams have identified the malware on dozens of impacted systems, and that number could grow as our investigation continues. These systems span multiple government, non-profit, and information technology organisations, all based in Ukraine,” the blog post read.

Microsoft notes that the first sign of the activity was detected on January 13. The report notes that the threat actor activity seemed to be originating from Ukraine, with the attacks being possible “Master Boot Records (MBR) Wiper activity.”

Further research showed that the malware could attack multiple organisations in Ukraine. Additionally, a look into the intrusions already conducted showed that the malware operated using Impacket. This is a public capability used by threat actors to execute.

The malware operated by overwriting the MBR on the victim systems using a ransom note. The ransom note contains a Bitcoin wallet address and a Tox ID used in the Tox encrypted messaging protocol. MSTIC noted that this behaviour had not been detected before.

MSTIC also notes that the malware is only executed when the victim system has been shut down. While the attackers attach a ransomware note, the activities that have been exhibited shows that a ransomware attack is not the main intention.

“Microsoft will continue to monitor DEX-0586 activity and implement protections for our customers,” MSTIC added.

The report further noted that the malware attack was made in two stages, with the second stage being file corruption. The attacks executed a malicious file corrupter malware that will download the next stage of the malware hosted on a Discord channel.

Once this second stage malware has been executed, the file corrupter will locate the files listed in various directories in the system. MSTIC also provided a list of extensions that if were carried out by a file, the corrupter would overwrite the contents in the file. After the contents have been overwritten, the attacker will rename the file using a four-byte extension.

Microsoft noted that research into this malware was still ongoing. Therefore, further analysis and results would be given regarding the malware’s operations.

Microsoft gives tips for protection

The effects of this malware are major, given that it is attacking government organisations. Hence, Microsoft has offered several strategies that organisations can use to ensure they do not fall victim.

Microsoft noted that its systems already had measures to detect this malware and enable organisations to be protected against it. Some of the protections that have already been provided by the organisation include WhisperGate that uses the Microsoft Defender Antivirus and Microsoft Defender for Endpoint. The report noted that these protections are effective when deployed on cloud and on-premises.

“We are continuing the investigation and will share significant updates with affected customers, as well as public and private sector partners, and get more information.”

Additionally, Microsoft gave additional security considerations that organisations need to consider. One of these includes using the indicators of compromise to launch investigations into whether the malware exists within the organisation’s systems and to assess the potential of an attack.

Microsoft has also urged organisations to set up multifactor authentication to mitigate an attack if account credentials are compromised. Organisations also need to ensure that multifactor authentication is enabled for remote connectivity. Using features such as Microsoft Authenticator will ensure that accounts are secured in a password-less manner.

“Review all authentication activity for remote access infrastructure, with a particular focus on accounts configured with single-factor authentication, to conform authenticity and investigate any anomalous activity,” the report concluded.