On December 19, the Computer Emergency Response Team of Ukraine(CERT-UA) issued a security alert (CERT-UA#5709) warning about phishing cyberattacks on Ukrainian defence software, Delta.
The report states that a compromised Ukrainian Ministry of Defense (MoD) email account was sending out phishing emails as well as messages to Ukrainian military personnel and the OSINT (Open Source Intelligence) department, who operates ‘Delta’ software, to infect systems with information-stealing malicious software using FateGrab and StealDeal malware.
According to CERT-UA, the malware is being distributed through emails sent from one of the MoD’s employee email accounts and messenger. The malicious email contains a warning that the digital certificate for the Delta software must be updated along with a link to an infected ZIP archive.
Delta is an online network map that info-warriors (military troops, civilian officials and even spectators) use to track and share adversary details about strikes and drone attacks. Although images of the Russian invasion take us back to the days of the first and second world wars, this battle is more of a proving ground for future battlegrounds likely to be information warfare – where information is disseminated in real-time to individual soldiers indicating enemy forces’ movements that would help in faster and more accurate strikes, as reported by The Guardian.
In an attempt to hack the software that gives Ukraine a battlefield edge, threat actors sent a message over mail about the need to update digital certificates in the Delta system to continue using the system securely. The infected email contained a PDF document as an attachment allegedly with instructions to install the certificate but includes a link to download a ZIP archive named “certificates_rootCA.zip.”
The PDF file mimicked sanctioned abstracts of the ISTAR(Intelligence, surveillance, target acquisition and reconnaissance) division of the “Zaporizhia” OUV(Outstanding Universal Value).
By following the link, the archive downloads a digitally signed “certificates_rootCA.exe” onto your system. Upon launching the EXE(executable file) link, several DLL(Dynamic-link library) files are created on the compromised system and an “ais.exe” file forging the certificate installation process will be initiated on the computer.
It then prompts a certificate installation dialogue in a ‘Security Warning’. This step adds to convincing the target that the process was legitimate and reduces the probability of them suspecting that the state software has been breached.
Both the EXE and the DLL files were protected by VMProtect, which is software that offers protection against executable files (EXE, SCR), dynamic-link libraries (DLL, OCX, BPL) and drivers (SYS) by encrypting them on a virtual machine with standalone architecture that makes it extremely difficult to analyze and crack the software.
Following this, two infected DLLs will be dropped onto the target’s PC,i.e, “FileInfo.dll” and “procsys.dll,” which are ‘FateGrab’ and ‘StealDeal’ respectively.
FateGrab(“FileInfo.dll”; “ftp_file_graber.dll”) is used in stealing files with extensions: ‘.txt’, ‘.rtf’, ‘. xls’, ‘.xlsx’, ‘.ods’, ‘.cmd’, ‘.pdf’, ‘.vbs’, ‘.ps1’, ‘.one’, ‘.kdb’, ‘.kdbx’, ‘. doc’, ‘.docx’, ‘.odt’, ‘.eml’, ‘.msg’, and ‘.email’ with their subsequent exfiltration through FTP. While StealDeal(“procsys.dll”; “StealDll.dll”) is designed to steal Internet browser data.
Digital certificates use cryptography and a public key to prove the authenticity of a server, device, or user, ensuring that only trusted devices can connect to an organization’s network.
DOLPHINCAPE MALWARE- CYBERATTACKS ON UKRAINE’S STATE AGENCIES
Cyberattacks on Ukraine’s digital assets are not rare as noted throughout 2022. On December 13th, the CERT-UA warned(https://cert.gov.ua/article/3192088 ) the government agencies and railway departments in Ukraine of phishing attacks with DolphinCape, again an information-stealing malware.
The attack was conducted in a nearly similar pattern. It involved sending phishing emails with malicious attachments sent from Ukraine’s State Emergency Service email account. The infected emails carried the topic “How to recognize a kamikaze drone,” which is an Iranian-supplied Shahed-136 drone that Russia is presently using to attack the energy infrastructure in Ukraine.
Opening the file triggers an infection chain containing a RAR archive “shahid-136.rar”, further downloading a PowerShell Script document “shahed.ppsx” which in turn contains VBScript code designed to launch a scheduled task. The script then downloads executable (EXE) files of DolphinCape malware (“WibuCm32.dll”), which collects information about the infected computer including hostname, username, etc. as well as takes screenshots of the compromised PC.
ROLE OF DELTA IN BATTLEFIELD
“Delta is a system for collecting, processing and displaying information about enemy forces, coordinating defence forces, and providing situational awareness according to NATO standards” as reported in NATO’s TIDE Sprint(https://mezha.media/en/2022/10/28/the-unique-ukrainian-situational-awareness-system-delta-was-presented-at-the-annual-nato-event/ ) event on October 27th.
The British daily news outlet, The Guardian, reported exclusively on Ukraine’s Delta programme as mentioned in NATO’s report of 30th November notifying that the software is yet to be formally adopted by the Ukrainian armed forces.
Delta is a software developed by Ukrainian programmers and drone operators called Aerorozvidka (aerial reconnaissance) to give their armed forces the competitive advantage of being able to view the battlefield more clearly and indicate enemy movements. The software was first presented to NATO member states in October and was developed in 2015.
The program is fed with publicly accessible information by the OSINT (Open-source Intelligence) department, which is closely monitoring online activities of Russian recruits and aircraft, extracting date, time and location information and inputting the results into Delta. Other sources of information include satellite imagery and drone footage provided by NATO partners like the United States.
Delta is more than just an “early alert system”. It contains multiple layers of information embedded on the network map which is accessible in a live environment through Starlink satellite communications. The military intelligence software is adept at combining interactive maps and pictures of enemy acquisitions to calculate the headcount of enemy soldiers and gather intelligence on the type of weapons that opponents carry – to predict where and how Ukrainian troops can attack.