Elephant Framework Delivered in Phishing Attacks Against Ukrainian Organizations

Phishing Email

The subject of the email: arrears in wages (In Ukranian).
The email was sent from [email protected] to i[email protected].
The sender domain "mdfi.gov.ua" belongs to the Mykolayiv Regional Phytosanitary Laboratory.
The receiver is the Head of Department of Technical Supply in OKKO Group, one of the largest filling stations in Ukraine, this person is in charge of the gas stations chain.
Based on the headers of the email: the email was sent from 87.249.139.161 (hosting web server located in Turkey).

While reviewing the email's transport path, Analysts noticed that the domain "mdfi.gov.ua" did not have a configured SPF record to prevent email spoofing. An SPF record is used to restrict which IP addresses are allowed to send emails for a specific domain. If this record is not set, any IP address is technically allowed to send emails using that domain name. Some email providers do warn when they receive an email from an address that doesn't have an SPF record. The screenshot below shows the warning message displayed in GMail when reading such email.

Analyst's theory is that the threat actor exploited this vulnerability to send spoofed phishing emails to their targets. Analysts reported the issue to CERT-UA.

Analysts followed the sender IP address and found three other emails: two emails submitted on March 29 from Ukraine targeting ICTV, a Ukrainian TV channel and the third email was submitted in February from Romania. The emails that target UA have the same subject and use the same attached xls file that delivers the first malicious payload.

The Elephant Framework

The malware that is dropped by the phishing lure is the dropper component of what Analysts call the "Elephant Framework."
The framework consists of four components that work in unison. The code snippet below shows a reconstruction of the source code tree, bold indicating folders, showing how the different components have been organized.
The location of the implant's entrypoint is unknown and has been guessed to be in the root folder. As there are also server components to the framework, Analysts hypothesize that there are more folders for the two servers used by the framework.

Dropper Component

While called the dropper in the framework, this component does not have an embedded payload. Instead it is technically a downloader that fetches the next stage called the "downloader." The next stage is downloaded from the URL "hxxp://194.31.98.124:443/i" and saved to the user's home directory (%HOME%/.java-sdk/java-sdk.exe).
The next stage is executed with the command line flag "-a 0CyCcrhI/6B5wKE8XLOd+w==", base64 and AES encrypted information about the C2 server.

Downloader Component

The "downloader" acts as an orchestrator for the other components. In addition to downloading the "client" and the "implant" components, it also sets up persistence and can perform updates. Like all the other components, before any malicious activity is taken it performs some evasion techniques.
The difference between this component and the others is that this one is using code from the ColdFire project on GitHub. The screenshot below shows the malware using the "Wait" function to sleep for 10 seconds before allocating 200 mb of garbage data.

Persistence is established by adding a new key entry with the name "Java-3DK" to the registry key "SoftwareMicrosoftWindowsCurrentVersionRun".
After this, the malware checks if a new binary exists by comparing its MD5 hash with a hash from the server.
If no update is needed, it downloads the other two components.

The downloader has some 3rd party libraries, whose metadata are listed in the binary, that are not used. All the 3rd party libraries are listed in the code snippet below.
In the list for example "port-scanner", "gopacket", and "gateway" packages are not being used. These are all libraries to facilitate lateral movement.
It is not clear if these are left-overs from an older version of the malware or hints of future functionality.

Implant Component (GrimPlant)

GrimPlant is a backdoor that allows the operator to execute arbitrary PowerShell scripts on the infected machine.
The backdoor has a relatively small set of functionality, for example it doesn't have any persistence functionality on its own.
When the malware first is executed, it allocates 200 mb and sleeps for 10 seconds, the function shown in the screenshot below. This is an anti-emulation technique that has been found in other malware written in Go.

The Command and Control (C2) address is not included in the binary. Instead it is passed in to the malware via the command line flag "-addr".
The address is not provided as a plain string.
Instead it has been encrypted with AES in Cipher-Block Chaining (CBC) mode. The malware decrypts the string with the embedded key (f1d21960d8eb2fddf2538d29a5fd50b5f64a3f9bf06f2a3c4c950438c9a7f78e) and a null IV.
The port used by the C2 server is hardcoded to port 80.

GrimPlant communicates with the C2 server over gRPC. The communication is encrypted with TLS.
The malware has an embedded root certificate that it uses to verify that it talks to a trusted server. The code snippet shows parts of the root certificate information.
The certificate used by the C2 server has been signed by this root certificate which allows the threat actor to rotate the certificate without redeploying a new malware.

There are only a handful of gRPC "methods" supported by the malware.
A reconstructed protobuf specification is shown in the code snippet below.
To identify which instance of the malware is sending the request to the C2 server, the malware uses its machine ID as an unique identifier in the messages. When the malware first connects to the C2 server, it authenticates itself with the password "sdrunlygvhwbcaeiuklgunvre".

After a successful authentication, it sends a heartbeat message every 10 seconds. This message includes information about the infected machine: public IP address, hostname, username, etc.
In addition to the heartbeat message, the malware starts the "command" loop that checks for new commands to execute every 3 seconds.
If a command is received it executes it by spawning a PowerShell instance by executing "%windir%SysWOW64WindowsPowerShellv1.0powershell.exe" and returns the result to the C2 server.

Client Component (GraphSteel)

The "client" component is a credential and file stealer. It communicates with the C2 server over WebSockets to a GraphQL endpoint. All the messages are encrypted with AES. The key is received from the C2 server. The malware author has written their own RSA implementation for the key exchange that is used to receive the shared secret. All messages prior to the key exchange, including the key exchange itself, are encrypted with AES using a hardcoded key.

The credentials on the machine are stolen using code lifted from goLazagne. In addition to stealing credentials, the malware will look in the user's "Documents", "Downloads", "Pictures", and "Desktop" folder for files with the file-extensions listed below.

.key, .crt, .json, .csv, .7z, .rar, .zip, .ssh, .ovpn, .pptx, .xlsx, .docx, .ppt, .xls,
.doc, .txt
If it finds a file with a matching file extension, it generates the MD5 hash for the file and checks with the C2 server if the file has already been uploaded. If it hasn't, the file is uploaded to the C2 server.

Infrastructure

Using the embedded CA certificate in the malware, Analysts uncovered older service certificates and IP addresses.