Elephant Framework Delivered in Phishing Attacks Against Ukrainian Organizations

Phishing Email
The subject of the email: arrears in wages (in Ukrainian).
The email was sent from [email protected] to [email protected]
The sender domain “mdfi.gov.ua” belongs to the Mykolayiv Regional Phytosanitary Laboratory.
The receiver is the Head of the Department of Technical Supply at OKKO Group, one of the largest filling-station chains in Ukraine; this person is in charge of the gas station chain.
Based on the email headers, the email was sent from 87.249.139.161 (a web hosting server located in Turkey).

While reviewing the email’s transport path, analysts noticed that the domain “mdfi.gov.ua” did not have an SPF record configured to prevent email spoofing. An SPF record restricts which IP addresses are allowed to send email for a specific domain; if no such record is set, any IP address is technically allowed to send email using that domain name. Some email providers do warn when they receive an email from a domain that does not publish an SPF record. The screenshot below shows the warning message that Gmail displays when reading such an email.

The analysts’ theory is that the threat actor exploited this missing SPF record to send spoofed phishing emails to their targets. The issue was reported to CERT-UA.
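As an added illustration of the SPF check described above (example code written for this page, not from the original write-up): a small Go evaluator that takes a domain’s TXT records and a sending IP and returns the SPF result. The TXT records are constructed stand-ins for DNS answers, the domain names are placeholders, and only the ip4, ip6 and all mechanisms are implemented; include, a and mx would need further lookups and are skipped. The first domain shows the “none” case that lets any host send mail for the domain.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// Constructed TXT answers standing in for real DNS lookups (assumption: no
// network access here). The first domain mirrors the situation described
// above: TXT data exists, but no record starts with "v=spf1".
var txtRecords = map[string][]string{
	"no-spf.example": {"site-verification=constructed-placeholder"},
	"spf.example":    {"v=spf1 ip4:203.0.113.0/24 ip6:2001:db8::/32 -all"},
	"soft.example":   {"v=spf1 ip4:198.51.100.7 ~all"},
}

// resultFor maps an SPF qualifier to the result a matching mechanism yields.
func resultFor(qualifier string) string {
	switch qualifier {
	case "-":
		return "fail"
	case "~":
		return "softfail"
	case "?":
		return "neutral"
	default:
		return "pass"
	}
}

// ipMatches reports whether sender falls inside an ip4:/ip6: mechanism value,
// which may be a single address or a CIDR prefix.
func ipMatches(spec string, sender net.IP) bool {
	if strings.Contains(spec, "/") {
		_, network, err := net.ParseCIDR(spec)
		return err == nil && network.Contains(sender)
	}
	ip := net.ParseIP(spec)
	return ip != nil && ip.Equal(sender)
}

// EvaluateSPF returns "none" when the domain publishes no SPF record (so any
// host can use the domain in a From: header) and otherwise the result of the
// first ip4/ip6/all mechanism that matches the sending IP. Mechanisms that
// need further DNS lookups (include, a, mx, ...) are skipped; this is a
// deliberate simplification of RFC 7208.
func EvaluateSPF(records []string, sender net.IP) string {
	var spf string
	for _, r := range records {
		if r == "v=spf1" || strings.HasPrefix(r, "v=spf1 ") {
			spf = r
			break
		}
	}
	if spf == "" {
		return "none"
	}
	for _, term := range strings.Fields(spf)[1:] {
		qualifier := "+"
		if strings.ContainsAny(term[:1], "+-~?") {
			qualifier, term = term[:1], term[1:]
		}
		switch {
		case term == "all":
			return resultFor(qualifier)
		case strings.HasPrefix(term, "ip4:"), strings.HasPrefix(term, "ip6:"):
			if ipMatches(term[4:], sender) {
				return resultFor(qualifier)
			}
		}
	}
	return "neutral" // nothing matched and no "all" term was present
}

func main() {
	sender := net.ParseIP("192.0.2.1") // constructed sending host
	for _, domain := range []string{"no-spf.example", "spf.example", "soft.example"} {
		fmt.Printf("%-16s %s\n", domain, EvaluateSPF(txtRecords[domain], sender))
	}
}
```

Run as-is it prints one result per constructed domain. In a mail gateway, a result of “none” or “fail” is the signal to flag or quarantine the message; the Gmail warning mentioned above is the user-facing form of the same check.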

Analysts followed the sender IP address and found three other emails: two submitted on March 29 from Ukraine, targeting ICTV, a Ukrainian TV channel, and a third submitted in February from Romania. The emails targeting Ukraine have the same subject and use the same attached XLS file, which delivers the first malicious payload.

The Elephant Framework
The malware dropped by the phishing lure is the dropper component of what analysts call the “Elephant Framework.”
The framework consists of four components that work in unison. The code snippet below shows a reconstruction of the source code tree (bold indicating folders) and how the different components are organized.
The location of the implant’s entry point is unknown and has been assumed to be in the root folder. Since the framework also has server components, analysts hypothesize that there are additional folders for the two servers used by the framework.

Dropper Component
Although it is called the dropper within the framework, this component does not carry an embedded payload. It is technically a downloader that fetches the next stage, called the “downloader,” from the URL “hxxp://194.31.98.124:443/i” and saves it to the user’s home directory (%HOME%/.java-sdk/java-sdk.exe).
The next stage is executed with the command line flag “-a 0CyCcrhI/6B5wKE8XLOd+w==”, whose argument is base64-encoded, AES-encrypted information about the C2 server.

Downloader Component
The “downloader” acts as an orchestrator for the other components. In addition to downloading the “client” and the “implant” components, it also sets up persistence and can perform updates. Like all the other components, it performs some evasion techniques before any malicious activity takes place.
The difference between this component and the others is that this one uses code from the ColdFire project on GitHub. The screenshot below shows the malware using the “Wait” function to sleep for 10 seconds before allocating 200 MB of garbage data.

Persistence is established by adding a new entry named “Java-3DK” to the registry key “Software\Microsoft\Windows\CurrentVersion\Run”.
After this, the malware checks whether a new binary is available by comparing its own MD5 hash with a hash obtained from the server.
If no update is needed, it downloads the other two components.

The downloader’s binary lists metadata for several third-party libraries that are not actually used. All of the third-party libraries are listed in the code snippet below.
For example, the “port-scanner”, “gopacket”, and “gateway” packages in the list are not used; these are all libraries that would facilitate lateral movement.
It is not clear whether these are leftovers from an older version of the malware or hints of future functionality.

Implant Component (GrimPlant)
GrimPlant is a backdoor that allows the operator to execute arbitrary PowerShell scripts on the infected machine.
The backdoor has a relatively small set of functionality; for example, it has no persistence functionality of its own.
When the malware is first executed, it allocates 200 MB and sleeps for 10 seconds (the function is shown in the screenshot below). This is an anti-emulation technique that has been found in other malware written in Go.

The Command and Control (C2) address is not included in the binary. Instead it is passed to the malware via the command line flag “-addr”.
The address is not provided as a plain string.
Instead it has been encrypted with AES in Cipher Block Chaining (CBC) mode. The malware decrypts the string with the embedded key (f1d21960d8eb2fddf2538d29a5fd50b5f64a3f9bf06f2a3c4c950438c9a7f78e) and a null IV.
The port used by the C2 server is hardcoded to 80.
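Analysts who capture the process command line will want to recover the C2 address from the “-addr” argument. The following Go program is an added example for this page, not the malware’s or the researchers’ code: it base64-decodes the argument, decrypts it with AES-256-CBC under the embedded key quoted above and a zero IV, and strips the padding. The padding scheme (PKCS#7) is an assumption the write-up does not confirm; the address “192.0.2.10” and the EncryptAddr helper exist only to produce a constructed sample so the decoder can be exercised without a live capture.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/base64"
	"encoding/hex"
	"errors"
	"fmt"
)

// Key embedded in GrimPlant as quoted in the write-up (32 bytes, so AES-256).
const embeddedKeyHex = "f1d21960d8eb2fddf2538d29a5fd50b5f64a3f9bf06f2a3c4c950438c9a7f78e"

var zeroIV = make([]byte, aes.BlockSize) // the "null IV" described above

func keyBytes() ([]byte, error) {
	key, err := hex.DecodeString(embeddedKeyHex)
	if err != nil {
		return nil, err
	}
	if len(key) != 32 {
		return nil, errors.New("embedded key is not 32 bytes")
	}
	return key, nil
}

// pkcs7Unpad validates and removes PKCS#7 padding (assumed scheme).
func pkcs7Unpad(b []byte) (string, error) {
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize || n > len(b) {
		return "", errors.New("bad padding length")
	}
	if !bytes.Equal(b[len(b)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return "", errors.New("bad padding bytes")
	}
	return string(b[:len(b)-n]), nil
}

// DecryptAddr reverses the transformation applied to the -addr argument:
// base64 -> AES-256-CBC with the embedded key and a zero IV -> unpad.
func DecryptAddr(arg string) (string, error) {
	key, err := keyBytes()
	if err != nil {
		return "", err
	}
	ct, err := base64.StdEncoding.DecodeString(arg)
	if err != nil {
		return "", err
	}
	if len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return "", errors.New("ciphertext is not a whole number of AES blocks")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, zeroIV).CryptBlocks(pt, ct)
	return pkcs7Unpad(pt)
}

// EncryptAddr builds a constructed -addr argument with the same scheme; it
// exists only so the decoder can be tested without a captured sample.
func EncryptAddr(addr string) (string, error) {
	key, err := keyBytes()
	if err != nil {
		return "", err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	pad := aes.BlockSize - len(addr)%aes.BlockSize
	pt := append([]byte(addr), bytes.Repeat([]byte{byte(pad)}, pad)...)
	ct := make([]byte, len(pt))
	cipher.NewCBCEncrypter(block, zeroIV).CryptBlocks(ct, pt)
	return base64.StdEncoding.EncodeToString(ct), nil
}

func main() {
	arg, _ := EncryptAddr("192.0.2.10") // constructed C2 address, not from the sample
	addr, err := DecryptAddr(arg)
	fmt.Println(arg, "->", addr, err)
}
```

The same decoder applies to a real captured argument only if the padding assumption holds and the key matches the component that consumed the argument; the “-a” value passed to the downloader stage is a separate blob and may use a different key.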

GrimPlant communicates with the C2 server over gRPC, and the communication is encrypted with TLS.
The malware has an embedded root certificate that it uses to verify that it is talking to a trusted server. The code snippet below shows parts of the root certificate information.
The certificate used by the C2 server is signed by this root certificate, which allows the threat actor to rotate the server certificate without redeploying new malware.

There are only a handful of gRPC “methods” supported by the malware.
A reconstructed protobuf specification is shown in the code snippet below.
To identify which instance of the malware is sending a request, the malware uses its machine ID as a unique identifier in the messages. When the malware first connects to the C2 server, it authenticates itself with the password “sdrunlygvhwbcaeiuklgunvre”.

After a successful authentication, it sends a heartbeat message every 10 seconds. This message includes information about the infected machine: public IP address, hostname, username, etc.
In addition to the heartbeat message, the malware starts the “command” loop, which checks for new commands to execute every 3 seconds.
If a command is received, it executes it by spawning a PowerShell instance (“%windir%\SysWOW64\WindowsPowerShell\v1.0\powershell.exe”) and returns the result to the C2 server.
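Two of the behaviours described above are straightforward to turn into host-based detections: the “Java-3DK” Run-key entry created by the downloader, and GrimPlant launching the 32-bit PowerShell from the SysWOW64 path with a parent living under the .java-sdk drop directory. The Go code below is an added example (not from the original write-up) that runs three such rules over constructed telemetry records; the Event schema, the user name and any file paths other than those named above are assumptions.

```go
package main

import (
	"fmt"
	"strings"
)

// Event is a constructed, minimal telemetry record (think Sysmon event ID 1
// for process creation and event ID 13 for registry value writes); the field
// names are this example's own.
type Event struct {
	Kind        string // "process" or "registry"
	Image       string // process: image path
	ParentImage string // process: parent image path
	CommandLine string // process: full command line
	RegKey      string // registry: key path
	RegValue    string // registry: value name written
}

const javaSDKDir = `\.java-sdk\` // drop directory named in the write-up

// Match returns the names of the rules an event triggers.
func Match(e Event) []string {
	var hits []string
	switch e.Kind {
	case "registry":
		// Run-key value named Java-3DK, regardless of hive or letter case.
		if strings.HasSuffix(strings.ToLower(e.RegKey), `\currentversion\run`) &&
			strings.EqualFold(e.RegValue, "Java-3DK") {
			hits = append(hits, "elephant_run_key_persistence")
		}
	case "process":
		image := strings.ToLower(e.Image)
		parent := strings.ToLower(e.ParentImage)
		// Anything executing out of the .java-sdk directory is suspicious on its own.
		if strings.Contains(image, javaSDKDir) {
			hits = append(hits, "elephant_java_sdk_process")
		}
		// GrimPlant runs commands through the 32-bit PowerShell under SysWOW64;
		// require a parent in the drop directory to keep the rule tight.
		if strings.HasSuffix(image, `\syswow64\windowspowershell\v1.0\powershell.exe`) &&
			strings.Contains(parent, javaSDKDir) {
			hits = append(hits, "elephant_powershell_from_java_sdk")
		}
	}
	return hits
}

// sampleEvents are constructed for this example; the Java-3DK name, the
// .java-sdk directory and the SysWOW64 PowerShell path come from the write-up.
var sampleEvents = []Event{
	{Kind: "registry", RegKey: `HKCU\Software\Microsoft\Windows\CurrentVersion\Run`, RegValue: "Java-3DK"},
	{Kind: "process", Image: `C:\Users\alice\.java-sdk\java-sdk.exe`, ParentImage: `C:\Windows\explorer.exe`,
		CommandLine: `java-sdk.exe -a 0CyCcrhI/6B5wKE8XLOd+w==`},
	{Kind: "process", Image: `C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe`,
		ParentImage: `C:\Users\alice\.java-sdk\java-sdk.exe`},
	{Kind: "process", Image: `C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe`,
		ParentImage: `C:\Windows\explorer.exe`}, // benign administrative PowerShell
	{Kind: "registry", RegKey: `HKCU\Software\Microsoft\Windows\CurrentVersion\Run`, RegValue: "OneDrive"},
}

// CountAlerts returns how many events trigger at least one rule.
func CountAlerts(events []Event) int {
	n := 0
	for _, e := range events {
		if len(Match(e)) > 0 {
			n++
		}
	}
	return n
}

func main() {
	for i, e := range sampleEvents {
		fmt.Printf("event %d: %v\n", i, Match(e))
	}
	fmt.Println("alerting events:", CountAlerts(sampleEvents))
}
```

The rule names are illustrative. The .java-sdk path check fires at the dropper stage, before any beacon traffic, which makes it the earliest of the three; the Run-key rule should be scoped to the value name rather than the data, since the binary path under the user profile will vary per host.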

Client Component (GraphSteel)
The “client” component is a credential and file stealer. It communicates with the C2 server over WebSockets to a GraphQL endpoint. All messages are encrypted with AES, with the key received from the C2 server. The malware author has written their own RSA implementation for the key exchange used to receive the shared secret. All messages prior to the key exchange, including the key exchange itself, are encrypted with AES using a hardcoded key.

The credentials on the machine are stolen using code lifted from goLazagne. In addition to stealing credentials, the malware looks in the user’s “Documents”, “Downloads”, “Pictures”, and “Desktop” folders for files with the file extensions listed below.

.key, .crt, .json, .csv, .7z, .rar, .zip, .ssh, .ovpn, .pptx, .xlsx, .docx, .ppt, .xls, .doc, .txt

If it finds a file with a matching extension, it generates the MD5 hash of the file and checks with the C2 server whether the file has already been uploaded. If it has not, the file is uploaded to the C2 server.

Infrastructure
Using the CA certificate embedded in the malware, analysts uncovered older service certificates and IP addresses.
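The certificate relationship described in the GrimPlant section (a pinned root, with server certificates rotated beneath it) is also what makes this infrastructure pivot possible: any certificate that verifies against the embedded root was issued by the same operator. The Go program below is an added example, not code from the write-up, that builds a constructed root, two rotated server certificates and one unrelated certificate, then counts which of them chain to the root. All names are placeholders; the real embedded certificate is not reproduced here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

var serial int64 // simple monotonic serial numbers for the constructed certs

// issue creates a certificate for cn. With parent == nil the certificate is
// self-signed (used for roots); otherwise it is signed by parent/parentKey.
// Errors panic because this is an example with fixed inputs.
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	signer, signerKey := tmpl, key
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// IssuedBy reports whether leaf chains to root (signature, validity period,
// CA constraint). This is the check the implant performs against its embedded
// root and, read the other way, the pivot an analyst uses to link server certs.
func IssuedBy(leaf, root *x509.Certificate) bool {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots})
	return err == nil
}

// ConstructedScenario builds an operator root, an old server certificate and
// its rotated replacement (both from that root), plus one certificate from an
// unrelated root, and returns how many of the three chain to the operator root.
func ConstructedScenario() int {
	root, rootKey := issue("Constructed Operator Root", true, nil, nil)
	oldSrv, _ := issue("c2-old.invalid", false, root, rootKey)
	newSrv, _ := issue("c2-new.invalid", false, root, rootKey)
	otherRoot, otherKey := issue("Unrelated Root", true, nil, nil)
	unrelated, _ := issue("unrelated.invalid", false, otherRoot, otherKey)

	n := 0
	for _, c := range []*x509.Certificate{oldSrv, newSrv, unrelated} {
		if IssuedBy(c, root) {
			n++
		}
	}
	return n
}

func main() {
	fmt.Println("certificates chaining to the constructed root:", ConstructedScenario())
}
```

Both the old and the rotated server certificate verify, which is why the implant keeps working after a rotation, and why a collection of historical TLS certificates can be filtered down to this operator by running the same verification against the root extracted from the binary.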
