According to MSTIC researchers, since October 2021 ACTINIUM has targeted or compromised accounts at organisations critical to emergency response and to ensuring the security of Ukrainian territory, as well as organisations that would be involved in coordinating the distribution of international and humanitarian aid to Ukraine in a crisis.

MSTIC (the Microsoft Threat Intelligence Center) is sharing intelligence on a threat group it tracks as ACTINIUM, which has been active for almost a decade and has regularly sought access to Ukrainian businesses and entities. MSTIC previously tracked this activity as DEV-0157; the group is also known publicly as Gamaredon.

Over the last six months, MSTIC has observed ACTINIUM targeting government, military, non-governmental (NGO), judiciary, law enforcement and non-profit organisations in Ukraine, maintaining persistence in those networks and using the access it gains to move laterally into related organisations. ACTINIUM has been observed operating out of Crimea with cyber-espionage objectives, and the Ukrainian government has publicly attributed the group to the Russian Federal Security Service (FSB).

The attacks generally start with spear-phishing emails carrying a weaponised Office document. The attachment uses remote template injection: when the recipient opens it, the document fetches a template from an attacker-controlled server, and it is that template that carries the malicious macro code.
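To make the remote-template trick concrete, here is an added example (not code from MSTIC, from ACTINIUM samples, or from this page) that opens an Office Open XML file, walks its .rels parts and flags an attachedTemplate relationship whose target is an http(s)/ftp URL or a UNC path. Word also marks a local template such as file:///...Normal.dotm as TargetMode="External", so the check keys on the target's scheme rather than on TargetMode alone. The sample documents, the template.invalid URL and the UNC path are constructed for the demonstration.

```python
"""Flag Office Open XML documents that pull in a remote template (added detection example)."""
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import Dict, Optional, Union
from urllib.parse import urlsplit

PKG_REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
REL_BASE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
ATTACHED_TEMPLATE = REL_BASE + "attachedTemplate"
HYPERLINK = REL_BASE + "hyperlink"


def is_remote_target(target: str) -> bool:
    """http(s)/ftp URLs and UNC paths are remote; file:///, C:\\ and relative paths are not."""
    if target.startswith("\\\\") or target.startswith("//"):
        return True
    return urlsplit(target).scheme.lower() in {"http", "https", "ftp"}


def inspect_document(doc: Union[str, bytes]) -> Dict[str, object]:
    """Walk every .rels part of a .docx/.dotm (path or raw bytes) and collect external targets."""
    src = io.BytesIO(doc) if isinstance(doc, (bytes, bytearray)) else doc
    findings: Dict[str, object] = {"remote_templates": [], "other_external": [], "has_vba": False}
    with zipfile.ZipFile(src) as z:
        names = z.namelist()
        # An embedded VBA project means the file itself carries macros.
        findings["has_vba"] = any(n.lower().endswith("vbaproject.bin") for n in names)
        for name in names:
            if not name.lower().endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter("{%s}Relationship" % PKG_REL_NS):
                if rel.get("TargetMode") != "External":
                    continue
                rtype, target = rel.get("Type", ""), rel.get("Target", "")
                if not is_remote_target(target):
                    continue  # e.g. file:///C:/.../Normal.dotm, which Word also marks External
                if rtype == ATTACHED_TEMPLATE:
                    findings["remote_templates"].append(target)
                elif rtype != HYPERLINK:  # plain hyperlinks are expected; other remote parts are not
                    findings["other_external"].append((name, rtype.rsplit("/", 1)[-1], target))
    return findings


def verdict(findings: Dict[str, object]) -> str:
    if findings["remote_templates"]:
        return "remote-template"
    if findings["other_external"]:
        return "external-content"
    if findings["has_vba"]:
        return "macro"
    return "clean"


def build_sample(template_target: Optional[str] = None) -> bytes:
    """Constructed minimal .docx for the demo (not an ACTINIUM lure). If template_target is
    given it is written as an External attachedTemplate relationship, the way Word stores it."""
    rels = ['<Relationship Id="rId1" Type="%sstyles" Target="styles.xml"/>' % REL_BASE]
    settings = ('<w:settings xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" '
                'xmlns:r="%s">' % REL_BASE[:-1])
    if template_target is not None:
        rels.append('<Relationship Id="rId2" Type="%s" Target="%s" TargetMode="External"/>'
                    % (ATTACHED_TEMPLATE, template_target))
        settings += '<w:attachedTemplate r:id="rId2"/>'
    settings += "</w:settings>"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
                   '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        z.writestr("_rels/.rels", '<Relationships xmlns="%s"><Relationship Id="rId1" '
                   'Type="%sofficeDocument" Target="word/document.xml"/></Relationships>'
                   % (PKG_REL_NS, REL_BASE))
        z.writestr("word/document.xml", '<w:document xmlns:w="http://schemas.openxmlformats.org/'
                   'wordprocessingml/2006/main"><w:body/></w:document>')
        z.writestr("word/settings.xml", settings)
        z.writestr("word/_rels/settings.xml.rels",
                   '<Relationships xmlns="%s">%s</Relationships>' % (PKG_REL_NS, "".join(rels)))
    return buf.getvalue()


if __name__ == "__main__":
    samples = [("clean", None),
               ("local template", "file:///C:/Users/victim/AppData/Roaming/Microsoft/Templates/Normal.dotm"),
               ("remote template", "http://template.invalid/lure.dotm")]
    for label, target in samples:
        print(label, "->", verdict(inspect_document(build_sample(target))))
```

The same walk over .rels parts also catches remote oleObject or image targets, which is why non-hyperlink external relationships are reported separately as "external-content"; a local Normal.dotm reference is deliberately ignored to keep the check quiet on ordinary corporate documents.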

The operators also embed a tracking-pixel-like "web bug" in the body of the phishing message to learn whether it has been opened. Once the document executes, the infection chain proceeds through several stages and deploys a set of binaries, including:

  • PowerPunch – a PowerShell-based dropper and downloader used to retrieve the next-stage executables from the operators' server
  • Pterodo – a constantly evolving, feature-rich backdoor that also carries a range of capabilities intended to make analysis more difficult
  • QuietSieve – a heavily obfuscated .NET binary geared specifically towards data exfiltration and reconnaissance on the target host

This is far from the threat actor's only recent attack. Last month it targeted an undisclosed Western government entity in Ukraine, using a malware-laced résumé submitted for an active job listing that the organisation had posted on a local employment portal, and in December 2021 it targeted the country's State Migration Service (SMS).

The disclosure comes as Cisco Talos continues its investigation into the January incidents in Ukraine, where it has found evidence of an ongoing disinformation campaign.

The researchers concluded that "while the QuietSieve malware family is primarily geared toward the exfiltration of data from the compromised host, it can also receive and execute a remote payload from the operator," and noted that it also takes screenshots of the compromised host every five minutes.

Indicators of Compromise

Indicator | Type | Comments
jolotras[.]ru | Domain name | QuietSieve, associated with multiple malware samples
moolin[.]ru | Domain name | QuietSieve, associated with multiple malware samples
0afce2247ffb53783259b7dc5a0afe04d918767c991db2da906277898fd80be5 | SHA-256 | QuietSieve, communicates with moolin[.]ru domain(s)
e4d309735f5326a193844772fc65b186fd673436efab7c6fed9eb7e3d01b6f19 | SHA-256 | QuietSieve, communicates with moolin[.]ru domain(s)
f211e0eb49990edbb5de2bcf2f573ea6a0b6f3549e772fd16bf7cc214d924824 | SHA-256 | QuietSieve, communicates with jolotras[.]ru domain(s)
6d4b97e74abf499fa983b73a1e6957eadb2ec6a83e206fff1ab863448e4262c6 | SHA-256 | QuietSieve, communicates with moolin[.]ru domain(s)
eb1724d14397de8f9dca4720dada0195ebb99d72427703cabcb47b174a3bfea2 | SHA-256 | QuietSieve, communicates with moolin[.]ru domain(s)
b92dcbacbaaf0a05c805d31762cd4e45c912ba940c57b982939d79731cf97217 | SHA-256 | QuietSieve, communicates with moolin[.]ru domain(s)
b3d68268bd4bb14b6d412cef2b12ae4f2a385c36600676c1a9988cf1e9256877 | SHA-256 | QuietSieve, communicates with moolin[.]ru domain(s)
a6867e9086a8f713a962238204a3266185de2cc3c662fba8d79f0e9b22ce8dd6 | SHA-256 | QuietSieve, communicates with moolin[.]ru domain(s)
a01e12988448a5b26d1d1adecc2dda539b5842f6a7044f8803a52c8bb714cdb0 | SHA-256 | QuietSieve, communicates with moolin[.]ru domain(s)
8a8c1a292eeb404407a9fe90430663a6d17767e49d52107b60bc229c090a0ae9 | SHA-256 | QuietSieve, communicates with moolin[.]ru domain(s)
15099fc6aea1961164954033b397d773ebf4b3ef7a5567feb064329be6236a01 | SHA-256 | QuietSieve, communicates with moolin[.]ru domain(s)
137bfe2977b719d92b87699d93c0f140d659e990b482bbc5301085003c2bd58c | SHA-256 | QuietSieve, communicates with jolotras[.]ru domain(s)
0e5b4e578788760701630a810d1920d510015367bf90c1eab4373d0c48a921d9 | SHA-256 | QuietSieve, communicates with moolin[.]ru domain(s)
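As an added example (not from the MSTIC report or from this page), the script below loads the indicators from the table, refangs the domains and matches them against SHA-256 digests of files and against resolver log lines; it generalises the domain check to subdomains of the listed domains, since an infected host may query a host under moolin[.]ru rather than the apex. The DNS log lines and their layout (client=... query=...) are constructed for the demo and are an assumption; adjust the regex to your resolver's format.

```python
"""Match file hashes and DNS query logs against the QuietSieve indicators listed above."""
import hashlib
import re
from typing import Dict, Iterable, List, Optional, Union

# Indicators copied from the table above, defanged as published; refang() restores the dots.
IOC_DOMAINS_DEFANGED = ["jolotras[.]ru", "moolin[.]ru"]
IOC_SHA256 = {
    "0afce2247ffb53783259b7dc5a0afe04d918767c991db2da906277898fd80be5",
    "e4d309735f5326a193844772fc65b186fd673436efab7c6fed9eb7e3d01b6f19",
    "f211e0eb49990edbb5de2bcf2f573ea6a0b6f3549e772fd16bf7cc214d924824",
    "6d4b97e74abf499fa983b73a1e6957eadb2ec6a83e206fff1ab863448e4262c6",
    "eb1724d14397de8f9dca4720dada0195ebb99d72427703cabcb47b174a3bfea2",
    "b92dcbacbaaf0a05c805d31762cd4e45c912ba940c57b982939d79731cf97217",
    "b3d68268bd4bb14b6d412cef2b12ae4f2a385c36600676c1a9988cf1e9256877",
    "a6867e9086a8f713a962238204a3266185de2cc3c662fba8d79f0e9b22ce8dd6",
    "a01e12988448a5b26d1d1adecc2dda539b5842f6a7044f8803a52c8bb714cdb0",
    "8a8c1a292eeb404407a9fe90430663a6d17767e49d52107b60bc229c090a0ae9",
    "15099fc6aea1961164954033b397d773ebf4b3ef7a5567feb064329be6236a01",
    "137bfe2977b719d92b87699d93c0f140d659e990b482bbc5301085003c2bd58c",
    "0e5b4e578788760701630a810d1920d510015367bf90c1eab4373d0c48a921d9",
}


def refang(indicator: str) -> str:
    """Turn the published 'moolin[.]ru' form back into a real domain name."""
    return indicator.replace("[.]", ".").strip().lower()


IOC_DOMAINS = {refang(d) for d in IOC_DOMAINS_DEFANGED}


def domain_matches(qname: str) -> Optional[str]:
    """Return the IoC domain that qname equals or sits under, or None.
    Label-boundary matching avoids hits on look-alikes such as notmoolin.ru or moolin.ru.evil.test."""
    q = qname.rstrip(".").lower()
    for d in IOC_DOMAINS:
        if q == d or q.endswith("." + d):
            return d
    return None


def sha256_hex(data: Union[bytes, str]) -> str:
    """SHA-256 of raw bytes, or of a file when given a path (read in 1 MiB chunks)."""
    h = hashlib.sha256()
    if isinstance(data, (bytes, bytearray)):
        h.update(data)
    else:
        with open(data, "rb") as f:
            for chunk in iter(lambda: f.read(1 << 20), b""):
                h.update(chunk)
    return h.hexdigest()


def hash_is_ioc(digest: str) -> bool:
    return digest.strip().lower() in IOC_SHA256


def scan_files(paths: Iterable[str]) -> List[str]:
    """Paths whose SHA-256 appears in the QuietSieve hash list."""
    return [p for p in paths if hash_is_ioc(sha256_hex(p))]


# Constructed resolver log layout for the demo (assumption, not a format from the report).
DNS_LINE = re.compile(r"client=(?P<client>\S+)\s+query=(?P<qname>\S+)")


def scan_dns_log(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Return one hit per log line whose queried name matches an IoC domain."""
    hits: List[Dict[str, object]] = []
    for lineno, line in enumerate(lines, 1):
        m = DNS_LINE.search(line)
        if not m:
            continue
        ioc = domain_matches(m["qname"])
        if ioc:
            hits.append({"line": lineno, "client": m["client"], "qname": m["qname"], "ioc": ioc})
    return hits


# Constructed sample log: line 2 and line 4 should hit, line 3 is a look-alike that must not.
SAMPLE_DNS_LOG = [
    "2022-02-04T09:00:01Z client=10.0.0.5 query=www.example.com type=A",
    "2022-02-04T09:00:07Z client=10.0.0.5 query=update.moolin.ru type=A",
    "2022-02-04T09:00:09Z client=10.0.0.9 query=moolin.ru.lookalike.test type=A",
    "2022-02-04T09:00:12Z client=10.0.0.7 query=jolotras.ru. type=A",
]

if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_DNS_LOG):
        print("line %d: %s resolved %s (IoC %s)" % (hit["line"], hit["client"], hit["qname"], hit["ioc"]))
    print("benign payload flagged:", hash_is_ioc(sha256_hex(b"benign test payload")))
```

Hash matching is only useful against the exact samples MSTIC listed; a recompiled or repacked QuietSieve build will not match, so the domain check (and, on the endpoint, the remote-template check) is the more durable of the two.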
