In early March, Google’s Threat Analysis Group (TAG) published an update on the cyber activity it was tracking with regard to the war in Ukraine. Since our last update, TAG has observed a continuously growing number of threat actors using the war as a lure in phishing and malware campaigns. Government-backed actors from China, Iran, North Korea and Russia, as well as various unattributed groups, have used various Ukraine war-related themes in an effort to get targets to open malicious emails or click malicious links.

Financially motivated and criminal actors are also using current events as a means for targeting users. For example, one actor is impersonating military personnel to extort money for rescuing relatives in Ukraine. TAG has also continued to observe multiple ransomware brokers continuing to operate in a business as usual sense.

As always, we continue to publish details surrounding the actions we take against coordinated influence operations in our quarterly TAG bulletin. We promptly identify and remove any such content, but have not observed any significant shifts from the normal levels of activity that occur in the region.

Here is a deeper look at the campaign activity TAG has observed over the past two weeks:

Curious Gorge, a group TAG attributes to China's PLA SSF, has conducted campaigns against government and military organizations in Ukraine, Russia, Kazakhstan, and Mongolia. While this activity largely does not impact Google products, we remain engaged and are providing notifications to victim organizations.

Recently observed IPs used in Curious Gorge campaigns:

• 5.188.108[.]119
• 91.216.190[.]58
• 103.27.186[.]23
• 114.249.31[.]171
• 45.154.12[.]167

COLDRIVER, a Russian-based threat actor sometimes referred to as Calisto, has launched credential phishing campaigns, targeting several US based NGOs and think tanks, the military of a Balkans country, and a Ukraine based defense contractor. However, for the first time, TAG has observed COLDRIVER campaigns targeting the military of multiple Eastern European countries, as well as a NATO Centre of Excellence. These campaigns were sent using newly created Gmail accounts to non-Google accounts, so the success rate of these campaigns is unknown. We have not observed any Gmail accounts successfully compromised during these campaigns.

Recently observed COLDRIVER credential phishing domains:

• protect-link[.]online
• drive-share[.]live
• protection-office[.]live
• proton-viewer[.]com

Ghostwriter, a Belarusian threat actor, recently introduced a new capability into their credential phishing campaigns. In mid-March, a security researcher released a blog post detailing a 'Browser in the Browser' phishing technique. While TAG has previously observed this technique being used by multiple government-backed actors, the media picked up on this blog post, publishing several stories highlighting this phishing capability.

Ghostwriter actors have quickly adopted this new technique, combining it with a previously observed technique, hosting credential phishing landing pages on compromised sites. The new technique, displayed below, draws a login page that appears to be on the passport.i.ua domain, overtop of the page hosted on the compromised site. Once a user provides credentials in the dialog, they are posted to an attacker controlled domain.

Recently observed Ghostwriter credential phishing domains:

• login-verification[.]top
• login-verify[.]top
• ua-login[.]top
• secure-ua[.]space
• secure-ua[.]top

The team continues to work around the clock, focusing on the safety and security of our users and the platforms that help them access and share important information. We’ll continue to take action, identify bad actors and share relevant information with others across industry and governments, with the goal of bringing awareness to these issues, protecting users and preventing future attacks. While we are actively monitoring activity related to Ukraine and Russia, we continue to be just as vigilant in relation to other threat actors globally, to ensure that they do not take advantage of everyone’s focus on this region.

On February 10, Threat Analysis Group discovered two distinct North Korean government-backed attacker groups exploiting a remote code execution vulnerability in Chrome, CVE-2022-0609. These groups' activity has been publicly tracked as Operation Dream Job and Operation AppleJeus.

We observed the campaigns targeting U.S. based organizations spanning news media, IT, cryptocurrency and fintech industries. However, other organizations and countries may have been targeted. One of the campaigns has direct infrastructure overlap with a campaign targeting security researchers which we reported on last year. The exploit was patched on February 14, 2022. The earliest evidence we have of this exploit kit being actively deployed is January 4, 2022.

We suspect that these groups work for the same entity with a shared supply chain, hence the use of the same exploit kit, but each operate with a different mission set and deploy different techniques. It is possible that other North Korean government-backed attackers have access to the same exploit kit.

In this blog, we will walk through the observed tactics, techniques and procedures, share relevant IOCs and analyze the exploit kit used by the attackers. In line with our current disclosure policy, we are providing these details 30 days after the patch release.

Campaign targeting news media and IT companies

The campaign, consistent with Operation Dream Job, targeted over 250 individuals working for 10 different news media, domain registrars, web hosting providers and software vendors. The targets received emails claiming to come from recruiters at Disney, Google and Oracle with fake potential job opportunities. The emails contained links spoofing legitimate job hunting websites like Indeed and ZipRecruiter.

Victims who clicked on the links would be served a hidden iframe that would trigger the exploit kit.

Attacker-Owned Fake Job Domains:

• disneycareers[.]net
• find-dreamjob[.]com
• indeedus[.]org
• varietyjob[.]com
• ziprecruiters[.]org

Exploitation URLs:

• https[:]//colasprint[.]com/about/about.asp (legitimate but compromised website)
• https[:]//varietyjob[.]com/sitemap/sitemap.asp

Campaign targeting cryptocurrency and Fintech organizations

Another North Korean group, whose activity has been publicly tracked as Operation AppleJeus, targeted over 85 users in cryptocurrency and fintech industries leveraging the same exploit kit. This included compromising at least two legitimate fintech company websites and hosting hidden iframes to serve the exploit kit to visitors. In other cases, we observed fake websites — already set up to distribute trojanized cryptocurrency applications — hosting iframes and pointing their visitors to the exploit kit.

Attacker-Owned Websites:

• blockchainnews[.]vip
• chainnews-star[.]com
• financialtimes365[.]com
• fireblocks[.]vip
• gatexpiring[.]com
• gbclabs[.]com
• giantblock[.]org
• humingbot[.]io
• onlynova[.]org
• teenbeanjs[.]com

Compromised Websites (Feb 7 - Feb 9):

• www.options-it[.]com
• www.tradingtechnologies[.]com

Exploitation URLs:

• https[:]//financialtimes365[.]com/user/finance.asp
• https[:]//gatexpiring[.]com/gate/index.asp
• https[:]//humingbot[.]io/cdn/js.asp
• https[:]//teenbeanjs[.]com/cloud/javascript.asp

Exploit kit overview

The attackers made use of an exploit kit that contained multiple stages and components in order to exploit targeted users. The attackers placed links to the exploit kit within hidden iframes, which they embedded on both websites they owned as well as some websites they compromised.

The kit initially serves some heavily obfuscated javascript used to fingerprint the target system. This script collected all available client information such as the user-agent, resolution, etc. and then sent it back to the exploitation server. If a set of unknown requirements were met, the client would be served a Chrome RCE exploit and some additional javascript. If the RCE was successful, the javascript would request the next stage referenced within the script as “SBX”, a common acronym for Sandbox Escape. We unfortunately were unable to recover any of the stages that followed the initial RCE.

Careful to protect their exploits, the attackers deployed multiple safeguards to make it difficult for security teams to recover any of the stages. These safeguards included:

• Only serving the iframe at specific times, presumably when they knew an intended target would be visiting the site.
• In some email campaigns the targets received links with unique IDs. This was potentially used to enforce a one-time-click policy for each link and allow the exploit kit to only be served once.
• The exploit kit would AES encrypt each stage, including the clients’ responses with a session-specific key.
• Additional stages were not served if the previous stage failed.

Although we recovered a Chrome RCE, we also found evidence where the attackers specifically checked for visitors using Safari on MacOS or Firefox (on any OS), and directed them to specific links on known exploitation servers. We did not recover any responses from those URLs.

Example Exploit Kit:

• 03a41d29e3c9763093aca13f1cc8bcc41b201a6839c381aaaccf891204335685

The attackers made multiple attempts to use the exploit days after the vulnerability was patched on February 14, which stresses the importance of applying security updates as they become available.

Protecting Our Users

As part of our efforts to combat serious threat actors, we use results of our research to improve the safety and security of our products. Upon discovery, all identified websites and domains were added to Safe Browsing to protect users from further exploitation. We also sent all targeted Gmail and Workspace users government-backed attacker alerts notifying them of the activity. We encourage any potential targets to enable Enhanced Safe Browsing for Chrome and ensure that all devices are updated.

TAG is committed to sharing our findings as a way of raising awareness with the security community, and with companies and individuals that might have been targeted or suffered from these activities. We hope that improved understanding of the tactics and techniques will enhance threat hunting capability and lead to stronger user protections across industry.

In early September 2021, Threat Analysis Group (TAG) observed a financially motivated threat actor we refer to as EXOTIC LILY, exploiting a 0day in Microsoft MSHTML (CVE-2021-40444). Investigating this group's activity, we determined they are an Initial Access Broker (IAB) who appear to be working with the Russian cyber crime gang known as FIN12 (Mandiant, FireEye) / WIZARD SPIDER (CrowdStrike).

Initial access brokers are the opportunistic locksmiths of the security world, and it’s a full-time job. These groups specialize in breaching a target in order to open the doors—or the Windows—to the malicious actor with the highest bid.

EXOTIC LILY is a resourceful, financially motivated group whose activities appear to be closely linked with data exfiltration and deployment of human-operated ransomware such as Conti and Diavol. At the peak of EXOTIC LILY’s activity, we estimate they were sending more than 5,000 emails a day, to as many as 650 targeted organizations globally. Up until November 2021, the group seemed to be targeting specific industries such as IT, cybersecurity and healthcare, but as of late we have seen them attacking a wide variety of organizations and industries, with less specific focus.

We have observed this threat actor deploying tactics, techniques and procedures (TTPs) that are traditionally associated with more targeted attacks, like spoofing companies and employees as a means of gaining trust of a targeted organization through email campaigns that are believed to be sent by real human operators using little-to-no automation. Additionally and rather uniquely, they leverage legitimate file-sharing services like WeTransfer, TransferNow and OneDrive to deliver the payload, further evading detection mechanisms. This level of human-interaction is rather unusual for cyber crime groups focused on mass scale operations.

Spoofing Organizations and Identities

EXOTIC LILY’s attack chain has remained relatively consistent throughout the time we’ve been tracking the group:

One notable technique is the use of domain and identity spoofing as a way of gaining additional credibility with a targeted organization. In the majority of cases, a spoofed domain name was identical to a real domain name of an existing organization, with the only difference being a change of TLD to “.us”, “.co” or “.biz”.

Initially, the group would create entirely fake personas posing as employees of a real company. That would sometimes consist of creating social media profiles, personal websites and generating a fake profile picture using a public service to create an AI-generated human face. In November 2021, the group began to impersonate real company employees by copying their personal data from social media and business databases such as RocketReach and CrunchBase.

Using spoofed email accounts, attackers would then send spear phishing emails under the pretext of a business proposal, such as seeking to outsource a software development project or an information security service.

Attackers would sometimes engage in further communication with the target by attempting to schedule a meeting to discuss the project's design or requirements.

At the final stage, the attacker would upload the payload to a public file-sharing service (TransferNow, TransferXL, WeTransfer or OneDrive) and then use a built-in email notification feature to share the file with the target, allowing the final email to originate from the email address of a legitimate file-sharing service and not the attacker’s email, which presents additional detection challenges.

Human-Operated Phishing at Scale

Further evidence suggests an operator’s responsibilities might include:

• customizing the initial “business proposal” templates when first reaching out to a targeted organization;
• handling further communications in order to gain affinity and trust;
• uploading malware (acquired from another group) to a file-sharing service prior to sharing it with the target.

A breakdown of the actor’s communication activity shows the operators are working a fairly typical 9-to-5 job, with very little activity during the weekends. Distribution of the actor’s working hours suggest they might be working from a Central or an Eastern Europe timezone.

Malware and Attribution

Although the group came to our attention initially due to its use of documents containing an exploit for CVE-2021-40444, they later switched to the delivery of ISO files with hidden BazarLoader DLLs and LNK shortcuts. These samples have some indicators that suggest they were custom-built to be used by the group. For example, metadata embedded in the LNK shortcuts shows that a number of fields, such as the “Machine Identifier” and “Drive Serial Number” were shared with BazarLoader ISOs distributed via other means, however other fields such as the command line arguments were unique for samples distributed by EXOTIC LILY.

In March, the group continued delivering ISO files, but with a DLL containing a custom loader which is a more advanced variant of a first-stage payload previously seen during CVE-2021-40444 exploitation. The loader can be recognized by its use of a unique user-agent “bumblebee” which both variants share. The malware, hence dubbed BUMBLEBEE, uses WMI to collect various system details such as OS version, user name and domain name, which are then exfiltrated in JSON format to a C2. In response, it expects to receive one of the several supported “tasks”, which include execution of shellcode, dropping and running executable files. At the time of the analysis, BUMBLEBEE was observed to fetch Cobalt Strike payloads.

EXOTIC LILY activities overlap with a group tracked as DEV-0413 (Microsoft) and were also described by Abnormal in their recent post. Earlier reports of attacks exploiting CVE-2021-40444 (by Microsoft and other members of the security community) have also indicated overlaps between domains involved in the delivery chain of an exploit and infrastructure used for BazarLoader and Trickbot distribution.

We believe the shift to deliver BazarLoader, along with some other indicators such as a unique Cobalt Strike profile (described by RiskIQ) further confirms the existence of a relationship between EXOTIC LILY and actions of a Russian cyber crime group tracked as WIZARD SPIDER (CrowdStrike), FIN12 (Mandiant, FireEye) and DEV-0193 (Microsoft). While the nature of those relationships remains unclear, EXOTIC LILY seems to operate as a separate entity, focusing on acquiring initial access through email campaigns, with follow-up activities that include deployment of Conti and Diavol ransomware, which are performed by a different set of actors.

Improving User Protection

As part of our efforts to combat serious threat actors, we use results of our research to improve the safety and security of our products. In collaboration with Gmail and Safe Browsing, we are improving protections by adding additional warnings for emails originating from website contact forms, better identification of spoofing, and adjusting the reputation of email file sharing notifications. Additionally, we’re working with Google’s CyberCrime Investigation Group to share relevant details and indicators with law enforcement.

TAG is committed to sharing our findings as a way of raising awareness with the security community, and with companies and individuals that might have been targeted or suffered from this threat actor’s activities. We hope that improved understanding of the group’s tactics and techniques will enhance threat hunting capability and lead to stronger user protections across industry.

Indicators of Compromise (IOCs)

Recent domains used in email campaigns:

• conlfex[.]com
• avrobio[.]co
• elemblo[.]com
• phxmfg[.]co
• modernmeadow[.]co
• lsoplexis[.]com
• craneveyor[.]us
• faustel[.]us
• lagauge[.]us
• missionbio[.]us
• richllndmetals[.]com
• kvnational[.]us
• prmflltration[.]com
• brightlnsight[.]co
• belcolnd[.]com
• awsblopharma[.]com
• amevida[.]us
• revergy[.]us
• al-ghurair[.]us
• opontia[.]us

BazarLoader ISO samples:

• 5ceb28316f29c3912332065eeaaebf59f10d79cd9388ef2a7802b9bb80d797be
• 9fdec91231fe3a709c8d4ec39e25ce8c55282167c561b14917b52701494ac269
• c896ee848586dd0c61c2a821a03192a5efef1b4b4e03b48aba18eedab1b864f7

Recent BUMBLEBEE ISO samples:

• 9eacade8174f008c48ea57d43068dbce3d91093603db0511467c18252f60de32
• 6214e19836c0c3c4bc94e23d6391c45ad87fdd890f6cbd3ab078650455c31dc8
• 201c4d0070552d9dc06b76ee55479fc0a9dfacb6dbec6bbec5265e04644eebc9
• 1fd5326034792c0f0fb00be77629a10ac9162b2f473f96072397a5d639da45dd
• 01cc151149b5bf974449b00de08ce7dbf5eca77f55edd00982a959e48d017225

Recent BUMBLEBEE C2:

• 23.81.246[.]187:443

In early September 2021, Threat Analysis Group (TAG) observed a financially motivated threat actor we refer to as EXOTIC LILY, exploiting a 0day in Microsoft MSHTML (CVE-2021-40444). Investigating this group's activity, we determined they are an Initial Access Broker (IAB) who appear to be working with the Russian cyber crime gang known as FIN12 (Mandiant, FireEye) / WIZARD SPIDER (CrowdStrike).

Initial access brokers are the opportunistic locksmiths of the security world, and it’s a full-time job. These groups specialize in breaching a target in order to open the doors—or the Windows—to the malicious actor with the highest bid.

EXOTIC LILY is a resourceful, financially motivated group whose activities appear to be closely linked with data exfiltration and deployment of human-operated ransomware such as Conti and Diavol. At the peak of EXOTIC LILY’s activity, we estimate they were sending more than 5,000 emails a day, to as many as 650 targeted organizations globally. Up until November 2021, the group seemed to be targeting specific industries such as IT, cybersecurity and healthcare, but as of late we have seen them attacking a wide variety of organizations and industries, with less specific focus.

We have observed this threat actor deploying tactics, techniques and procedures (TTPs) that are traditionally associated with more targeted attacks, like spoofing companies and employees as a means of gaining trust of a targeted organization through email campaigns that are believed to be sent by real human operators using little-to-no automation. Additionally and rather uniquely, they leverage legitimate file-sharing services like WeTransfer, TransferNow and OneDrive to deliver the payload, further evading detection mechanisms. This level of human-interaction is rather unusual for cyber crime groups focused on mass scale operations.

Spoofing Organizations and Identities

EXOTIC LILY’s attack chain has remained relatively consistent throughout the time we’ve been tracking the group:

One notable technique is the use of domain and identity spoofing as a way of gaining additional credibility with a targeted organization. In the majority of cases, a spoofed domain name was identical to a real domain name of an existing organization, with the only difference being a change of TLD to “.us”, “.co” or “.biz”.

Initially, the group would create entirely fake personas posing as employees of a real company. That would sometimes consist of creating social media profiles, personal websites and generating a fake profile picture using a public service to create an AI-generated human face. In November 2021, the group began to impersonate real company employees by copying their personal data from social media and business databases such as RocketReach and CrunchBase.

Using spoofed email accounts, attackers would then send spear phishing emails under the pretext of a business proposal, such as seeking to outsource a software development project or an information security service.

Attackers would sometimes engage in further communication with the target by attempting to schedule a meeting to discuss the project's design or requirements.

At the final stage, the attacker would upload the payload to a public file-sharing service (TransferNow, TransferXL, WeTransfer or OneDrive) and then use a built-in email notification feature to share the file with the target, allowing the final email to originate from the email address of a legitimate file-sharing service and not the attacker’s email, which presents additional detection challenges.

Human-Operated Phishing at Scale

Further evidence suggests an operator’s responsibilities might include:

• customizing the initial “business proposal” templates when first reaching out to a targeted organization;
• handling further communications in order to gain affinity and trust;
• uploading malware (acquired from another group) to a file-sharing service prior to sharing it with the target.

A breakdown of the actor’s communication activity shows the operators are working a fairly typical 9-to-5 job, with very little activity during the weekends. Distribution of the actor’s working hours suggest they might be working from a Central or an Eastern Europe timezone.

Malware and Attribution

Although the group came to our attention initially due to its use of documents containing an exploit for CVE-2021-40444, they later switched to the delivery of ISO files with hidden BazarLoader DLLs and LNK shortcuts. These samples have some indicators that suggest they were custom-built to be used by the group. For example, metadata embedded in the LNK shortcuts shows that a number of fields, such as the “Machine Identifier” and “Drive Serial Number” were shared with BazarLoader ISOs distributed via other means, however other fields such as the command line arguments were unique for samples distributed by EXOTIC LILY.

In March, the group continued delivering ISO files, but with a DLL containing a custom loader which is a more advanced variant of a first-stage payload previously seen during CVE-2021-40444 exploitation. The loader can be recognized by its use of a unique user-agent “bumblebee” which both variants share. The malware, hence dubbed BUMBLEBEE, uses WMI to collect various system details such as OS version, user name and domain name, which are then exfiltrated in JSON format to a C2. In response, it expects to receive one of the several supported “tasks”, which include execution of shellcode, dropping and running executable files. At the time of the analysis, BUMBLEBEE was observed to fetch Cobalt Strike payloads.

EXOTIC LILY activities overlap with a group tracked as DEV-0413 (Microsoft) and were also described by Abnormal in their recent post. Earlier reports of attacks exploiting CVE-2021-40444 (by Microsoft and other members of the security community) have also indicated overlaps between domains involved in the delivery chain of an exploit and infrastructure used for BazarLoader and Trickbot distribution.

We believe the shift to deliver BazarLoader, along with some other indicators such as a unique Cobalt Strike profile (described by RiskIQ) further confirms the existence of a relationship between EXOTIC LILY and actions of a Russian cyber crime group tracked as WIZARD SPIDER (CrowdStrike), FIN12 (Mandiant, FireEye) and DEV-0193 (Microsoft). While the nature of those relationships remains unclear, EXOTIC LILY seems to operate as a separate entity, focusing on acquiring initial access through email campaigns, with follow-up activities that include deployment of Conti and Diavol ransomware, which are performed by a different set of actors.

Improving User Protection

As part of our efforts to combat serious threat actors, we use results of our research to improve the safety and security of our products. In collaboration with Gmail and Safe Browsing, we are improving protections by adding additional warnings for emails originating from website contact forms, better identification of spoofing, and adjusting the reputation of email file sharing notifications. Additionally, we’re working with Google’s CyberCrime Investigation Group to share relevant details and indicators with law enforcement.

TAG is committed to sharing our findings as a way of raising awareness with the security community, and with companies and individuals that might have been targeted or suffered from this threat actor’s activities. We hope that improved understanding of the group’s tactics and techniques will enhance threat hunting capability and lead to stronger user protections across industry.

Indicators of Compromise (IOCs)

Recent domains used in email campaigns:

• conlfex[.]com
• avrobio[.]co
• elemblo[.]com
• phxmfg[.]co
• modernmeadow[.]co
• lsoplexis[.]com
• craneveyor[.]us
• faustel[.]us
• lagauge[.]us
• missionbio[.]us
• richllndmetals[.]com
• kvnational[.]us
• prmflltration[.]com
• brightlnsight[.]co
• belcolnd[.]com
• awsblopharma[.]com
• amevida[.]us
• revergy[.]us
• al-ghurair[.]us
• opontia[.]us

BazarLoader ISO samples:

• 5ceb28316f29c3912332065eeaaebf59f10d79cd9388ef2a7802b9bb80d797be
• 9fdec91231fe3a709c8d4ec39e25ce8c55282167c561b14917b52701494ac269
• c896ee848586dd0c61c2a821a03192a5efef1b4b4e03b48aba18eedab1b864f7

Recent BUMBLEBEE ISO samples:

• 9eacade8174f008c48ea57d43068dbce3d91093603db0511467c18252f60de32
• 6214e19836c0c3c4bc94e23d6391c45ad87fdd890f6cbd3ab078650455c31dc8
• 201c4d0070552d9dc06b76ee55479fc0a9dfacb6dbec6bbec5265e04644eebc9
• 1fd5326034792c0f0fb00be77629a10ac9162b2f473f96072397a5d639da45dd
• 01cc151149b5bf974449b00de08ce7dbf5eca77f55edd00982a959e48d017225

Recent BUMBLEBEE C2:

• 23.81.246[.]187:443

Online security is extremely important for people in Ukraine and the surrounding region right now. Government agencies, independent newspapers and public service providers need it to function and individuals need to communicate safely. Google’s Threat Analysis Group (TAG) has been working around the clock, focusing on the safety and security of our users and the platforms that help them access and share important information.

This work continues our longstanding efforts to take action against threat actors in this region. In the last 12 months, TAG has issued hundreds of government-backed attack warnings to Ukrainian users alerting them that they have been the target of government backed hacking, largely emanating from Russia.

Over the past two weeks, TAG has observed activity from a range of threat actors that we regularly monitor and are well-known to law enforcement, including FancyBear and Ghostwriter. This activity ranges from espionage to phishing campaigns. We’re sharing this information to help raise awareness among the security community and high risk users:

FancyBear/APT28, a threat actor attributed to Russia GRU, has conducted several large credential phishing campaigns targeting ukr.net users, UkrNet is a Ukrainian media company. The phishing emails are sent from a large number of compromised accounts (non-Gmail/Google), and include links to attacker controlled domains.

In two recent campaigns, the attackers used newly created Blogspot domains as the initial landing page, which then redirected targets to credential phishing pages. All known attacker-controlled Blogspot domains have been taken down.

Example credential phishing domains observed during these campaigns:

• id-unconfirmeduser[.]frge[.]io
• hatdfg-rhgreh684[.]frge[.]io
• ua-consumerpanel[.]frge[.]io
• consumerspanel[.]frge[.]io

Ghostwriter/UNC1151, a Belarusian threat actor, has conducted credential phishing campaigns over the past week against Polish and Ukrainian government and military organizations. TAG has also identified campaigns targeting webmail users from the following providers:

• i.ua
• meta.ua
• rambler.ru
• ukr.net
• wp.pl
• yandex.ru

Example credential phishing domains observed during these campaigns:

• accounts[.]secure-ua[.]website
• i[.]ua-passport[.]top
• login[.]creditals-email[.]space
• post[.]mil-gov[.]space
• verify[.]rambler-profile[.]site

These phishing domains have been blocked through Google Safe Browsing – a service that identifies unsafe websites across the web and notifies users and website owners of potential harm.

Mustang Panda or Temp.Hex, a China-based threat actor, targeted European entities with lures related to the Ukrainian invasion. TAG identified malicious attachments with file names such as 'Situation at the EU borders with Ukraine.zip'. Contained within the zip file is an executable of the same name that is a basic downloader and when executed, downloads several additional files that load the final payload. To mitigate harm, TAG alerted relevant authorities of its findings.

Targeting of European organizations has represented a shift from Mustang Panda’s regularly observed Southeast Asian targets.

DDoS Attacks

We continue to see DDoS attempts against numerous Ukraine sites, including the Ministry of Foreign Affairs, Ministry of Internal Affairs, as well as services like Liveuamap that are designed to help people find information. We expanded eligibility for Project Shield, our free protection against DDoS attacks, so that Ukrainian government websites, embassies worldwide and other governments in close proximity to the conflict can stay online, protect themselves and continue to offer their crucial services and ensure access to the information people need.

Project Shield allows Google to absorb the bad traffic in a DDoS attack and act as a “shield” for websites, allowing them to continue operating and defend against these attacks. As of today, over 150 websites in Ukraine, including many news organizations, are using the service. We encourage all eligible organizationsto register for Project Shield so our systems can help block these attacks and keep websites online.

We’ll continue to take action, identify bad actors and share relevant information with others across industry and governments, with the goal of bringing awareness to these issues, protecting users and preventing future attacks. And while we are actively monitoring activity related to Ukraine and Russia, we continue to be just as vigilant in relation to other threat actors globally, to ensure that they do not take advantage of everyone’s focus on this region.

This bulletin includes coordinated influence operation campaigns terminated on our platforms in Q1 2022. It was last updated on February 28, 2022.

January

• We terminated 3 YouTube channels as part of our investigation into coordinated influence operations. The campaign uploaded content in Arabic that was critical of former Sudanese president Omar al-Bashir and supportive of the 2019 Sudanese coup d’état. Our findings are similar to findings reported by Meta.
• We terminated 1 AdSense account and 1 Play developer as part of our investigation into coordinated influence operations linked to Turkey. The campaign was sharing content in Arabic that was about news and current events in Libya. Our findings are similar to findings reported by Meta.
• We terminated 42 YouTube channels and 2 Ads accounts as part of our investigation into coordinated influence operations linked to Iraq. The campaign uploaded content in Arabic that was in support of the Iraqi Harakat Hoquq party. We received leads from Mandiant that supported us in this investigation.
• We terminated 4 YouTube channels, 2 AdSense accounts, and 1 Blogger blog and blocked 6 domains from eligibility to appear on Google News surfaces and Discover as part of our investigation into reported coordinated influence operations linked to Belarus, Moldova, and Ukraine. The campaign was sharing content in English that was about a variety of topics including US and European current events. We believe this operation was financially motivated.
• We terminated 4361 YouTube channels as part of our ongoing investigation into coordinated influence operations linked to China. These channels mostly uploaded spammy content in Chinese about music, entertainment, and lifestyle. A very small subset uploaded content in Chinese and English about China and U.S. foreign affairs. These findings are consistent with our previous reports

Google TAG actively monitors threat actors and the evolution of their tactics and techniques. We use our research to continuously improve the safety and security of our products and share this intelligence with the community to benefit the internet as a whole.

As announced today, Google has taken action to disrupt the operations of Glupteba, a multi-component botnet targeting Windows computers. We believe this action will have a significant impact on Glupteba's operations. However, the operators of Glupteba are likely to attempt to regain control of the botnet using a backup command and control mechanism that uses data encoded on the Bitcoin blockchain.

Glupteba is known to steal user credentials and cookies, mine cryptocurrencies on infected hosts, deploy and operate proxy components targeting Windows systems and IoT devices. TAG has observed the botnet targeting victims worldwide, including the US, India, Brazil and Southeast Asia.

The Glupteba malware family is primarily distributed through pay per install (PPI) networks and via traffic purchased from traffic distribution systems (TDS). For a period of time, we observed thousands of instances of malicious Glupteba downloads per day. The following image shows a webpage mimicking a software crack download which delivers a variant of Glupteba to users instead of the promised software.

While analyzing Glupteba binaries, our team identified a few containing a git repository URL: “git.voltronwork.com”. This finding sparked an investigation that led us to identify, with high confidence, multiple online services offered by the individuals operating the Glupteba botnet. These services include selling access to virtual machines loaded with stolen credentials (dont[.]farm), proxy access (awmproxy), and selling credit card numbers (extracard) to be used for other malicious activities such as serving malicious ads and payment fraud on Google Ads.

This past year, TAG has been collaborating with Google’s CyberCrime Investigation Group to disrupt Glupteba activity involving Google services. We’ve terminated around 63M Google Docs observed to have distributed Glupteba, 1,183 Google Accounts, 908 Cloud Projects, and 870 Google Ads accounts associated with their distribution. Furthermore, 3.5M users were warned before downloading a malicious file through Google Safe Browsing warnings.

In the last few days, our team partnered with Internet infrastructure providers and hosting providers, including CloudFlare, to disrupt Glupteba’s operation by taking down servers and placing warning interstitial pages in front of the malicious domain names. During this time, an additional 130 Google accounts associated with this operation were terminated.

Parallel to the analysis, tracking, and technical disruption of this botnet, Google has filed a lawsuit against two individuals believed to be located in Russia for operating the Glupteba Botnet and its various criminal schemes. Google is alleging violations under the Racketeer Influenced and Corrupt Organizations Act (RICO), the Computer Fraud and Abuse Act, the Electronic Communications Privacy Act, the Lanham Act, and tortious interference of business relationships, and unjust enrichment.

While these actions may not completely stop Glupteba, TAG estimates that combined efforts will materially affect the actor’s ability to conduct future operations.

Glupteba’s C2 Backup Mechanism

The command and control (C2) communication for this botnet uses HTTPS to communicate commands and binary updates between the control servers and infected systems. To add resilience to their infrastructure, the operators have also implemented a backup mechanism using the Bitcoin blockchain. In the event that the main C2 servers do not respond, the infected systems can retrieve backup domains encrypted in the latest transaction from the following bitcoin wallet addresses:

• '1CgPCp3E9399ZFodMnTSSvaf5TpGiym2N1' [1]
• '15y7dskU5TqNHXRtu5wzBpXdY5mT4RZNC6’ [2]
• '1CUhaTe3AiP9Tdr4B6wedoe9vNsymLiD97' [3]

The following 32 byte AES keys for decryption are hard coded in the binaries:

• 'd8727a0e9da3e98b2e4e14ce5a6cf33ef26c6231562a3393ca465629d66503cf'
• ‘1bd83f6ed9bb578502bfbb70dd150d286716e38f7eb293152a554460e9223536’

The blockchain transaction’s OP_RETURN data can be decrypted using AES-256 GCM to provide a backup command and control domain name. The first 12 bytes of the OP_RETURN contains the IV, the last 16 bytes the GCM tag, while the middle section is the AES-256 GCM encrypted domain. Full details of Glupteba’s network protocol can be found in this report from 2020, the following Python script illustrates how one can decrypt an encrypted domain name:

IOCs

Recent domains used for command and control:

• nisdably[.]com
• runmodes[.]com
• yturu[.]com
• retoti[.]com
• trumops[.]com
• evocterm[.]com
• iceanedy[.]com
• ninhaine[.]com
• anuanage[.]info

Recent sha256 hashes of malware samples:

• df84d3e83b4105f9178e518ca69e1a2ec3116d3223003857d892b8a6f64b05ba
• eae4968682064af4ae6caa7fff78954755537a348dce77998e52434ccf9258a2
• a2fd759ee5c470da57d8348985dc34348ccaff3a8b1f5fa4a87e549970eeb406
• d8a54d4b9035c95b8178d25df0c8012cf0eedc118089001ac21b8803bb8311f4
• c3f257224049584bd80a37c5c22994e2f6facace7f7fb5c848a86be03b578ee8
• 8632d2ac6e01b6e47f8168b8774a2c9b5fafaa2470d4e780f46b20422bc13047
• 03d2771d83c50cc5cdcbf530f81cffc918b71111b1492ccfdcefb355fb62e025
• e673ce1112ee159960f1b7fed124c108b218d6e5aacbcb76f93d29d61bd820ed
• 8ef882a44344497ef5b784965b36272a27f8eabbcbcea90274518870b13007a0
• 79616f9be5b583cefc8a48142f11ae8caf737be07306e196a83bb0c3537ccb3e
• db84d13d7dbba245736c9a74fc41a64e6bd66a16c1b44055bd0447d2ae30b614

This bulletin includes coordinated influence operation campaigns terminated on our platforms in Q4 2021. It was last updated on December 2, 2021.

October

• We terminated 9 YouTube channels and 1 ads account as part of our investigation into coordinated influence operations linked to Vietnam. The campaign uploaded conspiracy theory content in English and Korean. We believe this operation was financially motivated
• We terminated 4 AdSense accounts and blocked 22 domains from eligibility to appear on Google News surfaces and Discover as part of our investigation into a reported coordinated influence operation linked to India. The campaign uploaded a variety of news content in English to domains that were designed to look as if they were independent news outlets in various US states and European countries. We believe this operation was financially motivated. We received leads from the FBI that supported us in this investigation.
• We terminated 37 YouTube channels and 4 blogs as part of our investigation into coordinated influence operations linked to Sudan. The campaign uploaded content in Arabic that was supportive of the Sudanese military. Our findings are similar to findings reported by Facebook.
• We terminated 3 YouTube channels as part of our investigation into coordinated influence operations linked to Uganda. The campaign uploaded content in English that was critical of Ugandan opposition political parties. Our findings are similar to findings reported by Twitter.
• We terminated 3,311 YouTube channels as part of our ongoing investigation into coordinated influence operations linked to China. These channels mostly uploaded spammy content in Chinese about music, entertainment, and lifestyle. A very small subset uploaded content in Chinese and English about China’s COVID-19 vaccine efforts and social issues in the U.S. These findings are consistent with our previous reports.