Russian Hackers Attacking Ukraine Military With Malware Via Telegram


Attackers favor Telegram for malware distribution because its channels reach large audiences, file sharing is frictionless, and accounts are cheap to create and hard to attribute.

Promoted posts in popular channels also let an operator borrow the credibility of a trusted source, which is exactly how the campaign described below spread.


Google Threat Intelligence Group recently reported that Russian operators are targeting the Ukrainian military with malware distributed via Telegram.

Technical Analysis

In September 2024, Google's Threat Intelligence Group, comprising TAG and Mandiant, uncovered a Russian espionage and influence operation run by a group tracked as UNC5812, which operated through a deceptive Telegram channel, "@civildefense_com_ua", and a matching website, "civildefense[.]com.ua".

UNC5812’s ‘Civil Defense’ persona (Source – Google Cloud)

According to the Google Cloud report, the operation posed as a "Civil Defense" service offering software to track the locations of Ukrainian military recruiters, but what it actually distributed was malware for both Windows and Android devices.

For Windows users, the operation deployed Pronsis Loader, a downloader written in PHP and compiled to Java Virtual Machine bytecode with JPHP, which in turn installed two payloads:

  • SUNSPINNER (a decoy mapping application)
  • PURESTEALER (an information-stealing malware)

Android users were served CRAXSRAT, a commercial Android backdoor, and the site's installation instructions told them to disable Google Play Protect so the APK could be installed.


The operation spread through promoted posts in legitimate Ukrainian Telegram channels, including a missile alerts channel with 80,000+ subscribers, and continued active promotion until at least October 8th, 2024. 

Delivery was multi-stage and leaned heavily on social engineering: the site's step-by-step installation guide walked victims through disabling security features and granting the apps extensive permissions.

In parallel, UNC5812 ran an influence operation on the same platform, soliciting videos of "unfair actions from territorial recruitment centers" through a dedicated Telegram account (https://t[.]me/UAcivildefenseUA).

UNC5812’s Telegram and a Russian government X account sharing the same video (Source – Google Cloud)

The website also maintained a news section of "anti-mobilization content" that was later amplified across pro-Russian social media, including the Russian Embassy in South Africa's X (formerly Twitter) account.

The decoy is SUNSPINNER (MD5: 4ca65a7efe2e4502e2031548ae588cb8), a mapping application built with the Flutter framework that displays fabricated locations of Ukrainian military recruiters and communicates with a backend at h315225216.nichost[.]ru.

On Windows, the infection chain starts with CivilDefense.exe (MD5: 7ef871a86d076dac67c2036d1bb24c39), a Pronsis Loader sample that fetches both the SUNSPINNER decoy and a second-stage downloader, civildefensestarter.exe (MD5: d36d303d2954cb4309d34c613747ce58).

The second stage installs PURESTEALER (MD5: b3cf993d918c2c61c7138b4b8a98b6bf), a commercial .NET information stealer that harvests browser credentials, cryptocurrency wallets and messaging-app data.

On Android, the site serves CivilDefensse.apk (MD5: 31cdae71f21e1fad7581b5f305a9d185), which bundles CRAXSRAT, a commercial Android backdoor capable of file manipulation, SMS interception, credential theft and comprehensive device monitoring.

Both the Windows and Android builds of the SUNSPINNER decoy fetch their map markers from the same backend endpoint, fu-laravel.onrender[.]com/api/markers, which ties the two delivery chains to a single operator.

The campaign targets Ukraine's military recruitment effort, and its timing follows the 2024 changes to Ukraine's mobilization laws and the introduction of digital military IDs, which made anti-mobilization themes a ready lure for both the malware and the influence messaging.


Indicators of Compromise

Indicator                                  Context
civildefense[.]com[.]ua                    UNC5812 landing page
t[.]me/civildefense_com_ua                 UNC5812 Telegram channel
t[.]me/UAcivildefenseUA                    UNC5812 Telegram account
e98ee33466a270edc47fdd9faf67d82e           SUNSPINNER decoy
h315225216.nichost[.]ru                    Resolver used in SUNSPINNER decoy
fu-laravel.onrender[.]com                  Hostname used in SUNSPINNER decoy
206.71.149[.]194                           C2 used to resolve distribution URLs
185.169.107[.]44                           Open directory used for malware distribution
d36d303d2954cb4309d34c613747ce58           Pronsis Loader dropper
b3cf993d918c2c61c7138b4b8a98b6bf           PURESTEALER
31cdae71f21e1fad7581b5f305a9d185           CRAXSRAT
aab597cdc5bc02f6c9d0d36ddeb7e624           CRAXSRAT w/ SUNSPINNER decoy
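The indicators above are published defanged, so they cannot be grepped against logs as-is. The script below is an added example (not Google's or the article author's code) that refangs the page's IOC list, plus the two MD5s named in the body text, and sweeps constructed DNS, proxy and EDR log lines for hashes, IPs, domains (including subdomains) and the Telegram paths. The log lines and the hostnames in them are constructed for illustration only.

```python
"""Refang the UNC5812 IOCs from this article and sweep log lines for them.

Added example, not code from the original report. The indicator list is
copied from the page; the log lines are constructed for illustration.
"""
import re

# Indicators exactly as the page lists them (defanged with [.]).
# The last two MD5s come from the article body rather than the IOC table.
DEFANGED_IOCS = {
    "civildefense[.]com[.]ua": "UNC5812 landing page",
    "t[.]me/civildefense_com_ua": "UNC5812 Telegram channel",
    "t[.]me/UAcivildefenseUA": "UNC5812 Telegram account",
    "e98ee33466a270edc47fdd9faf67d82e": "SUNSPINNER decoy",
    "h315225216.nichost[.]ru": "Resolver used in SUNSPINNER decoy",
    "fu-laravel.onrender[.]com": "Hostname used in SUNSPINNER decoy",
    "206.71.149[.]194": "C2 used to resolve distribution URLs",
    "185.169.107[.]44": "Open directory used for malware distribution",
    "d36d303d2954cb4309d34c613747ce58": "Pronsis Loader dropper",
    "b3cf993d918c2c61c7138b4b8a98b6bf": "PURESTEALER",
    "31cdae71f21e1fad7581b5f305a9d185": "CRAXSRAT",
    "aab597cdc5bc02f6c9d0d36ddeb7e624": "CRAXSRAT w/ SUNSPINNER decoy",
    "4ca65a7efe2e4502e2031548ae588cb8": "SUNSPINNER (Flutter decoy app)",
    "7ef871a86d076dac67c2036d1bb24c39": "CivilDefense.exe (Pronsis Loader)",
}

MD5_RE = re.compile(r"^[0-9a-f]{32}$")
IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
# Tokens that can carry a hash or an IP; '=' and whitespace split fields.
TOKEN_RE = re.compile(r"[a-z0-9._\-/:]+")


def refang(ioc: str) -> str:
    """Turn a defanged indicator ('[.]') back into its live form."""
    return ioc.replace("[.]", ".")


def classify(ioc: str) -> str:
    """Bucket a live, lower-cased indicator by how it should be matched."""
    if MD5_RE.match(ioc):
        return "md5"
    if IPV4_RE.match(ioc):
        return "ip"
    if "/" in ioc:          # t.me/<handle> style paths
        return "url_path"
    return "domain"


def build_index() -> dict:
    """Refang and bucket every indicator: {kind: {indicator: context}}."""
    index = {"md5": {}, "ip": {}, "url_path": {}, "domain": {}}
    for defanged, context in DEFANGED_IOCS.items():
        live = refang(defanged).lower()
        index[classify(live)][live] = context
    return index


def scan_line(line: str, index: dict) -> list:
    """Return [(kind, indicator, context), ...] for every IOC found in one line."""
    hits = []
    lower = line.lower()
    # Hashes and IPs must match a whole token, not a substring of one.
    for token in TOKEN_RE.findall(lower):
        for kind in ("md5", "ip"):
            if token in index[kind]:
                hits.append((kind, token, index[kind][token]))
    # Domains: match the host itself or any subdomain of it, on a boundary.
    for dom, context in index["domain"].items():
        pattern = r"(^|[^a-z0-9.-])([a-z0-9-]+\.)*" + re.escape(dom) + r"(?![a-z0-9-])"
        if re.search(pattern, lower):
            hits.append(("domain", dom, context))
    # Telegram paths: exact path followed by a boundary (avoid prefix matches).
    for path, context in index["url_path"].items():
        if re.search(re.escape(path) + r"(?![a-z0-9_])", lower):
            hits.append(("url_path", path, context))
    return hits


def sweep(lines: list, index: dict = None) -> dict:
    """Map 0-based line number -> hits, for lines with at least one hit."""
    index = index or build_index()
    result = {}
    for i, line in enumerate(lines):
        hits = scan_line(line, index)
        if hits:
            result[i] = hits
    return result


# Constructed sample logs (hosts, IPs and timestamps are made up).
SAMPLE_LOGS = [
    "2024-10-03T11:02:14Z dns client=10.20.4.17 query=h315225216.nichost.ru type=A",
    "2024-10-03T11:02:20Z proxy client=10.20.4.17 url=https://civildefense.com.ua/download/CivilDefense.exe status=200",
    "2024-10-03T11:03:01Z edr host=WS-0417 file=C:\\Users\\u\\Downloads\\civildefensestarter.exe md5=d36d303d2954cb4309d34c613747ce58",
    "2024-10-03T11:03:05Z dns client=10.20.4.18 query=www.example.com type=A",
    "2024-10-03T11:04:40Z proxy client=10.20.4.19 url=https://t.me/UAcivildefenseUA status=302",
]

if __name__ == "__main__":
    for lineno, hits in sweep(SAMPLE_LOGS).items():
        for kind, indicator, context in hits:
            print(f"line {lineno}: {kind} {indicator} -> {context}")
```

Hash and IP matching is token-exact so a benign hash that merely contains a shorter string is not flagged; domain matching accepts subdomains because distribution sites commonly add them, and the Telegram paths require a trailing boundary so `t.me/UAcivildefenseUA2` would not be mistaken for the listed account.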
