September 25, 2023

Cyber security experts from Ukraine discovered a new attack campaign by suspected Russian threat actors who compromise victims’ VPN accounts to access and encrypt networked resources.

The Somnia ransomware was being used by the FRwL (aka Z-Team), also identified as UAC-0118.

Initial compromise is achieved by tricking victims into downloading a copy of the “Advanced IP Scanner” software that contains the Vidar malware. CERT-UA believes this stage was carried out by initial access brokers (IABs) working for the Russians.

Once inside, the attackers conducted reconnaissance using the Netscan tool and then launched Cobalt Strike Beacon, exfiltrating data with the Rclone program. There are also signs of the threat actors using AnyDesk and Ngrok at this stage.


It’s unclear how widespread the campaign was, although “several” Ukrainian organizations are thought to have been impacted since spring 2022.

CERT-UA confirmed that the end goal is not to generate profit from a ransom but to destroy victim environments. The Somnia malware has also undergone changes: the first version used the symmetric 3DES algorithm, while the second version implements AES.

At the same time, given how the key and initialization vector are generated dynamically, this version of Somnia does not allow for data decryption.

Indicators of Compromise

  • 100c5e4d5b7e468f1f16b22c05b2ff1cfaa02eafa07447c7d83e2983e42647f0
  • ac5e68c15f5094cc6efb8d25e1b2eb13d1b38b104f31e1c76ce472537d715e08
  • 99cf5c03dac82c1f4de25309a8a99dcabf964660301308a606cdb40c79d15317
  • 156965227cbeeb0e387cb83adb93ccb3225f598136a43f7f60974591c12fafcf
  • e449c28e658bafb7e32c89b07ddee36cadeddfc77f17dd1be801b134a6857aa9
  • fbed7e92caefbd74437d0970921bfd7cb724c98c90efd9b6d0c2ac377751c9e5
  • 06fe57cadb837a4e3b47589e95bb01aec1cfb7ce62fdba1f4323bb471591e1d2
  • 1e0facd62d1958ccf79e049270061a9fce3223f7986c526f6f3a93ef85180a72
  • 1f4c5ab072f384b9adfafd35903c5b54b8a3ad167250728d0d400454300a4367
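The hashes above are SHA-256 file hashes, so the practical way to use them is to hash files on a suspect host and compare against the list. The following is an added example, not code from CERT-UA or from the original article: a small Python scanner that walks a directory, hashes every regular file in chunks, and reports any file whose digest matches the published indicators. The sample files it writes are constructed, benign placeholders (their names only echo the tooling mentioned above); the hash added to the watch list in the demo is the hash of one of those constructed files, used solely to show what a hit looks like.

```python
import hashlib
import os
import tempfile

# SHA-256 indicators of compromise for the Somnia campaign, as listed on this page.
SOMNIA_IOCS = frozenset({
    "100c5e4d5b7e468f1f16b22c05b2ff1cfaa02eafa07447c7d83e2983e42647f0",
    "ac5e68c15f5094cc6efb8d25e1b2eb13d1b38b104f31e1c76ce472537d715e08",
    "99cf5c03dac82c1f4de25309a8a99dcabf964660301308a606cdb40c79d15317",
    "156965227cbeeb0e387cb83adb93ccb3225f598136a43f7f60974591c12fafcf",
    "e449c28e658bafb7e32c89b07ddee36cadeddfc77f17dd1be801b134a6857aa9",
    "fbed7e92caefbd74437d0970921bfd7cb724c98c90efd9b6d0c2ac377751c9e5",
    "06fe57cadb837a4e3b47589e95bb01aec1cfb7ce62fdba1f4323bb471591e1d2",
    "1e0facd62d1958ccf79e049270061a9fce3223f7986c526f6f3a93ef85180a72",
    "1f4c5ab072f384b9adfafd35903c5b54b8a3ad167250728d0d400454300a4367",
})


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in 1 MiB chunks so large binaries are never read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_directory(root, iocs=SOMNIA_IOCS):
    """Walk `root` and return [(path, sha256)] for each regular file whose hash is in `iocs`.

    Hashes are compared case-insensitively. Symlinks are skipped so a link pointing
    outside `root` cannot drag the scan elsewhere, and unreadable files are skipped
    instead of aborting the whole run.
    """
    wanted = {h.lower() for h in iocs}
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            try:
                digest = sha256_file(path)
            except OSError:
                continue
            if digest in wanted:
                hits.append((path, digest))
    return hits


def write_constructed_samples(root):
    """Write a few constructed, benign placeholder files (not real malware) to exercise the scanner."""
    samples = [
        ("Advanced_IP_Scanner.exe", b"constructed placeholder, not the trojanised installer"),
        ("notes.txt", b"constructed benign text file"),
        ("tools/rclone.conf", b"constructed configuration text"),
    ]
    paths = []
    for name, content in samples:
        path = os.path.join(root, name)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)
        paths.append(path)
    return paths


def run_demo():
    """Scan a temporary directory of constructed files twice: once against the published
    IoCs (no hits expected) and once with the hash of one constructed file added to the
    watch list, to show what a match looks like. Returns (baseline_hits, simulated_hits, path)."""
    with tempfile.TemporaryDirectory() as tmp:
        paths = write_constructed_samples(tmp)
        baseline = scan_directory(tmp)
        demo_iocs = SOMNIA_IOCS | {sha256_file(paths[0])}  # simulated hit, constructed file only
        simulated = scan_directory(tmp, demo_iocs)
        return baseline, simulated, paths[0]


if __name__ == "__main__":
    baseline, simulated, hit_path = run_demo()
    print("hits against published IoCs:", baseline)
    print("hits with one constructed hash added:", simulated)
```

Point `scan_directory` at a download folder, user profile or extracted disk image to check for the listed files; a hash match identifies a known sample, but an absence of matches says nothing about recompiled or repacked variants, so the network-level indicators (Cobalt Strike, Rclone and Ngrok traffic, unexpected AnyDesk sessions) remain the stronger signal for this campaign.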
