UNC5812: Russian Group "Civil Defense" Malware Campaign
Russian Hybrid Espionage and Influence Campaign Seeks to Deliver Anti-Mobilization Narratives and Compromise Ukrainian Military Recruits
In September 2024, the Google Threat Intelligence Group (GTIG), made up of Mandiant and Google's Threat Analysis Group (TAG), discovered UNC5812, a suspected Russian hybrid espionage and influence campaign that used the Telegram persona "Civil Defense" to distribute malware for Windows and Android. "Civil Defense" claims to offer free software applications that let prospective conscripts view and share crowdsourced locations of Ukrainian military recruiters.
If installed with Google Play Protect disabled, the apps deliver a decoy mapping application, which GTIG tracks as SUNSPINNER, alongside an operating-system-specific commodity malware variant. Beyond using its website and Telegram channel to distribute malware, UNC5812 is actively engaged in influence activity, disseminating narratives and soliciting content aimed at undermining support for Ukraine's mobilization efforts.
UNC5812 uses both the website civildefense[.]com[.]ua and the actor-controlled Telegram channel @civildefense_com_ua to distribute malware. The website was registered in April 2024, but the Telegram channel was not established until early September 2024, which GTIG believes marks the full operationalization of UNC5812's campaign. GTIG assesses that UNC5812 is probably buying promoted posts in reputable, well-established Ukrainian-language Telegram channels to direct potential victims to these actor-controlled resources.
On September 18, 2024, a reputable missile-alerts Telegram channel with over 80,000 subscribers was seen advertising the "Civil Defense" website and channel to its audience.
As recently as October 8, another Ukrainian-language news outlet promoted Civil Defense's posts, suggesting the campaign is still actively seeking new Ukrainian-language communities to target.
Channels that have shared "Civil Defense" posts advertise that their administrators can be contacted about sponsorship opportunities. GTIG believes UNC5812 is most likely approaching channel administrators through this route to expand the operation's reach.
The campaign's ultimate goal is to direct victims to the UNC5812-controlled "Civil Defense" website, which advertises several software applications for different operating systems. When installed, these apps deliver different commodity malware families.
Windows users are served Pronsis Loader, a publicly documented PHP downloader compiled into Java Virtual Machine (JVM) bytecode using the open-source JPHP project. When Pronsis Loader runs, it starts a multi-stage delivery chain that ultimately delivers SUNSPINNER and PURESTEALER, a commodity information stealer.
Android users are served a malicious APK that installs a variant of the commercially available Android backdoor CRAXSRAT. This payload was observed in several forms, including one that bundled SUNSPINNER alongside the CRAXSRAT payload.
Although the Civil Defense website also advertises support for macOS and iPhone, only Windows and Android payloads were available at the time of analysis.
Notably, the Civil Defense website also uses an unusual social-engineering approach to allay user concerns about APK delivery outside the official app store and to justify the elevated permissions CRAXSRAT requires.
Under the pretext of "protecting the anonymity and security" of its users, the website's FAQ offers a strained justification for hosting the Android application outside the app store and points users to an accompanying set of video instructions.
Once the malware is installed, the Ukrainian-language video instructions walk victims through manually granting all permissions and disabling Google Play Protect, the Android feature that scans apps for malicious functionality when they are installed.
Image credit to Google Cloud
Anti-Mobilization Influence Operation
In addition to distributing malware and gaining access to the devices of potential military recruits, UNC5812 conducts influence operations intended to undermine Ukraine's broader mobilization and military recruitment efforts. The group's Telegram channel actively solicits videos of "unfair actions from territorial recruitment centers" from users and subscribers, which GTIG believes are likely intended for follow-on exposure to reinforce UNC5812's anti-mobilization narratives and discredit the Ukrainian military. Clicking the "Send Material" button (Ukrainian: Надіслати матеріал) opens a chat thread with the attacker-controlled account https://t[.]me/UAcivildefenseUA.
The Civil Defense website also hosts anti-mobilization images and Ukrainian-language content, including a news section highlighting alleged instances of unfair mobilization practices.
The anti-mobilization propaganda cross-posted on the group's Telegram channel and website appears to originate from wider pro-Russian social media networks. In at least one case, a video shared by UNC5812 was posted a day later on the X account of the Russian Embassy in South Africa.
From the group's website, civildefense[.]com[.]ua, UNC5812 operates two distinct malware delivery chains, one for Android and one for Windows. Common to both chains is the parallel delivery of a decoy mapping application tracked as SUNSPINNER, which displays a map of the purported locations of Ukrainian military recruiters fetched from an actor-controlled command-and-control (C2) server.
SUNSPINNER (MD5: 4ca65a7efe2e4502e2031548ae588cb8) is a decoy graphical user interface (GUI) application built with the Flutter framework and compiled for both Windows and Android. On launch it requests http://h315225216.nichost[.]ru/itmo2020/Student/map_markers/mainurl.json, then requests the map markers from https://fu-laravel.onrender[.]com/api/markers and renders them in the app's GUI.
According to the feature list on the Civil Defense website, SUNSPINNER displays crowdsourced markers showing the locations of Ukrainian military recruiters and lets users add their own. Although the app has the minimal functionality needed for users to register and add markers, the displayed map does not appear to contain any genuine user contributions: every marker in the JSON file retrieved from SUNSPINNER's C2 infrastructure was added by the same user on the same day.
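The "same user, same day" observation above is a reusable analytic: a genuinely crowdsourced feed shows spread across authors and dates, a seeded decoy does not. The script below is an example added by the editor, not Google's or Mandiant's tooling; SUNSPINNER's real marker schema is not published on this page, so the `user` and `created_at` fields are an assumed schema, and both feeds are constructed sample data.

```python
"""Heuristics for judging whether a 'crowdsourced' marker feed was really
crowdsourced. Editor-added example, not Google/Mandiant tooling. The feed's
real field names are not published; 'user'/'created_at' are an assumed schema
and both feeds below are constructed sample data."""
import json
from collections import Counter
from datetime import date, datetime
from typing import Dict, List

# Constructed feed mimicking what the page describes: every marker from one account on one day.
SUSPECT_FEED = json.dumps([
    {"id": 1, "lat": 50.4501, "lon": 30.5234, "user": "op_1", "created_at": "2024-09-03T08:12:44Z"},
    {"id": 2, "lat": 49.8397, "lon": 24.0297, "user": "op_1", "created_at": "2024-09-03T08:13:10Z"},
    {"id": 3, "lat": 46.4825, "lon": 30.7233, "user": "op_1", "created_at": "2024-09-03T08:14:52Z"},
    {"id": 4, "lat": 48.4647, "lon": 35.0462, "user": "op_1", "created_at": "2024-09-03T08:15:30Z"},
])

# Constructed control feed with the author/date spread a real community would produce.
ORGANIC_FEED = json.dumps([
    {"id": 1, "lat": 50.4501, "lon": 30.5234, "user": "anna_k", "created_at": "2024-08-21T17:40:02Z"},
    {"id": 2, "lat": 49.8397, "lon": 24.0297, "user": "dmytro", "created_at": "2024-08-25T09:02:19Z"},
    {"id": 3, "lat": 46.4825, "lon": 30.7233, "user": "olena_m", "created_at": "2024-09-01T12:55:43Z"},
    {"id": 4, "lat": 48.4647, "lon": 35.0462, "user": "anna_k", "created_at": "2024-09-06T20:11:08Z"},
])


def _day(ts: str) -> date:
    # fromisoformat() accepts a trailing 'Z' only from Python 3.11; normalise for older versions.
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).date()


def crowdsourcing_signals(feed_json: str) -> Dict[str, object]:
    """Summarise author and date diversity of a marker feed.

    looks_fabricated is set when a single account posted every marker within a
    single day, the pattern reported for SUNSPINNER's C2 data."""
    markers: List[Dict] = json.loads(feed_json)
    if not markers:  # empty feed: nothing to judge, do not raise
        return {"markers": 0, "distinct_users": 0, "distinct_days": 0,
                "top_user_share": 0.0, "span_days": 0, "looks_fabricated": False}
    users = Counter(m["user"] for m in markers)
    days = sorted({_day(m["created_at"]) for m in markers})
    top_count = users.most_common(1)[0][1]
    return {
        "markers": len(markers),
        "distinct_users": len(users),
        "distinct_days": len(days),
        "top_user_share": top_count / len(markers),
        "span_days": (days[-1] - days[0]).days,
        "looks_fabricated": len(users) == 1 and len(days) == 1,
    }


if __name__ == "__main__":
    for name, feed in (("suspect", SUSPECT_FEED), ("organic", ORGANIC_FEED)):
        print(name, crowdsourcing_signals(feed))
```

Run it against a feed dumped from a suspect app's marker endpoint; a `top_user_share` near 1.0 or a `span_days` of 0 across dozens of markers is a strong hint that the "community" is one operator seeding a decoy.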
Pronsis Loader to PURESTEALER on Windows
The Windows payload obtained from the Civil Defense website, CivilDefense.exe (MD5: 7ef871a86d076dac67c2036d1bb24c39), is a customized version of Pronsis Loader, a recently identified commodity malware family largely used by financially motivated threat actors.
Pronsis Loader retrieves both the second-stage downloader "civildefensestarter.exe" (MD5: d36d303d2954cb4309d34c613747ce58) and the decoy SUNSPINNER binary. This starts a multi-stage delivery chain that uses a series of self-extracting archives and finally executes PURESTEALER on the victim's device. The second-stage downloader is written in PHP, compiled into JVM bytecode with the open-source JPHP project, and packaged as a Windows executable; the CivilDefense installer runs it automatically.
The final payload, PURESTEALER (MD5: b3cf993d918c2c61c7138b4b8a98b6bf), is a heavily obfuscated commodity infostealer written in .NET that is designed to steal browser data such as passwords and cookies, as well as data from cryptocurrency wallets, chat applications, and email clients. PURESTEALER is sold by "Pure Coder Team" for $150 per month or $699 for a lifetime license.
The Android Package (APK) file "CivilDefensse.apk" (MD5: 31cdae71f21e1fad7581b5f305a9d185), downloaded from the Civil Defense website, is a variant of the commercially available Android backdoor CRAXSRAT. CRAXSRAT offers the feature set typical of an Android backdoor: file management, SMS management, contact and credential harvesting, and a range of location, audio, and keystroke monitoring capabilities. Like PURESTEALER, it is sold on underground forums.
At the time of analysis, the Android sample in circulation merely displayed a splash screen with the "Civil Defense" logo. However, another identified sample (MD5: aab597cdc5bc02f6c9d0d36ddeb7e624) was found to contain the same SUNSPINNER decoy application used in the Windows delivery chain. This variant requests the Android REQUEST_INSTALL_PACKAGES permission and then downloads the CRAXSRAT payload from http://h315225216.nichost[.]ru/itmo2020/Student/map_markers/CivilDefense.apk.
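The domains, URLs, file hashes and Telegram handles quoted in the preceding sections are the indicators a defender would sweep for. The script below is an example added by the editor, not Google's or Mandiant's code: it refangs the indicators exactly as they appear on this page and runs them over a constructed DNS/proxy log and a constructed file-hash inventory (neither is real telemetry). The log line format is an assumption chosen for the example.

```python
"""Sweep log lines and a file-hash inventory for the UNC5812 indicators quoted on
this page. Editor-added example, not Google/Mandiant tooling. SAMPLE_LOG and
SAMPLE_INVENTORY are constructed sample data, not real telemetry."""
import re
from typing import Dict, List, Tuple

# Indicators as published on this page; kept defanged here, refanged when building the matcher.
DOMAINS = (
    "civildefense[.]com[.]ua",    # actor-controlled website
    "h315225216.nichost[.]ru",    # SUNSPINNER mainurl.json host and CRAXSRAT staging host
    "fu-laravel.onrender[.]com",  # SUNSPINNER marker API
)
MD5S = {
    "4ca65a7efe2e4502e2031548ae588cb8": "SUNSPINNER (Flutter decoy map)",
    "7ef871a86d076dac67c2036d1bb24c39": "CivilDefense.exe (Pronsis Loader)",
    "d36d303d2954cb4309d34c613747ce58": "civildefensestarter.exe (JPHP second stage)",
    "b3cf993d918c2c61c7138b4b8a98b6bf": "PURESTEALER",
    "31cdae71f21e1fad7581b5f305a9d185": "CivilDefensse.apk (CRAXSRAT)",
    "aab597cdc5bc02f6c9d0d36ddeb7e624": "CivilDefense APK with SUNSPINNER decoy",
}
TELEGRAM_HANDLES = {"civildefense_com_ua", "UAcivildefenseUA"}


def refang(indicator: str) -> str:
    """Reverse common defanging so an indicator can be matched against real logs."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


# Lookarounds stop 'notcivildefense.com.ua' from matching while still allowing
# the domain to appear after '=', '/' or whitespace.
_DOMAIN_RE = re.compile(
    r"(?<![A-Za-z0-9-])(?:" + "|".join(re.escape(refang(d)) for d in DOMAINS) + r")(?![A-Za-z0-9-])",
    re.IGNORECASE,
)
_MD5_RE = re.compile(r"(?<![0-9a-fA-F])[0-9a-fA-F]{32}(?![0-9a-fA-F])")
_TG_RE = re.compile(r"t\.me/([A-Za-z0-9_]+)|@([A-Za-z0-9_]{5,})")


def scan_line(line: str) -> List[Tuple[str, str]]:
    """Return (indicator_type, value) pairs found in one log line."""
    hits: List[Tuple[str, str]] = []
    for m in _DOMAIN_RE.finditer(line):
        hits.append(("domain", m.group(0).lower()))
    for m in _MD5_RE.finditer(line):
        digest = m.group(0).lower()
        if digest in MD5S:
            hits.append(("md5", digest))
    for m in _TG_RE.finditer(line):
        handle = m.group(1) or m.group(2)
        if handle in TELEGRAM_HANDLES:
            hits.append(("telegram", handle))
    return hits


def scan_log(text: str) -> List[Tuple[int, str, str]]:
    """Scan a multi-line log; returns (line_number, indicator_type, value) triples."""
    return [(n, kind, value)
            for n, line in enumerate(text.splitlines(), start=1)
            for kind, value in scan_line(line)]


def check_hashes(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map file path -> family label for every inventory MD5 on the indicator list."""
    return {path: MD5S[h.lower()] for path, h in inventory.items() if h.lower() in MD5S}


# Constructed sample telemetry (not real data). The line format is an assumption.
SAMPLE_LOG = """\
2024-09-18T10:02:11Z src=10.0.4.17 dns_query=civildefense.com.ua
2024-09-18T10:02:15Z src=10.0.4.17 url=http://h315225216.nichost.ru/itmo2020/Student/map_markers/mainurl.json
2024-09-18T10:03:40Z src=10.0.4.22 dns_query=updates.example.org
2024-09-18T10:05:02Z src=10.0.4.17 url=https://fu-laravel.onrender.com/api/markers
2024-09-18T10:07:19Z src=10.0.4.31 referer=https://t.me/UAcivildefenseUA
"""
SAMPLE_INVENTORY = {
    r"C:\Users\victim\Downloads\CivilDefense.exe": "7EF871A86D076DAC67C2036D1BB24C39",
    r"C:\Users\victim\Downloads\notes.txt": "d41d8cd98f00b204e9800998ecf8427e",
}

if __name__ == "__main__":
    for n, kind, value in scan_log(SAMPLE_LOG):
        print(f"line {n}: {kind} match {value}")
    for path, label in check_hashes(SAMPLE_INVENTORY).items():
        print(f"{path}: {label}")
```

Hash matching is case-insensitive because EDR and forensic tools disagree on MD5 casing; the domain matcher deliberately stays literal rather than matching arbitrary subdomains of `onrender.com` or `nichost.ru`, since both are shared hosting providers and a broader pattern would flood the sweep with benign traffic.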
Google also monitors for Android spyware, and Google Play Protect's protections apply both inside and outside Google Play, scanning devices for potentially harmful apps regardless of their source. Notably, UNC5812's Civil Defense website carried social-engineering content and detailed video instructions that directly told the intended victim to disable Google Play Protect and manually enable the Android permissions CRAXSRAT needs to operate. Safe Browsing also protects Chrome users on Android by warning them before they visit dangerous websites, and Google Play's app-scanning infrastructure additionally powers Verify Apps, which protects users who install apps from sources other than Google Play.
Ukraine's national authorities have also been informed of these findings and have taken steps to limit the campaign's reach by blocking resolution of the actor-controlled "Civil Defense" website nationwide.
UNC5812's hybrid espionage and information operation against prospective Ukrainian military recruits reflects increased operational involvement by Russian threat actors following changes to Ukraine's national mobilization laws in 2024. In particular, the introduction of Ukraine's national digital military ID, designed to manage the records of people eligible for military service and to boost recruitment, has been accompanied by increased targeting of prospective recruits. GTIG also continues to observe consistent efforts by pro-Russian influence actors to spread messaging that undermines Ukraine's mobilization drive and sows public distrust of the officials conducting it, consistent with reporting from EUvsDisinfo.
From a tradecraft standpoint, UNC5812's campaign exemplifies Russia's emphasis on using cyber capabilities to achieve cognitive effect, and it underscores the significant role messaging apps continue to play in malware distribution and other cyber dimensions of Russia's war in Ukraine. GTIG concludes that Telegram will almost certainly remain a major conduit for cyber-enabled activity by a range of Russian-affiliated espionage and influence operations as long as it remains a vital information source during the conflict.