Russian Hackers Leverage Weaponized Microsoft Key Management Service (KMS) Activators To Hack Windows Systems

In a troubling development, the Sandworm APT group, also tracked as APT44 or UAC-0145, has been using trojanized Microsoft Key Management Service (KMS) activators to compromise Windows systems in Ukraine. KMS itself is Microsoft's legitimate volume-activation mechanism; the "activators" that circulate on piracy sites are unofficial tools that emulate it to bypass licensing, and the attackers have repackaged them with malware. The campaign, active since late 2023, pairs these pirated activators with counterfeit Windows updates as lures, putting organizations that underpin Ukraine's critical infrastructure at further risk.

Attributed to Russia's military intelligence service, the Main Intelligence Directorate (GRU), Sandworm has a long history of targeting Ukrainian organizations, and its activity has intensified markedly since the start of the full-scale invasion. Its current focus remains state bodies and essential infrastructure, which is why this campaign is drawing attention from the security community.

Attack Chain

The attackers distribute trojanized KMS activators, such as an archive named "KMSAuto++x64_v1.8.4.zip," disguised as the genuine tool for users looking to bypass Windows licensing. The archives are seeded on torrent sites and forums popular with Ukrainian speakers, and running the activator starts the infection chain.

Execution first drops BACKORDER, a loader that disables Windows Defender and relies on Living Off the Land Binaries (LOLBINs), signed Windows utilities already present on the host, so that its actions blend in with ordinary administrative activity. BACKORDER then delivers the final payload, DarkCrystal RAT (DcRAT), which connects to a command-and-control (C2) server and exfiltrates sensitive data. The RAT persists by creating scheduled tasks and hides among legitimate system processes.

Researchers have also identified a new backdoor, Kalambur, delivered from a typosquatted domain posing as a Windows Update site. Kalambur downloads a repackaged Tor binary, which gives the operators an anonymized channel to the host, along with further attacker-controlled tooling.

To detect these threats, security teams can use Sigma rules: vendor-neutral detection rules that convert to the query language of most SIEM and security-analytics platforms. The rules published for this campaign are mapped to the MITRE ATT&CK framework and carry metadata for threat-intelligence enrichment and triage guidance.
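As an added illustration, and not code from the report or from any vendor named on this page, the following Python hunts over constructed Sysmon-style process-creation events for the behaviours described in the attack chain above: Defender tampering through PowerShell's built-in cmdlets (a LOLBIN pattern), scheduled-task persistence whose action lives in a user-writable directory, and any process descended from a KMS activator. The sample events, field names, and detection heuristics are assumptions made for the example, not indicators taken from the campaign.

```python
"""Added example: behaviour hunting over constructed Sysmon-style process events.

Not code from the report or from any vendor named on the page; the events,
field names and heuristics below are assumptions made for the illustration.
"""
import re
from typing import Dict, List, Optional

# Constructed sample telemetry (not real campaign data). Fields mirror the
# essentials of Sysmon Event ID 1: process id, parent id, image path, command line.
SAMPLE_EVENTS: List[Dict] = [
    {"pid": 4120, "ppid": 3980,
     "image": r"C:\Users\olena\Downloads\KMSAuto++x64_v1.8.4\KMSAuto++.exe",
     "cmdline": "KMSAuto++.exe"},
    {"pid": 4188, "ppid": 4120,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden Add-MpPreference -ExclusionPath C:\\Users\\olena\\AppData\\Roaming"},
    {"pid": 4190, "ppid": 4120,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"pid": 4210, "ppid": 4188,
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": 'schtasks /create /sc minute /mo 1 /tn "WindowsUpdateCheck" '
                '/tr "C:\\Users\\olena\\AppData\\Roaming\\svchost.exe" /f'},
    # Benign controls: an admin-created task under Program Files, and a read-only Defender query.
    {"pid": 5001, "ppid": 900,
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": 'schtasks /create /sc daily /tn "Backup" /tr "C:\\Program Files\\Backup\\backup.exe"'},
    {"pid": 5100, "ppid": 800,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe Get-MpPreference"},
]

# Defender tampering via the built-in PowerShell cmdlets: adding exclusions or
# flipping any -Disable* switch. Get-MpPreference is read-only and does not match.
DEFENDER_TAMPER = re.compile(r"(?i)\b(Add|Set)-MpPreference\b.*?-(Exclusion\w*|Disable\w+)")
# Directories a standard user can write to; a task action living here is suspicious.
USER_WRITABLE = re.compile(r"(?i)\\(AppData|ProgramData|Temp|Public|Downloads)\\")
# The /tr (task run) argument of schtasks, quoted or bare.
TASK_RUN_ARG = re.compile(r'(?i)/tr\s+(?:"([^"]+)"|(\S+))')


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def is_kms_activator(image: str) -> bool:
    # Heuristic (assumption): unofficial activators ship as KMS*.exe, whereas the
    # genuine KMS client is slmgr.vbs / sppsvc.exe, so this name pattern has few benign hits.
    return basename(image).lower().startswith("kms")


def ancestors(pid: int, by_pid: Dict[int, Dict]) -> List[Dict]:
    """Walk the parent chain as far as the telemetry allows, guarding against cycles."""
    chain, seen = [], {pid}
    cur = by_pid.get(pid)
    while cur is not None and cur["ppid"] in by_pid and cur["ppid"] not in seen:
        cur = by_pid[cur["ppid"]]
        seen.add(cur["pid"])
        chain.append(cur)
    return chain


def scheduled_task_target(event: Dict) -> Optional[str]:
    """Return the action path of a `schtasks /create` invocation, else None."""
    if not event["image"].lower().endswith("\\schtasks.exe"):
        return None
    if not re.search(r"(?i)/create\b", event["cmdline"]):
        return None
    m = TASK_RUN_ARG.search(event["cmdline"])
    return (m.group(1) or m.group(2)) if m else None


def hunt(events: List[Dict]) -> List[Dict]:
    """Return one finding per event that trips at least one rule, in event order."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        rules = []
        if is_kms_activator(e["image"]):
            rules.append("kms_activator_executed")
        if DEFENDER_TAMPER.search(e["cmdline"]):
            rules.append("defender_tamper_via_powershell")
        target = scheduled_task_target(e)
        if target and USER_WRITABLE.search(target):
            rules.append("schtasks_persistence_user_writable_path")
        if any(is_kms_activator(a["image"]) for a in ancestors(e["pid"], by_pid)):
            rules.append("descendant_of_kms_activator")
        if rules:
            findings.append({"pid": e["pid"], "image": basename(e["image"]), "rules": rules})
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"pid {f['pid']:<5} {f['image']:<18} {', '.join(f['rules'])}")
```

In production the same three checks are what a Sigma rule would express against Sysmon Event ID 1 or Security Event ID 4688 (process creation) and 4698 (scheduled task created). Command-line matching alone is evadable by obfuscation, so pair the PowerShell check with the Microsoft-Windows-Windows Defender/Operational log, where Event ID 5007 records configuration changes regardless of how they were issued, and treat the process lineage back to a KMS activator as the strongest single signal.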

As the group's tooling and delivery tactics continue to evolve, organizations should stay vigilant and rely on behaviour-based detection rather than file hashes alone to catch such intrusions early.
