Russian military hackers have ramped up their attacks on Ukrainian systems with a sophisticated malware campaign that exploits pirated software. Researchers from EclecticIQ have linked the new wave of attacks to the Sandworm threat actor, which has targeted Windows users in Ukraine with trojanized Microsoft Key Management Service (KMS) activators and fake Windows updates.
The attacks, which likely began in late 2023, have been tied to Sandworm hackers due to overlapping infrastructure, consistent Tactics, Techniques, and Procedures (TTPs), and the use of ProtonMail accounts to register malicious domains.
Sandworm, also tracked as UAC-0113, APT44, and Seashell Blizzard, has been active since at least 2009. The group is part of the Russian military’s Main Intelligence Directorate (GRU), specifically Military Unit 74455.
The main objective of the attacks appears to be large-scale espionage, data theft, and network compromise.
EclecticIQ’s investigation revealed that the attackers used a BACKORDER loader to deploy DarkCrystal RAT (DcRAT), a remote access Trojan (RAT) seen in Sandworm’s earlier operations. The malware is delivered through seemingly harmless tools such as fake KMS activators, which lead users to believe they are activating their Windows software. Once executed, the tools disable Windows Defender and install the malicious loader in the background.
The final payload is the DcRAT malware, which steals sensitive data from the infected system: it logs keystrokes, captures browser cookies and history, exfiltrates saved credentials and FTP credentials, and takes screenshots. The stolen data is then sent to attacker-controlled servers, allowing the operators to harvest valuable information.
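The infection chain described above has two observable steps that endpoint telemetry can catch before the RAT stage: an unsigned "activator" process turns off Windows Defender, and it then starts another unsigned binary (the loader). The following detector is an added example written for this page, not code from EclecticIQ or from the report; the telemetry records, host names, file paths and PIDs are constructed here, while the Defender indicators it keys on (the `Set-MpPreference -DisableRealtimeMonitoring` cmdlet, the `DisableAntiSpyware` policy value under the Windows Defender policy key, and Defender event ID 5001 for real-time protection being disabled) are real Windows artifacts.

```python
"""Correlate Defender tampering with an unsigned parent process and its child.

Added example for the article above (not the report's code). The SAMPLE_EVENTS
below are constructed; the Defender cmdlet, policy value and event ID are real.
"""
import re
from datetime import datetime, timedelta

# Constructed telemetry: (timestamp, host, event kind, details)
SAMPLE_EVENTS = [
    ("2024-01-10T09:00:01", "ws-17", "process_start",
     {"pid": 4120, "ppid": 3001, "image": r"C:\Users\u\Downloads\KMS_Activator.exe", "signed": False}),
    ("2024-01-10T09:00:03", "ws-17", "powershell",
     {"pid": 4125, "ppid": 4120, "command": "Set-MpPreference -DisableRealtimeMonitoring $true"}),
    ("2024-01-10T09:00:04", "ws-17", "registry_set",
     {"pid": 4120, "key": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender",
      "value": "DisableAntiSpyware", "data": 1}),
    ("2024-01-10T09:00:05", "ws-17", "defender_event", {"event_id": 5001}),
    ("2024-01-10T09:00:09", "ws-17", "process_start",
     {"pid": 4130, "ppid": 4120, "image": r"C:\Users\u\AppData\Local\Temp\svc_update.exe", "signed": False}),
    # Benign host: a signed installer with no tampering, should not alert.
    ("2024-01-10T10:00:00", "ws-22", "process_start",
     {"pid": 800, "ppid": 700, "image": r"C:\Program Files\Vendor\setup.exe", "signed": True}),
]

# Real indicators of Defender being switched off.
POWERSHELL_TAMPER = re.compile(r"Set-MpPreference\s+-Disable\w+", re.IGNORECASE)
DEFENDER_POLICY_KEY = r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender"
DEFENDER_DISABLED_EVENT_IDS = {5001}  # 5001: real-time protection disabled
WINDOW = timedelta(minutes=5)         # correlation window, chosen for this example


def _ts(value):
    return datetime.fromisoformat(value)


def is_tamper(kind, details, root_pid):
    """True if this event disables Defender and is attributable to root_pid."""
    if kind == "powershell" and details.get("ppid") == root_pid:
        return bool(POWERSHELL_TAMPER.search(details["command"]))
    if kind == "registry_set" and details.get("pid") == root_pid:
        return (details["key"] == DEFENDER_POLICY_KEY
                and details["value"] == "DisableAntiSpyware"
                and details["data"] == 1)
    return False


def detect(events):
    """Return one alert per unsigned process that disables Defender and then
    launches another unsigned binary within WINDOW on the same host."""
    alerts = []
    events = sorted(events, key=lambda e: _ts(e[0]))
    for i, (ts, host, kind, d) in enumerate(events):
        if kind != "process_start" or d["signed"]:
            continue
        root_pid, start = d["pid"], _ts(ts)
        tampers, children, defender_off = [], [], False
        for ts2, host2, kind2, d2 in events[i + 1:]:
            if _ts(ts2) - start > WINDOW:
                break                     # events are time-sorted; nothing later qualifies
            if host2 != host:
                continue
            if is_tamper(kind2, d2, root_pid):
                tampers.append((kind2, d2))
            elif kind2 == "defender_event" and d2["event_id"] in DEFENDER_DISABLED_EVENT_IDS:
                defender_off = True
            elif kind2 == "process_start" and d2["ppid"] == root_pid and not d2["signed"]:
                children.append(d2["image"])
        if tampers and children:
            alerts.append({
                "host": host,
                "root_pid": root_pid,
                "root_image": d["image"],
                "tampers": tampers,
                "defender_disabled_event": defender_off,
                "children": children,
            })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"[{alert['host']}] {alert['root_image']} (pid {alert['root_pid']}) "
              f"disabled Defender via {len(alert['tampers'])} action(s) and spawned {alert['children']}")
```

Requiring both the tamper action and the follow-on unsigned child keeps a lone `Set-MpPreference` from an administrator's script from firing on its own; the Defender 5001 event is recorded as corroboration rather than as a trigger, because it carries no process attribution.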
“Many users, including businesses and critical entities, have turned to pirated software from untrusted sources, giving adversaries like Sandworm a prime opportunity to embed malware in widely used programs,” noted EclecticIQ in the report.