Sandworm targets Microsoft KMS Activation Tools

By Samarth Desai, 2/12/2025
#Sandworm
#KMSAttack
#CyberSecurity

The Sandworm campaign, conducted by a Russian state-sponsored threat group, has been actively using trojanized Microsoft Key Management Service (KMS) activation tools to target Ukrainian Windows users since late 2023. These malicious tools deliver a loader named BACKORDER, whose activity on the host is noisy enough to be picked up by security tooling.

To avoid detection and gather information, BACKORDER abuses several built-in system tools. It uses wmic to add Microsoft Defender exclusion paths and to collect network adapter configuration details. It uses reg to read the state of the Microsoft Defender AntiSpyware feature. It also uses sc query to collect details about Microsoft Defender-related services.

A notable tactic in this campaign is the use of the Dark Crystal RAT (DcRAT), a remote access tool used for data exfiltration, disguised as a KMS activation tool. The malicious executable is dropped at C:\Users\User\AppData\Roaming\kms2023\kms2023.exe, mimicking the naming and behavior of legitimate KMS tools.

An additional copy of the malware is found at C:\Users\User\AppData\Local\staticfile.exe. This location and file name are unusual and serve as a red flag when hunting for the malware. Furthermore, the malware establishes persistence through a scheduled task, ensuring it continues to run after system reboots.

In summary, the Sandworm campaign leverages trojanized KMS tools to deploy the BACKORDER loader, which then installs the Dark Crystal RAT. The malware uses various system tools to evade detection and gather information, while also employing persistence mechanisms to maintain its presence on infected systems.
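As an added example (not code from the original post), the following Python rule set matches the behaviours described above against a few constructed process-creation events: the wmic, reg and sc activity, the two file paths, and scheduled-task persistence. The file paths come from the post; the WMI class, registry value and service names used in the patterns, and the use of schtasks to create the task, are my assumptions about how that activity would look on a command line.

```python
import re
from dataclasses import dataclass

@dataclass
class Event:
    image: str    # full path of the process image
    cmdline: str  # its command line

# (rule name, field to inspect, pattern). File paths are from the post; the WMI class,
# registry value and service names are my assumptions of how the described activity looks.
RULES = [
    ("wmic_defender_exclusion", "cmdline",
     re.compile(r"\bwmic\b.*MSFT_MpPreference.*\bAdd\b.*ExclusionPath", re.I)),
    ("wmic_nic_config", "cmdline", re.compile(r"\bwmic\b.*\bnicconfig\b", re.I)),
    ("reg_defender_antispyware", "cmdline",
     re.compile(r"\breg\b.*\bquery\b.*DisableAntiSpyware", re.I)),
    ("sc_defender_service", "cmdline",
     re.compile(r"\bsc\b.*\bquery\b.*\b(WinDefend|WdNisSvc|WdFilter)\b", re.I)),
    ("kms2023_image", "image", re.compile(r"\\AppData\\Roaming\\kms2023\\kms2023\.exe$", re.I)),
    ("staticfile_image", "image", re.compile(r"\\AppData\\Local\\staticfile\.exe$", re.I)),
    ("schtasks_to_malware_path", "cmdline",
     re.compile(r"\bschtasks\b.*/create\b.*\\AppData\\.*\\(kms2023|staticfile)\.exe", re.I)),
]

# Constructed process-creation events for one host (not real telemetry).
SAMPLE_EVENTS = [
    Event(r"C:\Users\User\AppData\Roaming\kms2023\kms2023.exe", "kms2023.exe"),
    Event(r"C:\Windows\System32\wbem\WMIC.exe", r"wmic /Namespace:\\root\Microsoft\Windows"
          r"\Defender class MSFT_MpPreference call Add ExclusionPath=C:\Users\User\AppData\Local"),
    Event(r"C:\Windows\System32\wbem\WMIC.exe", "wmic nicconfig get IPAddress,MACAddress"),
    Event(r"C:\Windows\System32\reg.exe", r'reg query "HKLM\SOFTWARE\Policies\Microsoft'
          r'\Windows Defender" /v DisableAntiSpyware'),
    Event(r"C:\Windows\System32\sc.exe", "sc query WinDefend"),
    Event(r"C:\Windows\System32\schtasks.exe", r'schtasks /create /tn Update /sc onlogon'
          r' /tr "C:\Users\User\AppData\Local\staticfile.exe"'),
    Event(r"C:\Users\User\AppData\Local\staticfile.exe", "staticfile.exe"),
    Event(r"C:\Windows\System32\notepad.exe", r"notepad.exe C:\Users\User\notes.txt"),  # benign
]

def match_event(ev: Event) -> list[str]:
    """Names of every rule the event triggers (empty list for benign events)."""
    return [name for name, field, rx in RULES if rx.search(getattr(ev, field))]

def hunt(events: list[Event], threshold: int = 3) -> dict:
    """Per-event hits plus a host verdict: suspicious when distinct rules hit >= threshold."""
    hits = {i: match_event(ev) for i, ev in enumerate(events)}
    distinct = sorted({r for names in hits.values() for r in names})
    return {"hits": {i: n for i, n in hits.items() if n},
            "distinct_rules": distinct, "suspicious": len(distinct) >= threshold}
```

Any single rule can fire on legitimate administration, which is why the verdict counts distinct behaviours per host rather than alerting on one match.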

  • IOCs: Files

  • IPs: 5.255.122.118
