Operation Oxidový: Czech Military Targeted by NATO-Themed Malware Campaign
Introduction
On August 28, 2024, Seqrite Labs' APT team uncovered a sophisticated malware campaign targeting the Czech Republic's government and military officials. Known as "Operation Oxidový," the campaign leverages NATO-themed decoys to infiltrate and compromise sensitive systems. The attack employs a combination of malicious LNK files, batch scripts, and advanced post-exploitation frameworks, highlighting the increasing threat of state-sponsored cyber operations in Eastern Europe.
Report Overview
Operation Oxidový was first identified when a malicious ZIP file surfaced on platforms like VirusTotal. This ZIP file contained NATO-themed decoys, likely designed to exploit the Czech Republic's political and military ties with NATO. The campaign is a well-coordinated effort to penetrate key government sectors. It begins with distributing a ZIP file that includes a deceptive LNK file titled "The importance of and outlook for the Czech Republic in NATO.pdf.lnk." This file serves as the entry point for the malware, executing a batch script that triggers a series of malicious activities.
The initial infection vector involves the execution of the LNK file, which runs a batch script named "AdobeAcrobatReader.bat." This script is responsible for deploying a decoy PDF document titled "Postup_zmeny_hesla_z_IMO.pdf," which misleadingly instructs the user on changing passwords within a military network. Additionally, the script renames a hidden executable file, disguising it as "AdobeReader.exe," and places it in the startup folder to ensure persistence. To further conceal the malicious activity, the script modifies file attributes, making the LNK file and associated payloads less detectable to the user.
The second stage of the attack introduces a Rust-based loader known as Freeze, which the threat actors have repurposed for this campaign. Originally developed for red-team exercises, Freeze disables Event Tracing for Windows (ETW) to evade detection by security tools. It then decrypts its shellcode payload and injects it into a suspended notepad.exe process, deploying a malicious DLL identified as part of the Havoc framework. This payload is critical in establishing a foothold within the targeted system.
In the final stage, the operation deploys the Havoc Demon. This post-exploitation payload connects to a Command-and-Control (C2) server. The Demon executes command dispatching, system information gathering, and sophisticated obfuscation techniques to evade detection. This stage demonstrates the campaign's advanced capabilities and the potential for significant damage to targeted systems.
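The chain above maps directly onto endpoint telemetry. The following Python is an added illustration and not code from Seqrite Labs: it runs four simple rules over constructed Sysmon-style events (process creation, event ID 1, and file creation, event ID 11) that mirror the described stages. The rule names, the field subset, the user name and the sample paths are my own assumptions.

```python
import re

# Constructed Sysmon-style events (not real telemetry) mirroring the chain above:
# .lnk -> cmd.exe runs the .bat -> .exe dropped in Startup -> attrib hides the lure -> loader starts notepad.exe
STARTUP = r"\Microsoft\Windows\Start Menu\Programs\Startup"
ROAMING = r"C:\Users\jn\AppData\Roaming"
SAMPLE_EVENTS = [
    {"id": 1, "Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'cmd.exe /c "C:\Users\jn\Downloads\CZ_army_NATO_cooperation\AdobeAcrobatReader.bat"'},
    {"id": 11, "Image": r"C:\Windows\System32\cmd.exe",
     "TargetFilename": ROAMING + STARTUP + r"\AdobeReader.exe"},
    {"id": 1, "Image": r"C:\Windows\System32\attrib.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": 'attrib +h +s "The importance of and outlook for the Czech Republic in NATO.pdf.lnk"'},
    {"id": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": ROAMING + STARTUP + r"\AdobeReader.exe", "CommandLine": "notepad.exe"},
    {"id": 1, "Image": r"C:\Windows\System32\notepad.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "notepad.exe notes.txt"},  # benign control event, must not alert
]

USER_WRITABLE = re.compile(r"\\(Downloads|Temp|AppData)\\", re.I)
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def check_event(ev):
    """Return the names of the rules that fire for one event (empty if none)."""
    img, parent = basename(ev.get("Image", "")), basename(ev.get("ParentImage", ""))
    cmd, target = ev.get("CommandLine", ""), ev.get("TargetFilename", "")
    hits = []
    # Stage 1: a batch script in a user-writable folder launched through the shell (the .lnk)
    if ev["id"] == 1 and img == "cmd.exe" and parent == "explorer.exe" \
            and ".bat" in cmd.lower() and USER_WRITABLE.search(cmd):
        hits.append("batch_from_user_dir_via_shortcut")
    # Persistence: a script host writes an .exe into the Startup folder
    if ev["id"] == 11 and img in SCRIPT_HOSTS and STARTUP.lower() in target.lower() \
            and target.lower().endswith(".exe"):
        hits.append("exe_dropped_in_startup_by_script")
    # Concealment: attrib sets hidden/system attributes on a shortcut
    if ev["id"] == 1 and img == "attrib.exe" and re.search(r"\+[hs]", cmd) and ".lnk" in cmd.lower():
        hits.append("attrib_hides_lnk")
    # Stage 2: notepad.exe started by a binary living in the Startup folder (injection host)
    if ev["id"] == 1 and img == "notepad.exe" and STARTUP.lower() in ev.get("ParentImage", "").lower():
        hits.append("notepad_spawned_from_startup_binary")
    return hits

def detect(events):
    """Run every rule over a list of events; returns (event index, rule name) pairs."""
    return [(i, hit) for i, ev in enumerate(events) for hit in check_event(ev)]
```

Each rule alone is noisy in a real fleet; the value is in correlating several of them on one host within a short window.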
Operation Oxidový poses significant risks to the Czech Republic's national security. By targeting government and military officials, the attackers aim to gain unauthorized access to sensitive information and disrupt the country's strategic operations. Advanced tools like Freeze and Havoc suggest a high level of sophistication, indicative of a state-sponsored actor. Given the geopolitical tensions in the region, this attack is likely part of a broader effort to destabilize NATO's influence in Eastern Europe.
Insights and Analysis
Security researchers at Seqrite Labs have linked Operation Oxidový to a potential Russian threat actor, citing the use of advanced offensive tooling and the geopolitical context of the attack. While the evidence points towards a state-sponsored operation, the attribution is made with only medium confidence because of the limited direct evidence available. This campaign aligns with known Russian cyber tactics, particularly in targeting Eastern European countries with politically sensitive operations.
Organizations should implement robust security measures to mitigate the threat posed by Operation Oxidový. Enhanced email filtering mechanisms can help detect and block malicious attachments before they reach end-users. Regular security audits are essential to identify and remediate vulnerabilities in critical systems that similar campaigns could exploit. Additionally, educating employees on the risks of phishing and spear-phishing attacks, with emphasis on verifying the authenticity of email attachments, is crucial in reducing the likelihood of successful attacks.
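One concrete form of the attachment filtering mentioned above, as an added example rather than anything from the report: a Python check that opens a ZIP attachment in memory and flags shortcut members with a document double extension, script or executable members, and members whose FAT hidden bit is set. The sample archive layout is constructed for illustration (the member names are taken from the report's indicators, but the report does not state that they all sit in one archive), and the function names are my own.

```python
import io
import os
import zipfile

DOC_EXTS = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt")
RISKY_EXTS = {".lnk", ".bat", ".cmd", ".exe", ".dll", ".vbs", ".js", ".hta", ".scr", ".ps1"}
FAT_HIDDEN = 0x02  # MS-DOS "hidden" bit, kept in the low byte of ZipInfo.external_attr

def inspect_zip(data: bytes):
    """Return (member name, reason) findings for a ZIP attachment held in memory."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            stem, ext = os.path.splitext(info.filename.lower())
            if ext == ".lnk" and stem.endswith(DOC_EXTS):
                # "document.pdf.lnk": Explorer hides the .lnk part, so the user sees a PDF
                findings.append((info.filename, "shortcut with a document double extension"))
            elif ext in RISKY_EXTS:
                findings.append((info.filename, f"script or executable member ({ext})"))
            if info.external_attr & FAT_HIDDEN:
                findings.append((info.filename, "hidden attribute set"))
    return findings

def build_sample_zip() -> bytes:
    """Constructed archive for the demo; the layout is assumed, not copied from the real sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("The importance of and outlook for the Czech Republic in NATO.pdf.lnk", b"lnk placeholder")
        zf.writestr("AdobeAcrobatReader.bat", b"rem placeholder")
        hidden = zipfile.ZipInfo("vihu.exe")   # hidden executable, as the report describes
        hidden.external_attr = FAT_HIDDEN
        zf.writestr(hidden, b"MZ placeholder")
        zf.writestr("NatoDoc.pdf", b"%PDF-1.4 placeholder")  # decoy document, produces no finding
    return buf.getvalue()

if __name__ == "__main__":
    for name, reason in inspect_zip(build_sample_zip()):
        print(f"{reason}: {name}")
```

A gateway rule would quarantine the message on the first finding; the full list is kept here so an analyst can see every reason at once.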
Operation Oxidový underscores the persistent and evolving nature of cyber threats facing government and military entities. The attackers' use of NATO-themed lures and sophisticated malware highlights their capability to execute targeted and highly effective campaigns. As cyber threats continue to grow in complexity, organizations must remain vigilant and proactive in their defence strategies.
Indicators of Compromise (IOCs)
Indicator | Type | Description |
---|---|---|
9549d3d2b8e8b4e8f163a8b9fa3b02b8a28d78e4b583baccb6210ef267559c6e | SHA-256 Hash | Associated with the malicious ZIP file “CZ_army_NATO_cooperation.zip” |
436994d4a5c8d54acb2b521d0847d77e6af6c2c0e40468248b1dd019c6dafa84 | SHA-256 Hash | Linked to the LNK file “The importance of and outlook for the Czech Republic in NATO.pdf.lnk” |
ace33243994a9da0797601bdd4191e25967a1da2644f0d0b530e26c71854d5d9 | SHA-256 Hash | Related to the batch script “AdobeAcrobatReader.bat” |
a05d053174b52a9b158a5ec841c1a7633b9368c4ac2da371a11a9364f8a8dc60 | SHA-256 Hash | Connected to the masqueraded PDF file “NatoDoc.pdf” |
1dbcade04333b9dc81ba0746bc604d12489da49b9b65fcb5b1f61d139dc5949c | SHA-256 Hash | Linked to the executable “vihu.exe” |
38da8d1576bdd0a03e649e8e6543594b35a423aa5b0a0c4081fc477c8e487e09 | SHA-256 Hash | Linked to the executable “gnobya.exe” |
b29ed89e0428ba476459adabb5630c8d29f7fee5905c5de10d792fe3a02e52a6 | SHA-256 Hash | Associated with the malicious DLL file “x64.demon.dll” |
6e0d12cd0252599fd1dec7aa460cae7a12a1b2e322b6664e64c773c23627d1b4 | SHA-256 Hash | Another hash related to “x64.demon.dll” |
ed6775184051ef36c3049e24167471ab42bd4301e99631c8423d4d753cdad455 | SHA-256 Hash | Related to the file “Inter-Regular.woff” |
C:\TOOL\Freeze.rs-main\target\release\vihu\target\release\deps\vihu.pdb | PDB Path | PDB path linked to the Freeze loader variant “vihu.exe” |
C:\TOOL\Freeze.rs-main\target\release\gnobya\target\release\deps\gnobya.pdb | PDB Path | PDB path linked to the Freeze loader variant “gnobya.exe” |
C:\TOOL\Freeze.rs-main\target\release\AdobeReader\target\release\deps\AdobeReader.pdb | PDB Path | PDB path linked to the Freeze loader variant “AdobeReader.exe” |
hxxps://206.188.197.113/ | IP Address | Command-and-Control server IP address |
hxxps://195.123.225.88/ | IP Address | Command-and-Control server IP address |
fda71a7de6d473826465bb83210107501e66a5d96e533772444b3b24806286fd | SHA-256 Hash | Linked to the lure document “The importance of and outlook for the Czech Republic in NATO.pdf” |
8820e0c249305ffa3d38e72a7f27c0e2195bc739d08f5d270884be6237eea500 | SHA-256 Hash | Related to the lure document “Postup_zmeny_hesla_z_IMO.pdf” |
MITRE ATT&CK Techniques
Tactic | Technique | ID | Description |
---|---|---|---|
Initial Access | Phishing: Spear Phishing Attachment | T1566.001 | Involves the use of a malicious attachment to gain initial access |
Execution | User Execution: Malicious File | T1204.002 | The malware relies on the user executing a malicious file, such as a LNK or batch script |
Execution | Command and Scripting Interpreter: Visual Basic | T1059.005 | The use of scripting languages to execute commands in the environment |
Persistence | Registry Run Keys / Startup Folder | T1547.001 | The attack persists by placing files in the startup folder |
Defense Evasion | Impair Defenses: Disable or Modify Tools | T1562.001 | The malware disables or modifies security tools to evade detection |
Defense Evasion | Indicator Blocking | T1562.006 | Techniques that prevent indicators of compromise from being observed or detected |
Defense Evasion | Process Injection | T1055 | The malware injects code into legitimate processes to evade detection |
Defense Evasion | Process Injection: Portable Executable Injection | T1055.002 | Injecting code into the address space of another process |
Defense Evasion | De-obfuscate/Decode Files or Information | T1140 | The malware decodes or de-obfuscates files or information to reveal its payload |
Defense Evasion | Obfuscated Files or Information: Dynamic API Resolution | T1027.007 | The malware obfuscates its code by resolving APIs dynamically at runtime |
Discovery | System Owner/User Discovery | T1033 | The malware gathers information about the user and system to further its operation |