ESET researchers have discovered malware that has eluded the attention of anti-malware researchers since at least 2008. Detected by ESET as Win32/Prikormka, the malware is being used to carry out cyber-espionage activities in Ukraine, primarily targeting anti-government separatists in the self-declared Donetsk and Luhansk People’s Republics.
“Along with the armed conflict in the East of Ukraine, the country has been encountering numerous targeted cyberattacks, or so-called advanced persistent threats. For example, we discovered several campaigns using the now infamous BlackEnergy malware family, one of which resulted in a massive power outage. But in Operation Groundbait, previously unknown malware is used,” notes Robert Lipovský, ESET Senior Malware Researcher.
The malware in Operation Groundbait was spread mostly via spear-phishing emails. “During our research, we have observed a large number of samples, each with its designated campaign ID and an appealing file name to spark the target’s interest,” explains Anton Cherepanov, Malware Researcher at ESET.
ESET researchers named the whole operation Groundbait after one particular campaign within it. While the majority of campaigns used themes related to the current Ukrainian geopolitical situation and the war in Donbass to lure victims into opening the malicious attachment, the campaign in question instead displayed a price list of fishing groundbait.
“It’s the choice of this decoy document that we have so far been unable to explain,” says Lipovský.
As is usual with targeted attacks, attributing the source is tricky as conclusive evidence is difficult to find. Our research into the attacks has shown that the attackers most likely operate from within Ukraine. Whoever they are, it is probably fair to assume that this cyber-surveillance operation is politically motivated. “Any further attempt at attribution would at this point be speculative. In addition to separatists, the targets of this campaign include Ukrainian government officials, politicians and journalists. The possibility of false flags must be considered too,” concludes Robert Lipovský.