Threat Actor of In-Tur-Est - Unveiling Balkan Targeting, Jack Simpson, Louise Taggart PDF
in-Tur-est:
Unveiling Balkan targeting
January 2022
Introduction
• Been in the team for 4 years focusing on the EURO region (technical) - @linkcabin
• Been in the team for 6.5 years focusing on the EURO region (strategic) - @loutagtech
hxxps[:]//vladars[.]co/download.php?act=dl&id=5611
• The malicious HTA file hosted on vladars[.]co attempts to download code from dropbox-online[.]pro
• The HTA window background colour is set to #3961a2, which was used to pivot to additional samples
• The two domains vladars[.]co and dropbox-online[.]pro are linked via IP resolutions to 94.156.189[.]122
Stage 1 PowerShell
• JScript (Not JavaScript!) is one of the interpreted languages used in Windows Script Host (wscript.exe)
• XSL scripts are White Tur's most popular choice for executing the JScript payload from a weaponised document
Initial check in
Example command:
C:\Windows\System32\cmd.exe /C whoami > C:\Users\<user>\AppData\Local\Temp\{6279BFE5-918F-4821-9CA8-3DAD11ADCF5B}
Command results call back
PwC - Threat actor of in-Tur-est : Unveiling Balkan targeting TLP: WHITE
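A defender-side check for the check-in pattern above, as an added example that is not part of the original deck: it scans constructed process-creation records for whoami output redirected into a GUID-named file under the user's Temp directory, and for cmd.exe launched by a Windows Script Host process such as wscript.exe or mshta.exe. The record format, the field names and the sample events are assumptions.

```python
import re

# Constructed sample process-creation events (not taken from the deck):
# one event per line, in the assumed format "parent_image|image|command_line".
SAMPLE_EVENTS = [
    r"C:\Windows\System32\wscript.exe|C:\Windows\System32\cmd.exe|C:\Windows\System32\cmd.exe /C whoami > C:\Users\alice\AppData\Local\Temp\{6279BFE5-918F-4821-9CA8-3DAD11ADCF5B}",
    r"C:\Windows\explorer.exe|C:\Windows\System32\cmd.exe|cmd.exe /C whoami",
    r"C:\Windows\explorer.exe|C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|WINWORD.EXE /n report.docx",
    r"C:\Windows\System32\mshta.exe|C:\Windows\System32\cmd.exe|cmd.exe /C whoami /all > C:\Users\bob\AppData\Local\Temp\{1B2C3D4E-0000-4AAA-8BBB-CCCCDDDDEEEE}",
]

# A GUID-named file directly under %LOCALAPPDATA%\Temp, as in the observed check-in command.
GUID_TEMP_FILE = re.compile(
    r"\\AppData\\Local\\Temp\\\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}",
    re.IGNORECASE,
)
# Script hosts that should rarely be the parent of a cmd.exe running recon commands.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}


def parse_event(line):
    parent, image, cmdline = line.split("|", 2)
    return {"parent": parent, "image": image, "cmdline": cmdline}


def detect_check_in(event):
    """Return the reasons this event matches the check-in pattern, or [] if none."""
    reasons = []
    cmd = event["cmdline"]
    if re.search(r"\bwhoami\b", cmd, re.IGNORECASE) and ">" in cmd and GUID_TEMP_FILE.search(cmd):
        reasons.append("whoami output redirected to GUID-named Temp file")
    parent_name = event["parent"].rsplit("\\", 1)[-1].lower()
    if parent_name in SCRIPT_HOSTS and event["image"].lower().endswith("cmd.exe"):
        reasons.append(f"cmd.exe spawned by script host {parent_name}")
    return reasons


def scan(lines):
    """Return (command_line, reasons) for every event that triggers at least one rule."""
    hits = []
    for line in lines:
        event = parse_event(line)
        reasons = detect_check_in(event)
        if reasons:
            hits.append((event["cmdline"], reasons))
    return hits


if __name__ == "__main__":
    for cmdline, reasons in scan(SAMPLE_EVENTS):
        print(cmdline, "->", "; ".join(reasons))
```

A plain `whoami` without the redirect to a GUID-named Temp file (the second sample event) is deliberately not flagged, which keeps the rule tied to the observed check-in rather than to any use of whoami.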
OpenHardware Monitor backdoor
• Threat actor used pre-build events in Visual Studio to execute a backdoor.
• The technique was previously used by ZINC/Lazarus (which we track as Black Artemis), an unrelated threat actor, as reported by Microsoft at the start of 2021.
Submission country of origin   Number of files
RS                             1
US, JP                         4
Serbia:
• Serbia is the largest regional military spender
• Serbian defence industry is dominated by state-owned enterprises
• Member of NATO’s Partnership for Peace programme
• EU is key trading partner for Serbia
Republika Srpska:
• Dayton Peace Agreement led to significant reforms for Republika Srpska (RS)
• Single state-level central command
• Bosnia’s EU progress is hampered by complex constitutional structure
Question time!
Indicators of compromise: archive containing HTA script, weaponized CV sample, XSL script with JScript backdoor, domains and URLs.
This publication has been prepared for general guidance on matters of interest only, and does not constitute professional advice. You should not act upon the information contained in this publication without obtaining
specific professional advice. No representation or warranty (express or implied) is given as to the accuracy or completeness of the information contained in this publication, and, to the extent permitted by law,
PricewaterhouseCoopers LLP, its members, employees and agents do not accept or assume any liability, responsibility or duty of care for any consequences of you or anyone else acting, or refraining to act, in
reliance on the information contained in this publication or for any decision based on it.
© 2022 PwC. All rights reserved. Not for further distribution without the permission of PwC. “PwC” refers to the network of member firms of PricewaterhouseCoopers International Limited (PwCIL), or, as the context
requires, individual member firms of the PwC network. Each member firm is a separate legal entity and does not act as agent of PwCIL or any other member firm. PwCIL does not provide any services to clients.
PwCIL is not responsible or liable for the acts or omissions of any of its member firms nor can it control the exercise of their professional judgment or bind them in any way. No member firm is responsible or liable for
the acts or omissions of any other member firm nor can it control the exercise of another member firm’s professional judgment or bind another member firm or PwCIL in any way.