Actor behind Operation LagTime targets Russia

Sebdraven
2 min readNov 25, 2020

the file f5a78a155a219582db8959c3a96a1d91ed891801663b1cce0c599779773bc3f5 uses the version 7 of royal road document.

This file drops in memory a new backdoor rewriting the process EQNEDT32.EXE.

This document refers to the ceasefire between Armenia and Azerbaijan and seems to be send by the Mongolian authorities.

Analysis of the backdoor in memory

This backdoor is a state machine launching different threads. (function 00401640)

The backdoor checks the disk of the computer, the processes launched, the version of windows, the privileges of the user.

The malware tries many connections to the c2 in different functions:

The domain of the c2 is in clear text in the malware

This backdoor is very simple to analyze. There are no packing and no obfuscation code.

Attribution

For Intezer, the similarity is high with the file 4c22eb33aa1d10511eaf8d13098e2687e44eaebc5af8112473e28acedac34be

This malware was used in operation lagtime. https://otx.alienvault.com/indicator/file/4c22eb33aa1d10511eaf8d13098e2687e44eaebc5af8112473e28acedac34bea

The IP of the C2 is 95.179.131.29 in operation LagTime.

So the campaign against russia is driven by the same threat actor of Operation LagTime IT

The configuration of the backdoor’s C2, 103.106.250.239 which is hosted in Malaysia, has changed in July 2020. This date seems to be the beginning of the operation.

IOCs

Rtf file

f5a78a155a219582db8959c3a96a1d91ed891801663b1cce0c599779773bc3f5
2d678cba2795d0339331125692e9a850a043a22f
ae1b4a5775aca501954076b8024b04ec

Network

custom.songuulcomiss.com
103.106.250.239

Backdoor:

46a9ca7d5364fbe5fd3d6ffb0f8d86e9a9e566708657e59ef8873d3ed536348d

--

--

Sebdraven

Malwarist,Threat Huntist and pythonist / core dev of #yeti/ member of @ProjectHoneynet / co-organizer #BotConf / researcher