
Ember Bear

Ember Bear is a suspected Russian state-sponsored cyber espionage group that has been active since at least March 2021. Ember Bear has primarily focused their operations against Ukraine and Georgia, but has also targeted Western European and North American foreign ministries, pharmaceutical companies, and financial sector organizations. Security researchers assess Ember Bear likely conducted the WhisperGate destructive wiper attacks against Ukraine in early 2022.(Citation: CrowdStrike Ember Bear Profile March 2022)(Citation: Mandiant UNC2589 March 2022)(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022)
ID: G1003
Associated Groups: Saint Bear, UAC-0056, Lorec53, Lorec Bear, Bleeding Bear, UNC2589
Version: 1.0
Created: 09 Jun 2022
Last Modified: 14 Oct 2022

Associated Group Descriptions

Name Description
Saint Bear (Citation: CrowdStrike Ember Bear Profile March 2022)
UAC-0056 (Citation: CrowdStrike Ember Bear Profile March 2022)
Lorec53 (Citation: CrowdStrike Ember Bear Profile March 2022)
Lorec Bear (Citation: CrowdStrike Ember Bear Profile March 2022)
Bleeding Bear (Citation: CrowdStrike Ember Bear Profile March 2022)
UNC2589 (Citation: Mandiant UNC2589 March 2022)

Techniques Used

Domain ID Name Use
Enterprise T1059.001 Command and Scripting Interpreter: PowerShell

Ember Bear has used PowerShell to download and execute malicious code.(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022)

Enterprise T1059.003 Command and Scripting Interpreter: Windows Command Shell

Ember Bear has used `cmd.exe` and Windows Script Host (wscript) to execute malicious code.(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022)

Enterprise T1059.007 Command and Scripting Interpreter: JavaScript

Ember Bear has used JavaScript to execute malicious code on a victim's machine.(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022)

Enterprise T1562.001 Impair Defenses: Disable or Modify Tools

Ember Bear has executed a batch script designed to disable Windows Defender on a compromised host.(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022)

Enterprise T1027.001 Obfuscated Files or Information: Binary Padding

Ember Bear has added extra spaces between JavaScript code characters to increase the overall file size.(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022)

Enterprise T1027.002 Obfuscated Files or Information: Software Packing

Ember Bear has packed malware to help avoid detection.(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022)

Enterprise T1588.002 Obtain Capabilities: Tool

Ember Bear has obtained and used open source scripts from GitHub.(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022)

Enterprise T1588.003 Obtain Capabilities: Code Signing Certificates

Ember Bear has stolen legitimate certificates to sign malicious payloads.(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022)

Enterprise T1566.001 Phishing: Spearphishing Attachment

Ember Bear has sent spearphishing emails containing malicious attachments in the form of PDFs, Word documents, JavaScript files, and Control Panel File (CPL) executables.(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022)

Enterprise T1566.002 Phishing: Spearphishing Link

Ember Bear has sent spearphishing emails containing malicious links.(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022)

Enterprise T1553.002 Subvert Trust Controls: Code Signing

Ember Bear has used stolen certificates from Electrum Technologies GmbH to sign payloads.(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022)

Enterprise T1218.002 System Binary Proxy Execution: Control Panel

Ember Bear has used control panel files (CPL), delivered via e-mail, for execution.(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022)

Enterprise T1204.001 User Execution: Malicious Link

Ember Bear has attempted to lure users to click on a malicious link within a spearphishing email.(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022)

Enterprise T1204.002 User Execution: Malicious File

Ember Bear has attempted to lure victims into executing malicious files.(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022)
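
The Binary Padding entry above describes extra spaces inserted between JavaScript characters to inflate file size. The Python heuristic below is an added example, not code from the ATT&CK page or from any cited report: it measures whitespace density and the longest space run in a script, and hashes a whitespace-collapsed form so padded variants of one script cluster together; the thresholds and the two sample scripts are constructed assumptions.

```python
import hashlib
import re
from dataclasses import dataclass


@dataclass
class PaddingReport:
    size: int                # characters in the original script
    whitespace_ratio: float  # share of space/tab/newline characters
    max_space_run: int       # longest run of consecutive spaces
    collapsed_size: int      # size after collapsing whitespace runs

    @property
    def padded(self) -> bool:
        # Assumed thresholds: ordinary or minified JS rarely exceeds
        # 40% whitespace or contains any single run of 64+ spaces.
        return self.whitespace_ratio > 0.4 or self.max_space_run >= 64


def normalize_js(src: str) -> str:
    """Collapse runs of spaces/tabs to one space and strip trailing blanks.

    For hashing and scanning only: whitespace inside string literals is
    collapsed too, so the result is not guaranteed to behave like the input.
    """
    return "\n".join(re.sub(r"[ \t]+", " ", line).rstrip() for line in src.splitlines())


def analyze_js(src: str) -> PaddingReport:
    size = len(src)
    whitespace = sum(1 for c in src if c in " \t\r\n")
    max_run = max((len(r) for r in re.findall(r" +", src)), default=0)
    collapsed = normalize_js(src)
    return PaddingReport(size, whitespace / size if size else 0.0, max_run, len(collapsed))


def normalized_sha256(src: str) -> str:
    """Hash of the whitespace-collapsed script, stable across padding variants."""
    return hashlib.sha256(normalize_js(src).encode("utf-8")).hexdigest()


# Constructed samples: a plain WSH script and the same script inflated with
# space runs between tokens and at line ends, as the Binary Padding entry describes.
NORMAL_JS = 'var msg = "hello";\nWScript.Echo(msg);\n'
PADDED_JS = ("var msg" + " " * 300 + '= "hello";' + " " * 500
             + "\nWScript.Echo(msg);" + " " * 2000 + "\n")

if __name__ == "__main__":
    for name, src in (("normal", NORMAL_JS), ("padded", PADDED_JS)):
        r = analyze_js(src)
        print(f"{name}: size={r.size} ws={r.whitespace_ratio:.2f} "
              f"run={r.max_space_run} collapsed={r.collapsed_size} padded={r.padded}")
```

The normalized hash is the useful pivot: the padded sample and the plain one hash identically after collapsing, so one indicator covers every padding variant of the same script.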

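The Windows Command Shell, JavaScript and Control Panel entries above describe a chain in which a mailed attachment is run by cmd.exe, Windows Script Host or the Control Panel host. The Python triage below is an added example, not from the ATT&CK page or the cited Unit 42 report, that flags process-creation records matching that chain; the record fields are modelled on Sysmon Event ID 1, and the user-writable path list and the sample events are constructed assumptions.

```python
import re

# Assumption: locations where mail attachments and downloads land before a
# user opens them. Extend for your environment.
USER_WRITABLE = re.compile(
    r"\\(downloads|appdata\\local\\temp|content\.outlook|inetcache|public)\\", re.I)
SYSTEM_DIRS = re.compile(r"\\windows\\(system32|syswow64)\\", re.I)

def _paths(cmdline: str, ext_pattern: str) -> list[str]:
    """Absolute Windows paths in a command line ending in the given extension."""
    return re.findall(r'"?([a-z]:\\[^"\s]+?\.' + ext_pattern + r')\b', cmdline, re.I)

def triage(evt: dict) -> list[str]:
    """Return the names of the rules a process-creation record matches."""
    exe = evt.get("Image", "").lower().rsplit("\\", 1)[-1]
    cmd = evt.get("CommandLine", "")
    hits = []
    # T1218.002: Control Panel host loading a .cpl outside the system directories.
    # A bare name such as timedate.cpl resolves to System32 and is not flagged.
    if exe == "control.exe" or (exe == "rundll32.exe" and "control_rundll" in cmd.lower()):
        if any(not SYSTEM_DIRS.search(p) for p in _paths(cmd, "cpl")):
            hits.append("cpl_outside_system_dirs")
    # T1059.007 via Windows Script Host: .js/.jse run from a user-writable path.
    if exe in ("wscript.exe", "cscript.exe"):
        if any(USER_WRITABLE.search(p) for p in _paths(cmd, "jse?")):
            hits.append("wsh_script_from_user_dir")
    # T1059.003: batch file launched by cmd.exe from a user-writable path.
    if exe == "cmd.exe":
        if any(USER_WRITABLE.search(p) for p in _paths(cmd, "(?:bat|cmd)")):
            hits.append("batch_from_user_dir")
    return hits

# Constructed sample records in the shape of Sysmon Event ID 1 fields.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\control.exe",
     "CommandLine": r'"C:\Windows\System32\control.exe" "C:\Users\ann\Downloads\invoice.cpl"'},
    {"Image": r"C:\Windows\System32\control.exe",
     "CommandLine": r'"C:\Windows\System32\control.exe" C:\Windows\System32\timedate.cpl'},
    {"Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" "C:\Users\ann\AppData\Local\Temp\report.js"'},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c "C:\Users\ann\Downloads\update.bat"'},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c "C:\ProgramData\Vendor\maint.cmd"'},
]

def triage_all(events: list[dict]) -> list[tuple[int, list[str]]]:
    """(index, hits) for every record that matched at least one rule."""
    return [(i, h) for i, e in enumerate(events) if (h := triage(e))]
```

Records 0, 2 and 3 match; the legitimate System32 .cpl and the vendor maintenance batch in ProgramData do not, which is the point of keying on the delivery location rather than on the host binary alone.
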
Software

ID Name References Techniques
S0689 WhisperGate (Citation: CrowdStrike Ember Bear Profile March 2022) (Citation: Cybereason WhisperGate February 2022) (Citation: Mandiant UNC2589 March 2022) (Citation: Microsoft WhisperGate January 2022) (Citation: Unit 42 WhisperGate January 2022) Bootkit, Data Destruction, File and Directory Discovery, PowerShell, Disable or Modify Tools, InstallUtil, Obfuscated Files or Information, Native API, Web Protocols, File Deletion, Disk Structure Wipe, Disk Content Wipe, System Checks, Security Software Discovery, Network Share Discovery, Service Execution, System Shutdown/Reboot, Process Hollowing, Windows Command Shell, Visual Basic, Create Process with Token, Web Service, System Information Discovery, Time Based Evasion, Deobfuscate/Decode Files or Information, Masquerading, Ingress Tool Transfer
S1018 Saint Bot (Citation: Malwarebytes Saint Bot April 2021) (Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022) Regsvr32, Dynamic-link Library Injection, System Network Configuration Discovery, Bypass User Account Control, Obfuscated Files or Information, Masquerading, Ingress Tool Transfer, Web Protocols, System Information Discovery, Windows Command Shell, Time Based Evasion, Query Registry, Scheduled Task, Native API, Malicious File, Asynchronous Procedure Call, Spearphishing Link, Software Packing, Visual Basic, System Checks, PowerShell, Debugger Evasion, System Location Discovery, Registry Run Keys / Startup Folder, Deobfuscate/Decode Files or Information, Process Hollowing, Process Discovery, Spearphishing Attachment, Match Legitimate Name or Location, File and Directory Discovery, System Owner/User Discovery, InstallUtil, Malicious Link, Standard Encoding, File Deletion, Data from Local System
S1017 OutSteel (Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022) Windows Command Shell, Exfiltration Over C2 Channel, Spearphishing Link, Malicious Link, Data from Local System, Automated Exfiltration, File and Directory Discovery, Automated Collection, Malicious File, Spearphishing Attachment, File Deletion, Web Protocols, Ingress Tool Transfer, Process Discovery
