A mysterious group of hackers carried out a series of cyber attacks against Croatian government agencies, infecting employees with a new piece of malware tracked as SilentTrinity. The SilentTrinity malware can take control over an infected computer, it allows attackers to execute arbitrary commands.
Between February and April, allegedly state-sponsored hackers have launched a spear-phishing campaign against
The attack was discovered by researchers at Positive Technologies while hunting for new and cyber threats, the attackers used excel weaponized documents.
The phishing messages posed as delivery notifications from the Croatian postal or other retail services, they included a Microsoft Excel saved in the old .xls format and compiled the previous day.
The document included a malicious macro that borrows code from various projects hosted on StackOverflow.com, Dummies.com, Issuu.com, Rastamouse.me, or GitHub.com.
Once the victim has enabled the macro, the malicious code will download and execute the malware on the victim’s machine. Experts observed attackers using the Empire backdoor and the SilentTrinity malware.
Searching online for SILENTTRINITY the experts found a reference in the PE file debugging information, the code comes for the IronPython project uploaded on GitHub in October 2018 by Marcello Salvati. The experts aimed at combining flexibility with the advantages of a well-known post-exploitation PowerShell framework by writing it in Python.
“we will describe the basic mechanism and a few highlights of the implementation.” reads the analysis published by Positive Technologies.
“Here is what happens after the PE file is run (although the intermediate link does not necessarily have to be a PE file):
IronPython also supports the Boo language and allows to implement a
The attack against Croatia was also spotted by experts at
“The Office of Information Security (SIS) has, in its several jurisdictions, observed the most recent
“The page contains the content downloaded from the official Croatian web pages, and immediately after visiting the site, the user is offered the download of the notification_o_posiljki.xls file.
So far, two versions of the file are known.
The Croatian Post has already taken steps to remove take down the malicious web sites and servers involved in the attacks.
The experts attempted to attribute the attacks to other malicious campaigns, the most important evidence collected they observed is that reuse of a C2 server involved in the attacks exploiting a WinRAR vulnerability to infect government targets in Ukraine.
Researchers at FireEye observed four hacking campaigns, including ones that delivered new pieces of malware. FireEye did not attribute the attack to specific APT, but the choice of targets and TTPs are aligned with Russian state-sponsored campaigns.
Further technical details, including IoCs are reported in the analysis shared by the experts.