Graphiron Threat From Nodaria(UAC-0056) To Ukraine

Tags: Graphiron, Nodaria, UAC-0056, SaintBear, Ember Bear

The Russia-linked Nodaria espionage group (aka UAC-0056) is deploying a new piece of information-stealing malware against targets in Ukraine. The malware, Infostealer.Graphiron, is written in Go and is designed to harvest a wide variety of information from the infected computer, including system information, credentials, screen content, and files.

Indicators of Compromise

confirmation-request.info
xbeta.online
emailreques-secure.info
chasereques-secure09.info
secure-transmmisions.info
transfer-currently.info
eumr.site
shell.run
nirsoft.me
secure09-authrequest.info
permission-online.info
blue-escorts.com
forkscenter.fr
helponline-auth.info
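The domains above are only useful once they are run against telemetry. The following is an added example, not code from the original page or from the researchers who reported Graphiron: it takes the indicator list as published here and hunts for it in DNS and proxy log lines. The log lines are constructed for the demo and are not real events; the log formats (a BIND-style query log and a Squid-style access log line) are assumptions about what a typical environment would have. Matching is done on domain-label boundaries, so a query for a subdomain such as "www.xbeta.online" is a hit, while a look-alike such as "myshell.run" does not falsely match the indicator "shell.run" the way a plain substring search would.

```python
import re

# Domains copied verbatim from the "Indicators of Compromise" section above.
GRAPHIRON_DOMAINS = [
    "confirmation-request.info",
    "xbeta.online",
    "emailreques-secure.info",
    "chasereques-secure09.info",
    "secure-transmmisions.info",
    "transfer-currently.info",
    "eumr.site",
    "shell.run",
    "nirsoft.me",
    "secure09-authrequest.info",
    "permission-online.info",
    "blue-escorts.com",
    "forkscenter.fr",
    "helponline-auth.info",
]

# CONSTRUCTED sample log lines for this demo (not real telemetry): four
# BIND-style query-log entries and one Squid-style access-log entry.
SAMPLE_LOGS = [
    "10-Feb-2023 09:12:01.113 client 10.0.4.17#53211: query: www.xbeta.online IN A + (10.0.0.2)",
    "10-Feb-2023 09:12:05.431 client 10.0.4.22#53890: query: mail.example.com IN MX + (10.0.0.2)",
    "10-Feb-2023 09:13:10.008 client 10.0.4.17#53212: query: secure-transmmisions.info. IN A + (10.0.0.2)",
    "10-Feb-2023 09:14:44.900 client 10.0.4.31#49100: query: myshell.run IN A + (10.0.0.2)",
    "1676020520.123    215 10.0.4.40 TCP_MISS/200 1543 GET http://helponline-auth.info/ - HIER_DIRECT/203.0.113.9 text/html",
]

# Anything that looks like a dotted hostname (or IP); IPs never match a domain IoC.
_HOST_RE = re.compile(r"[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")


def normalize(host: str) -> str:
    """Lower-case and drop the trailing dot that DNS logs put on FQDNs."""
    return host.lower().rstrip(".")


def matches_indicator(host: str, indicator: str) -> bool:
    """True if host equals the indicator or is a subdomain of it.

    The boundary check is what stops 'myshell.run' from matching 'shell.run'.
    """
    host, indicator = normalize(host), normalize(indicator)
    return host == indicator or host.endswith("." + indicator)


def extract_hosts(line: str) -> list[str]:
    """Pull every dotted-name token out of a log line, format-agnostic."""
    return [m.group(0) for m in _HOST_RE.finditer(line)]


def find_hits(lines, indicators=GRAPHIRON_DOMAINS):
    """Return (line_index, host, indicator) for every indicator match."""
    hits = []
    for idx, line in enumerate(lines):
        for host in extract_hosts(line):
            for ioc in indicators:
                if matches_indicator(host, ioc):
                    hits.append((idx, normalize(host), ioc))
                    break  # one report per host token is enough
    return hits


if __name__ == "__main__":
    for idx, host, ioc in find_hits(SAMPLE_LOGS):
        print(f"line {idx}: {host} matched indicator {ioc}")
```

Running it against the constructed lines reports the "www.xbeta.online" query, the trailing-dot "secure-transmmisions.info." query and the proxy request to "helponline-auth.info", and stays silent on "mail.example.com" and "myshell.run". Short indicators like "shell.run" and "nirsoft.me" are exactly where a substring search would produce noise, which is why the match is anchored on a label boundary rather than done with `in`.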

APT Groups

SaintBear (Russian Federation)
Aliases: UNC2589, TA471, Nascent Ursa, Nodaria, Ember Bear, SaintBear, FROZENVISTA, UAC-0056, Storm-0587, Lorec53

Campaign Guidance

Remediation, mitigation, notes, history and related intelligence

Remediations

The guidance below is generic. For this campaign the most direct actions are to block the domains listed under Indicators of Compromise at the DNS and proxy layers and to search DNS and proxy logs for past connections to them, since Graphiron is an information stealer that harvests credentials, screen content and files from the host. Note that the first two items address DDoS attacks, which this campaign does not involve.

  • Deploy network hardware able to absorb known attack types and enable the protective features it offers. While added capacity will not prevent a DDoS attack, it lessens the impact of one.
  • Use a DDoS mitigation provider that can apply cloud scrubbing to attack traffic, so that most of the problematic traffic is removed before it reaches the victim's network.
  • Keep your website's content management system (CMS) up to date.
  • Use the latest available version of any active plugins.
  • Restrict access to the website management pages.

Observed Countries

Georgia (GE): 719
Kyrgyzstan (KG): 473
Russia (RU): 378
Ukraine (UA): 717