2022-03-18

Ukraine Targeted with Fraudulent Translation Software

Level: 
Tactical
  |  Source: 
SentinelOne
Share:

March 16th, 2022: Ukraine Targeted with Fraudulent Translation Software

Industry: N/A | Level: Tactical | Source: SentinelOne

SentinelOne identified threat actor group, SaintBear (aka UAC-0056, UNC2589, TA471) distributing fraudulent translation software to users in Ukraine to infect them with malware GrimPlant and GraphSteel. The fraudulent translation software is complied in python and has been identified as early as February 2022 in threat campaigns. When dropped on the victim's host, the malware downloads additional .exe payloads, runs reconnaissance commands, establishes persistence and collects credentials.

  • Anvilogic Scenario: SaintBear - Fraudulent Software - Infection Flow
  • Anvilogic Use Cases:
  • Executable File Written to Disk
  • Common Reconnaissance Commands
  • Query Registry
  • New AutoRun Registry Key
  • Windows Credentials Editor

Get trending threats published weekly by the Anvilogic team.

Sign Up Now