Operation Domino, Operation Kremlin

Description

(Clearsky) ClearSky researchers identified a malicious “.docx” file that was uploaded to VirusTotal from Russia in mid-December. The file contains an obfuscated URL to a remote template which contains malicious VBA, eventually leading to the execution of VBS on the infected machine. The attack’s purpose is to stealthily exfiltrate information without running any external executables on the system.

Notably, the process is escalated on a certain day of the week, suggesting a possible familiarity with the intended victim or victims.

We estimate with medium confidence that the same threat actor responsible for the attacks described in this paper also conducted an attack named “Operation Domino” that occurred earlier in 2020.

We decided to name the operation “Kremlin” due to the use of a parameter named “kreml” in the “poslai” (meaning send in Russian) function that exfiltrates the data.

Names

Name	Name-Giver
Operation Domino	Hunting Shadow Lab
Operation Kremlin	ClearSky

Country

Russia

Motivation

Information theft and espionage

First Seen

2019

Observed Countries

Belarus

Operations

2020-09: Operation “Domino” https://ti.dbappsecurity.com.cn/blog/index.php/2020/09/18/operation-domino/
2020-12: Operation “Kremlin” https://www.clearskysec.com/operation-kremlin/

Information

https://www.clearskysec.com/operation-kremlin/

Other Information

Uuid

99a751ba-5585-44b1-b9d3-993fc2ddc8fc

Last Card Change

2024-12-29

Threat Intelligence Garden

Explorer

Operation Domino, Operation Kremlin

Operation Domino, Operation Kremlin

Description

Names

Country

Motivation

First Seen

Observed Countries

Operations

Information

Other Information

Uuid

Last Card Change

Graph View

Table of Contents

Backlinks