SaintBear, Lorec53
Description
(NSFOCUS) In July 2021, several phishing documents created in Georgian were discovered by NSFOCUS Security Labs. In these phishing documents, the attackers used current political hotspots in Georgia to create bait and deliver a secret-stealing Trojan to specifically targeted victims, aiming to steal various documents from their computers. Correlation analysis shows that this phishing campaign and an earlier phishing attack against the Ukrainian government came from the same unknown threat entity, most likely composed of Russian hackers. From April to July of 2021, the group launched several phishing attacks applying a large number of network resources located in Russia. In order to facilitate ongoing tracking, NSFOCUS Security Labs has tentatively dubbed the hacker group Lorec53 by extracting special names from related Trojans.
Names
| Name | Name-Giver |
|---|---|
| SaintBear | ThreatBook |
| Ember Bear | CrowdStrike |
| TA471 | Proofpoint |
| UNC2589 | FireEye |
| Lorec53 | NSFOCUS |
| UAC-0056 | CERT-UA |
| Nodaria | Symantec |
| FROZENVISTA | |
| Storm-0587 | Microsoft |
| Nascent Ursa | Palo Alto |
Country
Motivation
- Information theft and espionage
First Seen
2021
Observed Sectors
Observed Countries
Tools
Operations
- 2022-02: Spear Phishing Attacks Target Organizations in Ukraine, Payloads Include the Document Stealer OutSteel and the Downloader SaintBot https://unit42.paloaltonetworks.com/ukraine-targeted-outsteel-saintbot/
- 2022-03: Ukraine’s CERT Warns Threat Actors For Fake AV Updates https://www.socinvestigation.com/ukraines-cert-warns-russian-threat-actors-for-fake-av-updates/
- 2022-03: Cobalt Strikes again: UAC-0056 continues to target Ukraine in its latest campaign https://blog.malwarebytes.com/threat-intelligence/2022/07/cobalt-strikes-again-uac-0056-continues-to-target-ukraine-in-its-latest-campaign/
- 2022-10: Graphiron: New Russian Information Stealing Malware Deployed Against Ukraine https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/nodaria-ukraine-infostealer
Information
- https://nsfocusglobal.com/apt-retrospection-lorec53-an-active-russian-hack-group-launched-phishing-attacks-against-georgian-government/
- https://www.crowdstrike.com/blog/who-is-ember-bear/
- https://services.google.com/fh/files/blogs/google_fog_of_war_research_report.pdf
Mitre Attack
Playbook
Other Information
Uuid
8f37f59a-226c-4059-9222-c5ad769f31ef
Last Card Change
2024-03-10