Deliverycheck

Malware updated 4 months ago (2024-05-04T17:45:04.499Z)
DeliveryCheck is a novel .NET-based malware that Microsoft Threat Intelligence has identified in targeted attacks against the defense sector in Ukraine and Eastern Europe. The threat actor behind these attacks is tracked as Secret Blizzard (also referred to as KRYPTON or UAC-0003). DeliveryCheck is distributed via email and typically arrives in documents containing malicious macros. Once activated, it can deliver a variety of secondary payloads, potentially causing significant harm to infected systems.

On July 19, 2023, Microsoft Threat Intelligence reported that the same threat actor was also targeting Microsoft Exchange servers, installing server-side components of DeliveryCheck using PowerShell Desired State Configuration (DSC), a legitimate administration tool repurposed for malicious ends. DSC generates a Managed Object Format (MOF) file containing a PowerShell script that loads the embedded .NET payload into memory, effectively turning a legitimate server into a command-and-control center for the malware.

Researchers at Microsoft Threat Intelligence and the Ukrainian government's Computer Emergency Response Team (CERT-UA) have corroborated each other's findings. Both have issued warnings about the Russian Turla hacker group's use of this new malware, alternately referred to as Capibar or Gameday, in recent attacks on the defense industry and Microsoft Exchange servers. This underscores the need for heightened vigilance and robust cybersecurity measures, particularly within sectors of strategic importance.
Description last updated: 2023-09-18T23:11:35.222Z
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so here are some possibly overlapping names and profiles you may also want to look at.
ID: Capibar
Votes: 2
Profile Description: Capibar, a new malware identified as part of the arsenal of the Russian-based threat group Turla (also known as Pensive Ursa, Uroburos, or Snake), has been used in recent cyberattacks. This group, linked to the Russian Federal Security Service (FSB) and active since at least 2004, has deployed Capib
Miscellaneous Associations
Other elements of context that could aid in assessing relevance:
Microsoft
Backdoor
Malware
Associated Threat Actors
ID: Turla
Type: Unspecified
Votes: 2
Profile Description: Turla, a threat actor linked to Russia, is known for its sophisticated cyber-espionage activities. It has been associated with numerous high-profile attacks, employing innovative techniques and malware to infiltrate targets and execute actions with malicious intent. According to MITRE ATT&CK and MIT
Source Document References
Information about the DeliveryCheck malware was drawn from the document corpus below. This display is limited to 20 results.
Source: BankInfoSecurity
Created: a year ago
Title: Russian Hackers Probe Ukrainian Defense Sector With Backdoor

Source: CERT-EU
Created: a year ago
Title: Hackers Turn Exchange Servers into Malware Command & Control Centers