Deliverycheck

Malware Profile Updated 3 months ago
Download STIX
Preview STIX
DeliveryCheck is a novel .NET-based malware that has been identified by Microsoft's Threat Intelligence as being used in targeted attacks against the defense sector in Ukraine and Eastern Europe. The threat actor behind these attacks is known as Secret Blizzard (also referred to as KRYPTON or UAC-0003). Distributed via email, DeliveryCheck typically arrives in documents containing malicious macros. Once activated, it can deliver a variety of secondary payloads, potentially causing significant harm to infected systems. On July 19, 2023, Microsoft Threat Intelligence reported that the same threat actor was also targeting Microsoft Exchange servers. They were installing server-side components of DeliveryCheck using PowerShell Desired State Configuration (DSC), a legitimate tool repurposed for malicious ends. DSC generates a Managed Object Format (MOF) file containing a PowerShell script that loads the embedded .NET payload into memory, effectively turning a legitimate server into a command-and-control center for the malware. The cybersecurity researchers at Microsoft Threat Intelligence and the Ukrainian government’s Computer Emergency Response Team (CERT-UA) have corroborated each other's findings. Both entities have issued warnings about the Russian Turla hacker group's use of this new malware, alternately referred to as Capibar or Gameday, in recent attacks on the defense industry and Microsoft Exchange servers. This underscores the need for heightened vigilance and robust cybersecurity measures, particularly within sectors of strategic importance.
What's your take? (Question 1 of 5)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
IDVotesProfile Description
Capibar
2
Capibar, a new malware identified as part of the arsenal of the Russian-based threat group Turla (also known as Pensive Ursa, Uroburos, or Snake), has been used in recent cyberattacks. This group, linked to the Russian Federal Security Service (FSB) and active since at least 2004, has deployed Capib
Secret Blizzard
1
Secret Blizzard, also known as Turla, KRYPTON, and UAC-0003, is a threat actor group linked to Russia's Federal Security Service (FSB). This Advanced Persistent Threat (APT) group has been active since the early 2000s, primarily targeting government organizations worldwide. The group's activities we
Gameday
1
"Gameday" is a potent malware, a malicious software designed to infiltrate and damage computer systems. It can enter the system through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can steal personal information, disrupt operations, or even hold data
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Malware
Microsoft
Backdoor
Payload
Espionage
Associated Malware
To see the evidence that has resulted in this association, create a free account
IDTypeVotesProfile Description
No associations to display
Associated Threat Actors
To see the evidence that has resulted in this association, create a free account
IDTypeVotesProfile Description
TurlaUnspecified
2
Turla, also known as Pensive Ursa, is a sophisticated threat actor linked to Russia that has been active for many years. The group is known for its advanced cyber-espionage capabilities and has been associated with numerous high-profile breaches. According to the MITRE ATT&CK and MITRE Ingenuity dat
Associated Vulnerabilities
To see the evidence that has resulted in this association, create a free account
IDTypeVotesProfile Description
No associations to display
Source Document References
Information about the Deliverycheck Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more
SourceCreatedAtTitle
BankInfoSecurity
a year ago
Russian Hackers Probe Ukrainian Defense Sector With Backdoor
CERT-EU
a year ago
Hackers Turn Exchange Servers into Malware Command & Control Centers