Deliverycheck

Malware Profile Updated 13 days ago
DeliveryCheck is a novel .NET-based malware that Microsoft Threat Intelligence has identified in targeted attacks against the defense sector in Ukraine and Eastern Europe. The threat actor behind these attacks is tracked as Secret Blizzard (also referred to as KRYPTON or UAC-0003). DeliveryCheck is distributed by email, typically in documents containing malicious macros; once activated, it can deliver a variety of secondary payloads, potentially causing significant harm to infected systems.

On July 19, 2023, Microsoft Threat Intelligence reported that the same threat actor was also targeting Microsoft Exchange servers, installing server-side components of DeliveryCheck with PowerShell Desired State Configuration (DSC), a legitimate administration tool repurposed for malicious ends. DSC generates a Managed Object Format (MOF) file containing a PowerShell script that loads the embedded .NET payload into memory, effectively turning a legitimate server into a command-and-control center for the malware.

Microsoft Threat Intelligence and the Ukrainian government's Computer Emergency Response Team (CERT-UA) have corroborated each other's findings. Both have issued warnings about the Russian Turla hacker group's use of this new malware, alternately referred to as Capibar or Gameday, in recent attacks on the defense industry and on Microsoft Exchange servers. This underscores the need for heightened vigilance and robust cybersecurity measures, particularly within sectors of strategic importance.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID | Votes | Profile Description
Capibar | 2 | Capibar, a new malware identified as part of the arsenal of the Russian-based threat group Turla (also known as Pensive Ursa, Uroburos, or Snake), has been used in recent cyberattacks. This group, linked to the Russian Federal Security Service (FSB) and active since at least 2004, has deployed Capib
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Microsoft
Backdoor
Malware
Associated Malware
ID | Type | Votes | Profile Description
No associations to display
Associated Threat Actors
ID | Type | Votes | Profile Description
Turla | Unspecified | 2 | Turla, also known as Pensive Ursa, is a threat actor believed to be a unit of Russia's Federal Security Service according to the FBI. This cyberespionage group is notorious for its sophisticated attacks and use of malicious software, such as Snake or Ouroboros, which allows them backdoor access to c
Associated Vulnerabilities
ID | Type | Votes | Profile Description
No associations to display
Source Document References
Information about the DeliveryCheck malware was read from the documents corpus below. This display is limited to 20 results.
Source | Created At | Title
CERT-EU | 10 months ago | Hackers Turn Exchange Servers into Malware Command & Control Centers
BankInfoSecurity | 10 months ago | Russian Hackers Probe Ukrainian Defense Sector With Backdoor