Deliverycheck

Malware updated 7 months ago (2024-05-04T17:45:04.499Z)

Download STIX

Preview STIX

DeliveryCheck is a novel .NET-based malware that has been identified by Microsoft's Threat Intelligence as being used in targeted attacks against the defense sector in Ukraine and Eastern Europe. The threat actor behind these attacks is known as Secret Blizzard (also referred to as KRYPTON or UAC-0003). Distributed via email, DeliveryCheck typically arrives in documents containing malicious macros. Once activated, it can deliver a variety of secondary payloads, potentially causing significant harm to infected systems. On July 19, 2023, Microsoft Threat Intelligence reported that the same threat actor was also targeting Microsoft Exchange servers. They were installing server-side components of DeliveryCheck using PowerShell Desired State Configuration (DSC), a legitimate tool repurposed for malicious ends. DSC generates a Managed Object Format (MOF) file containing a PowerShell script that loads the embedded .NET payload into memory, effectively turning a legitimate server into a command-and-control center for the malware. The cybersecurity researchers at Microsoft Threat Intelligence and the Ukrainian government’s Computer Emergency Response Team (CERT-UA) have corroborated each other's findings. Both entities have issued warnings about the Russian Turla hacker group's use of this new malware, alternately referred to as Capibar or Gameday, in recent attacks on the defense industry and Microsoft Exchange servers. This underscores the need for heightened vigilance and robust cybersecurity measures, particularly within sectors of strategic importance.

Description last updated: 2023-09-18T23:11:35.222Z

What's your take? (Question 1 of 4)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.

Alias Description	Votes
Capibar is a possible alias for Deliverycheck. Capibar, a new malware identified as part of the arsenal of the Russian-based threat group Turla (also known as Pensive Ursa, Uroburos, or Snake), has been used in recent cyberattacks. This group, linked to the Russian Federal Security Service (FSB) and active since at least 2004, has deployed Capib	2

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Microsoft

Backdoor

Malware

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Associated Threat Actors

To see the evidence that has resulted in these threatActor associations, create a free account

Alias Description	Association Type	Votes
The Turla Threat Actor is associated with Deliverycheck. Turla, a threat actor linked to Russia, is known for its sophisticated cyber espionage operations. The group has been associated with numerous high-profile attacks, often utilizing advanced backdoors and fileless malware for infiltration and persistence. Turla's tactics, techniques, and procedures (	Unspecified	2

Source Document References

Information about the Deliverycheck Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Preview	Source Link	CreatedAt	Title
	BankInfoSecurity	a year ago	Russian Hackers Probe Ukrainian Defense Sector With Backdoor
	CERT-EU	a year ago	Hackers Turn Exchange Servers into Malware Command & Control Centers