UNC5812: Russian Group “Civil Defense” Malware Campaign

Russian Hybrid Espionage and Influence Campaign Seek to Deliver Anti-Mobilization Narratives and Compromised Ukrainian Military Recruits

In September 2024, the Google Threat Intelligence Group which is made up of Mandiant and Google’s Threat Analysis Group (TAG) discovered UNC5812, a suspected Russian hybrid espionage and influence campaign that used the Telegram persona “Civil Defense” to distribute malware for Windows and Android. According to their claims, “Civil Defense” offers free software applications that let prospective conscripts see and share crowdsourced locations of Ukrainian military recruiters.

These apps provide the victim with a decoy mapping application it track as SUNSPINNER combined with an OS system-specific commodity malware version if they are installed with Google Play Protect turned off. UNC5812 is actively involved in influence activity, disseminating narratives, and requesting content aimed at undermining support for Ukraine’s mobilization efforts, in addition to using its website and Telegram channel to distribute malware.

Targeting Telegram Users

Both the website civildefense[.]com.ua and the actor-controlled Telegram channel @civildefense_com_ua are used by UNC5812 to distribute malware. In April 2024, the related website was registered; however, the Telegram channel was not established until early September 2024, which it believes marks the full operationalization of UNC5812’s campaign. It estimates that UNC5812 is probably buying promoted posts in reputable, well-established Ukrainian-language Telegram channels to direct potential victims to these actor-controlled sites.

• A reputable missile alerts Telegram channel with over 80,000 followers was seen advertising the “Civil Defense” website and channel to its members on September 18, 2024.
• As recently as October 8th, another Ukrainian-language news outlet promoted Civil Defense’s articles, suggesting the campaign is likely still actively looking for new Ukrainian-language groups for focused interaction.
• Channels that have pushed “Civil Defense” posts highlight the opportunity to contact their administrations about sponsorship opportunities. It believes that to expand the operation’s scope, UNC5812 is most likely approaching the appropriate legal channels through this vector.

The campaign’s ultimate goal is to direct victims to the “Civil Defense” website, which is under UNC5812’s control and promotes a number of software applications for various operating systems. These apps download different commodity malware families when they are installed.

• The website provides a PHP downloader for Windows users called Pronsis Loader, which is publicly recorded and compiled into Java Virtual Machine (JVM) bytecode using the open source JPHP project. When Prosnis Loader is run, it starts a complicated malware delivery chain that eventually delivers SUNSPINNER and PURESTEALER, a commodity information stealer.
• The malicious APK file aims to install a version of the commercially available Android backdoor CRAXSRAT on Android users. This payload was seen in a variety of forms, including one that had SUNSPINNER in addition to the CRAXSRAT payload.
• Although support for macOS and iPhones is also advertised on the Civil Defense website, at the time of study, only Windows and Android payloads were accessible.

Notably, the Civil Defense website also uses an unusual kind of social engineering to allay user concerns about APK delivery outside of the App Store and provide justification for the high level of permissions needed to install CRAXSRAT.

• In an attempt to “protect the anonymity and security” of its users, the website’s FAQ offers a strained defense for the Android application‘s hosting outside of the App Store, pointing users to a set of video instructions that go along with it.
• After the malware is successfully installed, the Ukrainian-language video instructions show victims how to manually allow all permissions and disable Google Play Protect, a program that checks apps for malicious functionality when they are installed on Android devices.

Operation of Anti-Mobilization Influence

UNC5812 is participating in influence operations to thwart Ukraine’s broader mobilization and military recruitment initiatives in addition to its attempts to spread malware and obtain access to the devices of possible military recruits. Videos of “unfair actions from territorial recruitment centers,” which it believes likely to be meant for follow-on exposure to support UNC5812’s anti-mobilization narratives and disparage the Ukrainian military, are actively sought out on the group’s Telegram channel by users and subscribers. An attacker-controlled https://t[.]me/UAcivildefenseUA account is used to establish a chat thread when the “Send Material” (Ukrainian: Нaдіслати матеріал) button is clicked.

• Additionally, there are anti-mobilization images and content in Ukrainian on the Civil Defense website, including a news section highlighting alleged instances of unfair mobilization tactics.
• Cross-posted anti-mobilization propaganda on the group’s Telegram channel and website seems to come from larger pro-Russian social media networks. In at least one case, the Russian Embassy posted a video on South Africa’s X account a day after UNC5812 shared it.

Malware Analysis

From the group’s website, civildefense[.]com[.]ua, UNC5812 runs two distinct malware delivery chains for Android and Windows devices. The parallel release of a decoy mapping program known as SUNSPINNER, which shows users a map that represents the alleged locations of Ukrainian military recruits from an actor-controlled command-and-control (C2) server, is a commonality among these several delivery chains.

SUNSPINNER

The fake graphical user interface (GUI) program SUNSPINNER (MD5: 4ca65a7efe2e4502e2031548ae588cb8) was created with the Flutter framework and compiled for both the Windows and Android operating systems. The application’s GUI renders the map markers that SUNSPINNER requests fromhttp://h315225216.nichost[.]ru/itmo2020/Student/map_markers/mainurl.json, followed by a request for map markers from https://fu-laravel.onrender[.]com/api/markers that are then rendered on the app’s GUI.

According to the features listed on the Civil Defense website, SUNSPINNER can show crowdsourced markers that include the locations of Ukrainian military recruiters, and users can even add their own markers. Nevertheless, the presented map does not seem to contain any authentic user inputs, even though it has the minimal functionality needed for people to register and add markers. The same user added every marker found in the JSON file extracted from SUNSPINNER’s C2 infrastructure on the same day.

Pronsis Loader to PURESTEALER in Windows

CivilDefense.exe (MD5: 7ef871a86d076dac67c2036d1bb24c39), the Windows payload obtained from the Civil Defense website, is a customized version of Pronsis Loader, a newly identified commodity malware that is largely being used by threat actors with financial motivations.

The second-stage downloader “civildefensestarter.exe” (MD5: d36d303d2954cb4309d34c613747ce58) and the decoy SUNSPINNER binary are both retrieved by Pronsis Loader. This starts a multi-stage delivery chain that uses a series of self-extracting archives and finally runs PURESTEALER on the victim device. The open-source JPHP project is used to compile the PHP-written second-stage downloader into Java Virtual Machine (JVM) bytecode, which is subsequently created as a Windows executable file. The CivilDefense installer runs this file automatically.

PURESTEALER is the last payload (MD5: b3cf993d918c2c61c7138b4b8a98b6bf), a highly disguised commodity infostealer built in.NET, is intended to steal cryptocurrency wallets, chat apps, email clients, and browser data like passwords and cookies. “Pure Coder Team” is the company that sells PURESTEALER. Monthly subscriptions cost $150, while lifetime licenses cost $699.

CraxsRAT Android

A variation of the commercially available Android backdoor CRAXSRAT is the Android Package (APK) file “CivilDefensse.apk” (MD5: 31cdae71f21e1fad7581b5f305a9d185) that was downloaded from the Civil Defense website. File management, SMS management, contact and credential harvesting, and a number of location, audio, and keystroke monitoring features are all features that CRAXSRAT offers that are common to a conventional Android backdoor. It is also sold on underground forums, just like PURESTEALER.

At the time of investigation, the Android sample that was being circulated merely showed a splash screen with the “Civil Defense” logo. Nevertheless, it was discovered that the identical SUNSPINNER decoy application was present in another identified sample (MD5: aab597cdc5bc02f6c9d0d36ddeb7e624) as it was in the Windows delivery chain. This version downloads the CRAXSRAT payload from http://h315225216.nichost[.]ru/itmo2020/Student/map_markers/CivilDefense.apk after requesting the user’s Android REQUEST_INSTALL_PACKAGES permission.

Safeguarding Users

Google also keeps an eye out for Android spyware, and it implements and maintains Google Play Protect’s safeguards both inside and outside of Google Play, scanning devices for potentially dangerous apps from any source. Notably, the Civil Defense website of UNC5812 had social engineering content and comprehensive video instructions that directly instructed the intended user to disable Google Play Protect and manually activate the Android permissions needed for CRAXSRAT to operate. By alerting users before they access risky websites, Safe Browsing also protects Chrome users on Android. Google Play is protected by app scanning infrastructure, which also enables Verify Apps to further secure consumers who install apps from sources other than Google Play.

The national authorities of Ukraine have also been informed of its discoveries, and they have taken steps to limit the campaign’s reach by preventing the actor-controlled “Civil Defense” website from being resolved nationwide.

In brief

Following modifications to Ukraine’s national mobilization rules in 2024, Russian threat actors have increased their operational involvement in Ukraine, as seen by UNC5812’s hybrid espionage and information operation targeting prospective Ukrainian military recruits. The introduction of Ukraine’s national digital military ID, which is designed to handle the information of people due for military duty and increase recruitment, has specifically led to an increase in the targeting of prospective military recruits. It also continues to see consistent efforts by pro-Russian influence actors to spread messaging that undermines Ukraine’s mobilization drive and sows popular mistrust in the officials conducting it, in line with studies from EUvsDisinfo.

From a tradecraft standpoint, UNC5812‘s campaign exemplifies Russia’s focus on using its cyber capabilities to achieve cognitive effect and emphasizes the significant role messaging apps continue to play in the spread of malware and other cyber aspects of Russia’s war in Ukraine. It concludes that Telegram will very certainly continue to be a major conduit for cyber-enabled activity for a variety of Russian-affiliated espionage and influence operations as long as it remains a vital information source during the conflict.