115 points by hn_acker 4 months ago | 7 comments
  • caffeinewriter 4 months ago
    Huh. The researchers seemed to gloss over the Cloudflare Pages URL, but it's actually pretty interesting. I haven't had a chance to look at it in depth yet, but it appears to use the search-ms: URL protocol to show an attacker-controlled WebDAV server to serve the malware.

    The server hosting the malicious files seems to be down now, but this post details a similar attack:

    https://micahbabinski.medium.com/search-ms-webdav-and-chill-...

    It also seems to be part of a phishing kit, or potentially generated with AI due to the presence of the following comment.

        // Замени на свой URL
    
    Which in English is:

        // Replace with your URL
    
    And various other descriptive comments like

        // Полностью очищаем страницу (Completely clear the page)
        // Создаём новый контейнер с индикатором загрузки (Creating a new container with a loading indicator)
        // Через 3 секунды скрываем Cloudflare и запускаем загрузку (In 3 seconds, we hide Cloudflare and start the download.) [Though this was next to a 900ms timeout, so there's definitely been some tweaking]
    
    They're the kind of comments that don't really make sense if the author is writing them themselves, but would if they're using something off the shelf, or asking some LLM to output code. The descriptive comments of what the code's doing definitely make me lean towards the latter.
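
Added example, not part of the thread or of the analysed kit: a defender-side check that scans page source for `search-ms:` URIs whose `crumb=location:` value points at a remote UNC or WebDAV host, the pattern the comment above describes. The function names, the sample script and the host `files.example.net` are constructed for illustration.

```python
import html
import re
from urllib.parse import unquote

# A search-ms: URI runs until a quote, whitespace or angle bracket.
SEARCH_MS_RE = re.compile(r"search-ms:[^\s\"'<>]+", re.IGNORECASE)
# UNC prefix (\\host\... or //host/...); the host part may carry @SSL or @port.
UNC_RE = re.compile(r"[\\/]{2}([^\\/]+)")

def parse_location(uri):
    """Return the decoded crumb=location: value of a search-ms URI, or None."""
    for param in uri.split(":", 1)[1].split("&"):
        key, _, value = param.partition("=")
        value = unquote(value)
        if key.lower() == "crumb" and value.lower().startswith("location:"):
            return value[len("location:"):]
    return None

def scan(text):
    """List search-ms URIs in HTML/JS text whose location is a remote UNC path."""
    findings = []
    for uri in SEARCH_MS_RE.findall(html.unescape(text)):
        location = parse_location(uri)
        match = UNC_RE.match(location or "")
        if not match:
            continue  # no location crumb, or a local path such as C:\Users
        host_part = match.group(1)
        findings.append({
            "uri": uri,
            "host": host_part.split("@", 1)[0],
            # host@SSL / host@port and DavWWWRoot are WebDAV redirector syntax
            "webdav": "@" in host_part or "davwwwroot" in location.lower(),
        })
    return findings

# Constructed sample page script: one remote WebDAV location, one local path.
SAMPLE = '''
window.location.href = "search-ms:query=invoice&crumb=location:%5C%5Cfiles.example.net%40SSL%5CDavWWWRoot%5Cdocs&displayname=Downloads";
var local = "search-ms:query=report&crumb=location:C%3A%5CUsers%5CPublic&";
'''

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

The same function can be run over proxy-captured HTML or mail attachments; a hit with `webdav` set is worth correlating with outbound WebDAV traffic from the same client.
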
    • inetknght 4 months ago
      > The descriptive comments of what the code's doing definitely make me lean towards the latter.

      Sadly, it's that exact kind of descriptive comments that are the kinds of comments that I expect to see in well-documented code. The kind of comments that I would expect from a seasoned engineer.

    • throw-the-towel 4 months ago
      IDK, I think these comments look exactly like the comments in most real-world code.
  • nazgulsenpai 4 months ago
    Posted as a separate submission before reading this one, but the EFF's blog post about it: https://www.eff.org/deeplinks/2025/03/simple-phish-bait-eff-...
  • d0mine 4 months ago
    > Code comments found within and PowerShell scripts suggest the work of a Russian-speaking developer.
    • Y_Y 4 months ago
      I have a git hook to translate all comments into Russian before I push to the victim's machine
  • m000 4 months ago
    Isn't that title kind of clickbaity? TFA only mentions a "Russian-speaking developer". This is largely irrelevant to the malware analysis and no further links are established to some Russian actor.

    I.e. there is no exposé of anyone, but putting "Exposing Russians" in the title gives clicks.

  • sneak 4 months ago
    Not everyone who speaks the Russian language is a Russian.
    • _DeadFred_ 4 months ago
      Maybe you should inform Russia of that. They sure seem to think eastern Ukraine is theirs because of Russian language speakers.
      • erikerikson 4 months ago
        Ukrainians see their language[0] as distinct from Russian. Not to deny that the Russians have claimed that Russian speakers are domiciled in Ukraine.

        [0] https://en.m.wikipedia.org/wiki/Ukrainian_language

        • lukaslalinsky 4 months ago
          The two most recent Russian invasions actually caused the gain in popularity of the Ukrainian language. Before that, many people considered themselves Ukrainian and spoke only Russian. That's changing since the invasions started.
          • erikerikson 4 months ago
            I'm no expert but the article I linked above says:

            > It is the first (native) language of a large majority of Ukrainians.

            • rat87 4 months ago
              It's pretty complicated, especially since it's been changing significantly since 2022 and even 2014, but most Ukrainians understand and speak Russian and a large minority have or had it as a primary language. People also spoke both. It's not a straight west to east thing. Many of the cities, especially but not only in the south and east, were primarily Russian speaking while the West and less urban areas were mostly Ukrainian. Not to mention Surzhyk (mixed Ukrainian/Russian speech) or other smaller languages spoken in Ukraine.

              One good example is President Zelenskyy and Kvartal 95 (the comedy troupe/media company he and his friends formed): most of their shows and skits until recently were in Russian. Their use of Russian was not just because for export to Russia or other Russian speakers outside of Ukraine/Russia, it was not rare to make media aimed at a primarily Ukrainian audience in Russian. An example: Zelenskyy making fun of Putin's claim that Kyiv is the mother of Russian cities (in Russian) https://youtube.com/watch?v=tnaM-dXxpo8&list=PLfso1c1v9W3MAa...

              • dragonwriter 4 months ago
                > Their use of Russian was not just because for export to Russia or other Russian speakers outside of Ukraine/Russia, it was not rare to make media aimed at a primarily Ukrainian audience in Russian.

                I don't know about the other members of the troupe or the degree to which this is a factor, but Zelenskyy is himself a native Russian speaker.

                • rat87 4 months ago
                  I'm sure it did but Zelenskyy and his shows weren't that unusual. Russian was widely understood and spoken as a secondary language as well as being spoken by a significant number of Ukrainians as a primary language. It was not unusual to hear Russian in Ukrainian media or see it in social media posts from Ukraine. Over the last decade and especially the last 3 years it's changed a lot; the Russian invasion has convinced a lot of Ukrainians, including those with Russian ancestors or who were born in Russia, to switch to Ukrainian.
        • _DeadFred_ 4 months ago
          I have an ex-girlfriend from eastern Ukraine. Prior to the war she spoke mainly Russian, her parents spoke mainly Russian, her friends spoke mainly Russian. They all went to Moscow University. Of course now they are trying to switch to Ukrainian but it is not their first language.
      • dragonwriter 4 months ago
        This is also why North America belongs to, depending on exactly where you are, largely England and/or Spain.
  • rickandmortyy 4 months ago
    since the Kennedy stuff nothing has been as shocking