Ember Bear
Ember Bear is a suspected Russian state-sponsored cyber espionage group that has been active since at least March 2021. Ember Bear has primarily focused their operations against Ukraine and Georgia, but has also targeted Western European and North American foreign ministries, pharmaceutical companies, and financial sector organizations. Security researchers assess Ember Bear likely conducted the WhisperGate destructive wiper attacks against Ukraine in early 2022.[1][2][3]
Associated Group Descriptions
| Name | Description |
|---|---|
| Saint Bear | |
| UNC2589 | |
| UAC-0056 | |
| Lorec53 | |
| Lorec Bear | |
| Bleeding Bear |
Techniques Used
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1059 | .001 | Command and Scripting Interpreter: PowerShell |
Ember Bear has used PowerShell to download and execute malicious code.[3] |
| .003 | Command and Scripting Interpreter: Windows Command Shell |
Ember Bear had used |
||
| .007 | Command and Scripting Interpreter: JavaScript |
Ember Bear has used JavaScript to execute malicious code on a victim's machine.[3] |
||
| Enterprise | T1203 | Exploitation for Client Execution |
Ember Bear has exploited Microsoft Office vulnerability CVE-2017-11882.[3] |
|
| Enterprise | T1562 | .001 | Impair Defenses: Disable or Modify Tools |
Ember Bear has executed a batch script designed to disable Windows Defender on a compromised host.[3] |
| Enterprise | T1105 | Ingress Tool Transfer |
Ember Bear has used tools to download malicious code.[3] |
|
| Enterprise | T1112 | Modify Registry |
Ember Bear has used an open source batch script to modify Windows Defender registry keys.[3] |
|
| Enterprise | T1027 | Obfuscated Files or Information |
Ember Bear has obfuscated malware to help avoid detection.[3] |
|
| .001 | Binary Padding |
Ember Bear has added extra spaces between JavaScript code characters to increase the overall file size.[3] |
||
| .002 | Software Packing |
Ember Bear has packed malware to help avoid detection.[3] |
||
| .010 | Command Obfuscation |
Ember Bear has obfuscated malicious scripts to help avoid detection.[3] |
||
| Enterprise | T1588 | .002 | Obtain Capabilities: Tool |
Ember Bear has obtained and used open source scripts from GitHub.[3] |
| .003 | Obtain Capabilities: Code Signing Certificates |
Ember Bear has stolen legitimate certificates to sign malicious payloads.[3] |
||
| Enterprise | T1566 | .001 | Phishing: Spearphishing Attachment |
Ember Bear has sent spearphishing emails containing malicious attachments in the form of PDFs, Word documents, JavaScript files, and Control Panel File (CPL) executables.[3] |
| .002 | Phishing: Spearphishing Link |
Ember Bear has sent spearphishing emails containing malicious links.[3] |
||
| Enterprise | T1553 | .002 | Subvert Trust Controls: Code Signing |
Ember Bear has used stolen certificates from Electrum Technologies GmbH to sign payloads.[3] |
| Enterprise | T1218 | .002 | System Binary Proxy Execution: Control Panel |
Ember Bear has used control panel files (CPL), delivered via e-mail, for execution.[3] |
| Enterprise | T1204 | .001 | User Execution: Malicious Link |
Ember Bear has attempted to lure users to click on a malicious link within a spearphishing email.[3] |
| .002 | User Execution: Malicious File |
Ember Bear has attempted to lure victims into executing malicious files.[3] |
||
| Enterprise | T1102 | Web Service |
Ember Bear has used Discord's content delivery network (CDN) to deliver malware and malicious scripts to a compromised host.[3] |
|