Cybersecurity Threats from Ukraine & Russia Increasing

We analyzed malware activity from IP addresses in Ukraine and Russia since February and found the biggest spikes related to malware that helps botnets to spread. Resurgent malware included trojans that previously played a key role in propagating notorious botnets long since dismantled by major international law enforcement operations.
Rising Risk of Botnets As Malware Increases in Ukraine & Russia
Simon Migliano

Additional research by Agata Michalak, data analyst at Top10VPN.com

  • Trojan malware with bigger increases in activity from Ukraine and Russia IP addresses than from the rest of the world since February 2022 included:
    • Citadel Trojan: activity from Ukraine IPs up 3,440% in July, almost double the global trend.
    • CoreBOT Trojan: activity from Ukraine IPs increased 126% in July, a 70% bigger rise than from the rest of the world.
    • Wauchos Trojan: activity from Russian IPs increased 27% in July, at a time when it was decreasing slightly worldwide.
    • Nivdort Trojan: activity from Ukraine IPs jumped 325% in September, almost 10 times the global increase.
  • Avalanche malware families using Russian and Ukraine IP addresses on the rise despite shutdown of Avalanche crime syndicate, with individual daily surges of as much as 1,500% compared to before February:
    • Avalanche-Matsnu malware downloader: activity from Ukraine IPs was up by 50% or more in April, June and October. Activity from Russian IPs more than doubled in September.
    • Avalanche-Ranbyus banking trojan: activity from Ukraine IPs doubled in May and rose by 40% from Russian IPs in September.
    • Avalanche-Nymaim malware downloader: activity from Ukraine IPs surged by 82% in April.
  • Biggest surge in cyber attacks: Distributed-denial-of-service (DDOS) attacks originating from Ukraine increased 363% in March on average compared to the average prior to February.

Botnet Malware On The Rise

Before a single Russian boot had even set foot on Ukraine soil, the imminent invasion was preempted by Russian cyber attacks on military, financial and government targets in Ukraine on February 15-16.[1]

These distributed denial-of-service (DDOS) attacks became relentless once Russia’s military invaded Ukraine on February 24, as the Kremlin sought to weaken its enemy by knocking offline critical networked infrastructure.

These waves of Russian DDOS attacks however are only one facet of how the cyber threat landscape in both Ukraine and Russia has changed since then.

Our analysis of data collected from sinkholes and honeypots operated by The Shadowserver Foundation, an internet security NGO, shows there have been major surges in activity from a number of notorious malware families from IP addresses in Ukraine and Russia compared to the period prior to 24th February 2022 that run counter to trends in the rest of the world.

Of particular concern is increased activity from Ukraine IP addresses by several strains of malware that enable the spread of botnets.

We also discovered that despite the dismantling of major botnets Avalanche and Andromeda/Gamarue several years ago, some of the key malware families that were hosted on the now-defunct networks have been particularly resurgent in Ukraine and Russia in recent months.

While this is not to suggest that these networks have somehow been resurrected, it’s concerning to observe increases to the threat posed by this malware localized to countries directly involved in a major conflict.

Some of the biggest sustained increases in malware activity from Ukraine since the war began have related to trojans, several of which can be used to create botnets. This suggests that bad actors may have been targeting Ukraine, where cybersecurity has naturally been a lower priority for much of the population, in order to expand their botnets.

This theory is lent further weight by our discovery of a massive localized surge in activity from Ukraine IPs by a notorious worm that forms a botnet as it spreads.

Not only does this have repercussions for Ukrainians with infected zombie devices but also for the rest of the world, due to the increased threat posed by botnet expansion.

FURTHER READING: We are monitoring the destruction of internet infrastructure as part of our Ukraine digital rights violations tracker.

While the biggest relative increases in malware activity have come from Ukraine IP addresses, there have also been notable localized increases in trojan malware activity in Russia that outstrip global trends.

One potential reason for this trend could be efforts to target Russia by Ukraine-based hacktivists and their supporters around the world, who have also been involved in retaliatory DDOS attacks.[2][3]

As well as looking at localized increases in malware with the potential to accelerate the spread of dangerous botnets, we also analyzed botnet activity and found that DDOS attacks from Ukraine IP addresses skyrocketed by over 360% in March compared to before February.

It’s likely that at least some of these IP addresses were used to attack local targets in Ukraine and over the border in Russia, as the spike correlates with reported DDOS attacks in the region. However, most of the impact was probably felt elsewhere, on traditional targets such as the U.S.

The map below shows how, during October, application layer attacks from Ukraine IPs were heavily concentrated on the U.S. and the UK, with only a small fraction of the total directed at Ukraine and Russia.

Screengrab showing top 10 targets of application layer attacks from Ukraine during October 2022. Source: Cloudflare Radar.

Use the links below to read detailed analysis of localized increases in activity by individual malware families since February:

Unless noted otherwise, our method for calculating increases in malware activity is to compare the relevant period with the average over the 90 days prior to February 24. See our methodology for more detail on our approach.

Why did we do this research? The invasion of Ukraine is the first major conflict where there has also been impact in cyberspace. Large scale cyber attacks are carried out by huge botnets, which are largely made up of unsecured consumer devices that have been infected by malware.

By bringing attention to this cybersecurity issue and its real-world consequences that reach way beyond the owner of an infected device, we hope to improve consumer cybersecurity standards overall.

Trojan Malware

Trojan is an umbrella term for malware that’s disguised as something else, such as an email attachment or software download, and conceals itself once it has gained access to a target device. The name comes from the ancient Greek story of the Trojan horse used to sneak soldiers into the besieged city of Troy.

Trojans can be standalone malware, act as a downloader for additional malware, or open the system for future attacks.

Our analysis of Shadowserver sinkhole data reveals that there has been unusual activity among the following specific Trojans originating from Russian and Ukrainian IP addresses since February.

Citadel

Citadel malware targets credentials stored in password managers like Keepass and Password Safe through its keylogging capabilities. Originally designed to steal financial information, it is often also used to conscript infected devices to a botnet.

Citadel is based on the notorious Zeus trojan.

The chart below shows the daily increases in Citadel trojan activity compared to the baseline for Russia, Ukraine and globally.

Chart showing daily increases in Citadel trojan malware activity originating in Ukraine, Russia and the rest of the world since February 24 compared with the average over the 90 days prior

Increases in Citadel malware activity originating in Ukraine lagged significantly behind the global average in the first full months of the war. Citadel malware out of Russia, by comparison, slightly outstripped the overall trend.

That changed from May when there was a massive surge in Citadel trojan activity from Ukraine IPs, when it increased 3,181% compared to the baseline. This increase was double the global trend and almost 11 times (968%) higher than it was nationally the year before.

This outsized contribution by Ukraine IPs to the worldwide increase in Citadel trojan activity continued until September when it began to dip below the global trend, whose growth had started to accelerate once more.

Notably, Citadel activity from Russian IPs lagged behind the global average during this period, only to pick up as Ukrainian activity began to slow and the two converged.

While Citadel trojan activity out of Russia did not increase as much as it did from Ukraine compared to the 90 days prior to February 24, the year-over-year difference has been more pronounced. It has been 1,486% higher on average over the course of the war to date compared with the same period in 2021.

The following table shows the month-by-month increases in the number of unique IP addresses involved in Citadel activity originating from Ukraine, Russia and the rest of the world compared to the average over the 90 days prior to February 24.

CoreBOT

CoreBOT is a banking trojan that targets the customers of specific banks and attempts to harvest login credentials.

It is sophisticated malware that uses multiple obfuscation techniques to avoid detection and is highly adaptable. CoreBOT connects to domains registered to someone with a Russian address.[4]

The chart below shows the daily increases in CoreBOT trojan activity compared to before 24 February 2022 for Russia, Ukraine and globally.

Chart showing daily increases in CoreBOT malware activity originating in Ukraine, Russia and the rest of the world since February 24 compared with the average over the 90 days prior

CoreBOT activity from Ukraine IP addresses has followed a similar pattern to that of Conficker, albeit with a less meteoric increase, and at odds with global trends.

As with Conficker, the biggest increase in CoreBOT activity since the invasion was in September when it more than doubled (126%) compared to levels prior to February 2022.

This spike was also a 60% increase year-over-year.

Russian CoreBOT activity lagged notably behind the global average and was either close to flat or declined compared to both the 90-day baseline and year-over-year.

The following table shows the month-by-month increases in the number of unique IP addresses detected as the source of CoreBOT trojan activity in Ukraine, Russia and the rest of the world compared to the average over the 90 days prior to February 24.

Wauchos

Wauchos is a trojan that connects to remote servers to download additional malware over the internet onto the infected device, and that also stole users’ password data.

The Wauchos trojan once powered a long-running, massive botnet of the same name that was also known as Gamarue or Andromeda, which was taken down in 2017.[5]

While Wauchos is no doubt a shadow of its former self, and overall numbers worldwide remain small, it remains potentially very dangerous malware.

The chart below shows the daily increases in Wauchos trojan activity compared to before 24 February 2022 for Russia, Ukraine and globally.

Chart showing daily increases in Wauchos trojan malware activity originating in Ukraine, Russia and the rest of the world since February 24 compared with the average over the 90 days prior

Wauchos activity has largely been in decline since February, in Russia, Ukraine and globally, compared with the baseline.

However, in July there was an anomalous spike when Wauchos activity originating from Russian IPs increased by 27% on average for the month compared to the baseline and 54% year-over-year. This was driven by three unusually high days between July 22 and 24 that peaked at 606% higher than the baseline.

This followed a smaller 11% increase out of Ukraine in June. Activity has since plunged to well below baseline levels.

The following table shows the month-by-month increases in the number of unique IP addresses detected as the source of Wauchos trojan activity in Ukraine, Russia and the rest of the world compared to the average over the 90 days prior to February 24.

Nivdort

Nivdort is trojan malware that can steal stored passwords and other sensitive information, sending the stolen data to a remote server. It can also act as a keylogger and as a dropper for other malware.

This trojan mainly infects Windows machines and is spread via spam email attachments.

The chart below shows the daily increases in Nivdort trojan activity compared to before 24 February 2022 for Russia, Ukraine and globally.

Chart showing daily increases in Nivdort trojan malware activity originating in Ukraine, Russia and the rest of the world since February 24 compared with the average over the 90 days prior

Increases in Nivdort trojan activity originating from Ukraine or Russian IP addresses have been significantly greater than the global average for almost the entire period since February 24.

Nivdort activity out of Russia peaked in May at 187% higher than before February and 934% higher year-over-year.

Activity originating from Ukraine IPs had been on average 28% higher than the baseline until September when it shot up by 325% compared to the average prior to February. It was also up 258% year-over-year.

This was the same month that saw large spikes in CoreBOT and Conficker activity.

The following table shows the month-by-month increases in the number of unique IP addresses detected as the source of Nivdort trojan activity in Ukraine, Russia and the rest of the world compared to the average over the 90 days prior to February 24.

Avalanche Malware

Avalanche was a group of cybercriminals operating a crimeware-as-a-service botnet of the same name, which was taken down by law enforcement in 2016. At least 17 malware families were hosted on domains controlled by the group.

These malware families persist despite the destruction of the Avalanche network, albeit with their reach much diminished, often as part of malware payloads distributed by other botnets.

We found unusually intense activity originating from IP addresses in Russia and Ukraine among three of these malware families since the end of February.

  • avalanche-nymaim
  • avalanche-matsnu
  • avalanche-ranbyus

Nymaim is a trojan downloader and a primary malware family previously hosted on Avalanche. Nymaim downloads and then runs other malware, such as banking trojans, on infected systems. It can also be expanded to capture log-in details for email and FTP.

Nymaim has been detected in PrivateLoader, one of the currently most-used malware loaders, which is believed to be operated by a prominent Russian pay-per-install malware group called ruzki.[6]

A similar trojan downloader with significant activity originating in Russia and Ukraine is Matsnu.

Ranbyus is a banking trojan that can also capture email log-in details.

The following chart shows changing activity levels originating from Ukraine IP addresses for these three Avalanche malware families (Nymaim, Matsnu and Ranbyus). It compares the monthly average number of Ukrainian source IP addresses for this malware since February 24 with the average over the 90 days prior.

Chart showing notable increases in Avalanche malware activity originating in Ukraine, Russia and the rest of the world since February 24 compared with the average over the 90 days prior

Notable increases in Avalanche malware activity originating in Ukraine since February 24 compared with the average over the 90 days prior.

While activity was significantly up in February, it actually plunged to close to baseline levels the following month (Matsnu) or even below that (Nymaim, Ranbyus).

Only once the DDOS activity in Ukraine had settled, by April, did the malware loaders Matsnu (53%) and Nymaim (82%) peak. The banking trojan Ranbyus peaked the following month at 101% above baseline levels. While malware loader activity remained elevated, Ranbyus activity out of Ukraine has since tailed off to only slightly above normal levels.

The chart below shows the daily increases in Nymaim activity compared to the average over the 90 days prior to February 24 for Russia, Ukraine and globally.

Chart showing daily increases in Avalanche-Nymaim malware activity originating in Ukraine, Russia and the rest of the world since February 24 compared with the average over the 90 days prior

The malware loader Nymaim has had the biggest individual daily spikes in activity since the end of February, specifically Nymaim malware originating from Ukraine IP addresses.

The surge of April 20 was part of a worldwide increase in Nymaim activity, but Ukraine IPs had an outsized role in it, with the 1,517% spike being almost four times the global trend.

Other large spikes in Nymaim activity in Ukraine and Russia ran counter to global trends, such as the 358% increase on February 27 from Ukraine IPs and 252% out of Russia on the same date. Nymaim activity was only up 42% globally that day, which is 28% below the global average over the whole period of the war. In comparison, the Ukraine activity was over ten times above the national average, while for Russian IPs it was over seven times the national average.

The following chart illustrates month-by-month increases in the same types of activity (Matsnu, Nymaim and Ranbyus) originating from Russian IP addresses compared to the average over the 90 days prior to February 24.

Chart showing notable increases in Avalanche-Nymaim, Matsnu and Ranbyus malware activity originating in Russia since February 24 compared with the average over the 90 days prior

Nymaim and Matsnu activity out of Russia followed a similar trend to that of Ukraine in the early months of the war, until August, when it began to climb before peaking in September, Matsnu (109%) in particular.

Ranbyus activity did not follow quite the same pattern: it increased slowly at first, slowed in June and July, and then rose in August and September in a similar if weaker way to the other Avalanche malware we looked at.

The following table shows the month-by-month increases in the number of unique IP addresses involved in Avalanche-Nymaim activity originating from Ukraine compared to the average over the 90 days prior to February 24.

The following table shows the month-by-month increases in the number of unique IP addresses involved in Avalanche-Nymaim activity originating from Russia compared to the average over the 90 days prior to February 24.

Conficker Worm

Conficker (AKA Downadup, Downup and Kido) is a worm that disables several Windows services and security features, downloads files and runs malicious code. First appearing in 2008, Conficker has been described as among the most successful malware of all time due to its longevity.[7]

Conficker propagates from one machine to another via brute force attacks, forming a botnet as it spreads. It is thought to have been the work of Ukrainian cybercriminals.[8]

The chart below shows the daily increases in activity by the Conficker worm since February 24 compared to the average over the 90 days prior for Russia, Ukraine and globally.

Chart showing daily increases in Conficker worm malware activity originating in Ukraine, Russia and the rest of the world since February 24 compared with the average over the 90 days prior

Chart showing daily increases in Conficker worm malware activity originating in Ukraine, Russia and the rest of the world since the start of the war compared with pre-invasion levels.

Conficker worm activity from Ukraine IPs surged massively in September, increasing by 954% compared with baseline levels. This was almost four times the increase seen from the rest of the world that month.

It also stands out in comparison to the rest of the period, when the national average in Ukraine was either similar to or less pronounced than the global trend.

The September spike was also a more than four-fold (329%) year-over-year increase.

The following table shows the month-by-month increases in the number of unique IP addresses detected as the source of Conficker worm activity in Ukraine, Russia and the rest of the world compared to the average over the 90 days prior to February 24.

DDOS

DDOS attacks prevent access to critical internet services, such as government systems, banking and retail, by flooding them with massively more traffic than they can handle, often forcing them to crash and go offline.

Hackers remotely control large clusters of networked devices that have been infected with malware, known as botnets, to launch these attacks. The emergence of DDOS-for-hire has made it easier than ever to skip the step of building your own botnet to launch overwhelming DDOS attacks.[9]

This graph shows how the volume of DDOS attacks originating from Russia and Ukraine has changed month by month since the end of February.

Chart comparing changes to number of unique IP addresses involved in DDOS cyber attacks originating from Ukraine and Russia, by month, with the 90-day average prior to February

DDOS attacks out of Ukraine ramped up significantly in March, when the average number of Ukrainian IP addresses involved in this kind of attack increased by 363% compared to the 90 days prior to February 24. The single most intense day was on March 31 when DDOS activity originating from Ukraine was 1,909% higher than the baseline.

DDOS attacks originating from Russian IP addresses actually peaked early the following month on April 10 at 1,003% higher than the baseline. For context, there were almost three times as many Russian IP addresses involved in DDOS attacks that day as during the heaviest barrage from Ukraine IPs 11 days previously.

After that overwhelming single-day surge, DDOS attacks originating from Russia were almost all significantly below baseline levels, greatly reducing the average for April.

Chart comparing daily changes in number of unique IP addresses involved in DDOS cyber attacks originating from Ukraine and Russia with the 90-day average prior to the end of February

Notably, attacks originating from both countries have followed a very similar pattern since then. DDOS attacks in April and May were still larger in scope than they were before the end of February, but pale in comparison to the March peak, before fading away almost completely.

The following table shows the month-by-month increases in the number of unique IP addresses from each country involved in DDOS attacks compared to the average over the 90 days prior to February 24.

Methodology

We sourced data for this research from The Shadowserver Foundation from February to October 2022.

To conduct our analysis, we calculated the average number of unique IP addresses involved in each type of cyber attack over 90 days prior to February 24 in order to set a baseline. All percentage changes are calculated as the difference from the relevant baseline figure.
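The baseline calculation described here (and summarized earlier in the note on method) can be reproduced from per-day sinkhole counts. The following is an added example, not the authors' or Shadowserver's code. It assumes one row per day, country and malware family giving the number of unique source IP addresses seen that day; the field names, the country codes and the sample rows are constructed for the illustration, and it goes one step beyond the text by computing both the daily and the monthly-average percentage changes from the same baseline.

```python
"""Baseline and percentage-change calculation for daily sinkhole counts.

Added example (not Top10VPN's or Shadowserver's code). Input rows are
assumed to look like {"day": date, "country": "UA", "family": "conficker",
"unique_ips": 123}; these names and the sample data below are constructed.
"""
from collections import defaultdict
from datetime import date, timedelta
from statistics import mean

INVASION = date(2022, 2, 24)   # first day of the "since February 24" period
BASELINE_DAYS = 90             # the article's baseline window


def baseline_window(anchor=INVASION, days=BASELINE_DAYS):
    """Return (first_day, last_day) of the `days` days strictly before `anchor`."""
    return anchor - timedelta(days=days), anchor - timedelta(days=1)


def _select(rows, country, family):
    return [r for r in rows if r["country"] == country and r["family"] == family]


def compute_baseline(rows, country, family):
    """Mean daily unique-IP count for one country/family over the baseline window."""
    first, last = baseline_window()
    counts = [r["unique_ips"] for r in _select(rows, country, family)
              if first <= r["day"] <= last]
    if not counts:
        raise ValueError(f"no baseline data for {country}/{family}")
    return mean(counts)


def pct_change(value, baseline):
    """Percentage difference from the baseline: +100 means the count doubled."""
    return (value - baseline) / baseline * 100.0


def daily_changes(rows, country, family):
    """Map each day on or after the invasion to its % change against the baseline."""
    base = compute_baseline(rows, country, family)
    return {r["day"]: pct_change(r["unique_ips"], base)
            for r in _select(rows, country, family) if r["day"] >= INVASION}


def monthly_changes(rows, country, family):
    """Average daily count per (year, month), expressed as % change from the baseline."""
    base = compute_baseline(rows, country, family)
    by_month = defaultdict(list)
    for r in _select(rows, country, family):
        if r["day"] >= INVASION:
            by_month[(r["day"].year, r["day"].month)].append(r["unique_ips"])
    return {m: pct_change(mean(v), base) for m, v in sorted(by_month.items())}


def build_sample_rows():
    """Constructed sample: 90 baseline days alternating 90/110 IPs (mean 100),
    then a few post-invasion days for one constructed country/family pair."""
    first, _ = baseline_window()
    rows = [{"day": first + timedelta(days=i), "country": "UA",
             "family": "conficker", "unique_ips": 90 if i % 2 == 0 else 110}
            for i in range(BASELINE_DAYS)]
    rows += [
        {"day": date(2022, 3, 1), "country": "UA", "family": "conficker", "unique_ips": 150},
        {"day": date(2022, 3, 2), "country": "UA", "family": "conficker", "unique_ips": 250},
        {"day": date(2022, 4, 1), "country": "UA", "family": "conficker", "unique_ips": 50},
    ]
    return rows


SAMPLE_ROWS = build_sample_rows()

if __name__ == "__main__":
    base = compute_baseline(SAMPLE_ROWS, "UA", "conficker")
    print(f"baseline (mean unique IPs/day over 90 days): {base}")
    for day, change in daily_changes(SAMPLE_ROWS, "UA", "conficker").items():
        print(f"{day}: {change:+.0f}% vs baseline")
    for (year, month), change in monthly_changes(SAMPLE_ROWS, "UA", "conficker").items():
        print(f"{year}-{month:02d}: {change:+.0f}% vs baseline (monthly average)")
```

The monthly figure averages the daily counts first and then compares that average with the baseline, which is how a single extreme day (like the 1,909% Ukraine DDOS peak on March 31) can coexist with a much smaller monthly increase; the daily series is the one to consult when the text cites individual spikes.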

The authors of all our investigations abide by the journalists’ code of conduct.

References

[1] https://www.ncsc.gov.uk/news/russia-ddos-involvement-in-ukraine

[2] https://www.wired.co.uk/article/russia-hacked-attacks

[3] https://www.itpro.co.uk/security/botnets/367744/ukraines-vigilante-it-army-deploys-ddos-bot-automate-russia-attacks

[4] https://threatpost.com/corebot-malware-steals-credentials-for-now/114475/

[5] https://www.europol.europa.eu/media-press/newsroom/news/andromeda-botnet-dismantled-in-international-cyber-operation

[6] https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/

[7] https://www.forbes.com/sites/johndunn/2020/09/14/after-12-years-malwares-puzzling-nuisance-worm-conficker-refuses-to-die/

[8] https://www.nytimes.com/2019/06/29/opinion/sunday/conficker-worm-ukraine.html

[9] https://www.wired.com/story/ddos-for-hire-fueling-new-wave-attacks/