
G1003 Ember Bear

Ember Bear is a suspected Russian state-sponsored cyber espionage group that has been active since at least March 2021. Ember Bear has primarily focused their operations against Ukraine and Georgia, but has also targeted Western European and North American foreign ministries, pharmaceutical companies, and financial sector organizations. Security researchers assess Ember Bear likely conducted the WhisperGate destructive wiper attacks against Ukraine in early 2022. [1][2][3]

ID: G1003
Associated Names: Saint Bear, UNC2589, UAC-0056, Lorec53, Lorec Bear, Bleeding Bear
Version: 1.1
Created: 09 June 2022
Last Modified: 22 March 2023

Associated Group Descriptions

Name (reference)
Saint Bear [1]
UNC2589 [2]
UAC-0056 [1]
Lorec53 [1]
Lorec Bear [1]
Bleeding Bear [1]

Techniques Used

Domain: Enterprise. Parent techniques are listed first, with the sub-techniques Ember Bear has used indented beneath them.

T1059 Command and Scripting Interpreter
  T1059.001 PowerShell: Ember Bear has used PowerShell to download and execute malicious code. [3]
  T1059.003 Windows Command Shell: Ember Bear has used cmd.exe and Windows Script Host (wscript) to execute malicious code. [3]
  T1059.007 JavaScript: Ember Bear has used JavaScript to execute malicious code on a victim's machine. [3]
T1203 Exploitation for Client Execution: Ember Bear has exploited Microsoft Office vulnerability CVE-2017-11882. [3]
T1562 Impair Defenses
  T1562.001 Disable or Modify Tools: Ember Bear has executed a batch script designed to disable Windows Defender on a compromised host. [3]
T1105 Ingress Tool Transfer: Ember Bear has used tools to download malicious code. [3]
T1112 Modify Registry: Ember Bear has used an open source batch script to modify Windows Defender registry keys. [3]
T1027 Obfuscated Files or Information: Ember Bear has obfuscated malware to help avoid detection. [3]
  T1027.001 Binary Padding: Ember Bear has added extra spaces between JavaScript code characters to increase the overall file size. [3]
  T1027.002 Software Packing: Ember Bear has packed malware to help avoid detection. [3]
  T1027.010 Command Obfuscation: Ember Bear has obfuscated malicious scripts to help avoid detection. [3]
T1588 Obtain Capabilities
  T1588.002 Tool: Ember Bear has obtained and used open source scripts from GitHub. [3]
  T1588.003 Code Signing Certificates: Ember Bear has stolen legitimate certificates to sign malicious payloads. [3]
T1566 Phishing
  T1566.001 Spearphishing Attachment: Ember Bear has sent spearphishing emails containing malicious attachments in the form of PDFs, Word documents, JavaScript files, and Control Panel File (CPL) executables. [3]
  T1566.002 Spearphishing Link: Ember Bear has sent spearphishing emails containing malicious links. [3]
T1553 Subvert Trust Controls
  T1553.002 Code Signing: Ember Bear has used stolen certificates from Electrum Technologies GmbH to sign payloads. [3]
T1218 System Binary Proxy Execution
  T1218.002 Control Panel: Ember Bear has used control panel files (CPL), delivered via e-mail, for execution. [3]
T1204 User Execution
  T1204.001 Malicious Link: Ember Bear has attempted to lure users to click on a malicious link within a spearphishing email. [3]
  T1204.002 Malicious File: Ember Bear has attempted to lure victims into executing malicious files. [3]
T1102 Web Service: Ember Bear has used Discord's content delivery network (CDN) to deliver malware and malicious scripts to a compromised host. [3]

Software

Each entry gives the software ID, name and reference, followed by the techniques it uses (sub-technique: parent technique where applicable).

S1017 OutSteel [3]
Techniques: Web Protocols: Application Layer Protocol; Automated Collection; Automated Exfiltration; Windows Command Shell: Command and Scripting Interpreter; Data from Local System; Exfiltration Over C2 Channel; File and Directory Discovery; File Deletion: Indicator Removal; Ingress Tool Transfer; Spearphishing Attachment: Phishing; Spearphishing Link: Phishing; Process Discovery; Malicious Link: User Execution; Malicious File: User Execution

S1018 Saint Bot [3]
Techniques: Bypass User Account Control: Abuse Elevation Control Mechanism; Web Protocols: Application Layer Protocol; Registry Run Keys / Startup Folder: Boot or Logon Autostart Execution; PowerShell: Command and Scripting Interpreter; Visual Basic: Command and Scripting Interpreter; Windows Command Shell: Command and Scripting Interpreter; Standard Encoding: Data Encoding; Data from Local System; Debugger Evasion; Deobfuscate/Decode Files or Information; File and Directory Discovery; File Deletion: Indicator Removal; Ingress Tool Transfer; Match Legitimate Name or Location: Masquerading; Masquerading; Native API; Software Packing: Obfuscated Files or Information; Obfuscated Files or Information; Spearphishing Link: Phishing; Spearphishing Attachment: Phishing; Process Discovery; Process Hollowing: Process Injection; Dynamic-link Library Injection: Process Injection; Asynchronous Procedure Call: Process Injection; Query Registry; Scheduled Task: Scheduled Task/Job; InstallUtil: System Binary Proxy Execution; Regsvr32: System Binary Proxy Execution; System Information Discovery; System Location Discovery; System Network Configuration Discovery; System Owner/User Discovery; Malicious File: User Execution; Malicious Link: User Execution; Time Based Evasion: Virtualization/Sandbox Evasion; System Checks: Virtualization/Sandbox Evasion

S0689 WhisperGate [1][2]
Techniques: Create Process with Token: Access Token Manipulation; Web Protocols: Application Layer Protocol; Windows Command Shell: Command and Scripting Interpreter; Visual Basic: Command and Scripting Interpreter; PowerShell: Command and Scripting Interpreter; Data Destruction; Deobfuscate/Decode Files or Information; Disk Structure Wipe: Disk Wipe; Disk Content Wipe: Disk Wipe; File and Directory Discovery; Disable or Modify Tools: Impair Defenses; File Deletion: Indicator Removal; Ingress Tool Transfer; Masquerading; Native API; Network Share Discovery; Obfuscated Files or Information; Bootkit: Pre-OS Boot; Process Hollowing: Process Injection; Reflective Code Loading; Security Software Discovery: Software Discovery; InstallUtil: System Binary Proxy Execution; System Information Discovery; Service Execution: System Services; System Shutdown/Reboot; System Checks: Virtualization/Sandbox Evasion; Time Based Evasion: Virtualization/Sandbox Evasion; Web Service

References