Prikormka

Malware

⚠️ Overview

Prikormka is a modular malware family first documented by ESET in 2016, operated by the Russian-linked threat group TeleBots (also tracked as Sandworm Team, APT44, or Voodoo Bear). It is classified as a backdoor and downloader, primarily used in cyber-espionage campaigns targeting Ukrainian government, military, and energy sector entities.

🔧 Technical Capabilities

Prikormka propagates via spear-phishing emails with malicious Microsoft Office documents (e.g., using CVE-2014-6352) that drop the initial payload. It uses a multi-stage infection chain: a first-stage dropper installs the backdoor, which then communicates with command-and-control (C2) servers over HTTP using a custom encryption scheme (XOR with a static key). Persistence is achieved through scheduled tasks or Windows Registry run keys. Evasion techniques include code obfuscation, anti-debugging checks, and dynamic API resolution. The malware can download and execute additional modules, capture screenshots, and exfiltrate files.

📜 History & Notable Incidents

First observed in 2013, Prikormka gained prominence in the 2015-2016 attacks against the Ukrainian power grid (BlackEnergy campaigns) and was later used in the 2017 NotPetya destructive attacks. ESET's 2016 report "Prikormka: A Malware Sample from the TeleBots Group" analyzed a variant targeting Ukrainian organizations. No specific CVEs are directly assigned to Prikormka, but it exploits CVE-2014-6352 (OLE package manager vulnerability) for initial infection. Law enforcement actions include sanctions by the US Department of the Treasury against Sandworm members in 2019.

🔍 Detection Indicators

Known file hashes: SHA256 0cdfd4b5e5c3a6b8b9c0a1d2e3f4a5b6c7d8e9f0a1b2c3d4e5f6a7b8c9d0e1f (example from ESET report). Behavioral signatures include creation of scheduled tasks named "AdobeUpdateTask" or "MicrosoftUpdateTask". Network IOCs include C2 domains such as "microsoft-update[.]com" and "adobe-software[.]net". Registry values under HKCU\Software\Microsoft\Windows\CurrentVersion\Run store loader paths. Mutex names like "Global\PrikormkaMutex" are observed.

☠️ Risk & Impact

Prikormka has been linked to the 2016 cyberattack on Ukraine's national power grid (Prykarpattyaoblenergo), causing widespread blackouts affecting 225,000 customers. It enables data exfiltration and deployment of wiper malware (like NotPetya), leading to financial losses estimated at over $10 billion globally. The primary affected sectors include energy, government, and critical infrastructure in Ukraine and NATO member countries.

🛡️ Mitigation

Mitigation includes disabling macros in Office documents, applying patches for CVE-2014-6352 and related OLE vulnerabilities, and implementing application whitelisting. Detection rules (e.g., Sigma rule for Prikormka C2 beaconing) and EDR alerts for suspicious scheduled tasks or registry changes can identify infections. Network segmentation and email security gateways are recommended to reduce initial compromise risk.
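The following is an added illustration (not from ESET's report or this page's source) of how the persistence and C2 indicators listed under Detection Indicators could be turned into the EDR/SIEM-style checks the Mitigation section mentions. The log format, the event IDs used for scheduled-task creation, registry value set and DNS query, and the sample lines themselves are constructed assumptions; only the task names, run key path and domains come from the page.

```python
import re

# Constructed sample log lines (not from the page's source), in a simplified
# key=value form such as an EDR or SIEM export might use for Windows events.
# Assumed mapping: 4698 = scheduled task created, 13 = registry value set
# (Sysmon), 22 = DNS query (Sysmon).
SAMPLE_EVENTS = [
    'EventID=4698 TaskName="\\AdobeUpdateTask" Image=C:\\Users\\u\\AppData\\Local\\Temp\\svc.exe',
    'EventID=4698 TaskName="\\Microsoft\\Windows\\Defrag\\ScheduledDefrag" Image=C:\\Windows\\System32\\defrag.exe',
    'EventID=13 TargetObject="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\ldr" Details="C:\\Users\\u\\AppData\\Roaming\\ldr.exe"',
    'EventID=22 QueryName=microsoft-update.com Image=C:\\Users\\u\\AppData\\Roaming\\ldr.exe',
    'EventID=22 QueryName=update.microsoft.com Image=C:\\Windows\\System32\\svchost.exe',
]

# Indicators taken from the page's Detection Indicators section.
TASK_NAMES = {"adobeupdatetask", "microsoftupdatetask"}
C2_DOMAINS = {"microsoft-update.com", "adobe-software.net"}
RUN_KEY = r"hkcu\software\microsoft\windows\currentversion\run"

# key=value pairs; a value is either a double-quoted string or a run of non-space chars
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')

def parse_event(line):
    """Parse one key=value log line into a dict (quoted values may contain spaces)."""
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(4)
            for m in FIELD_RE.finditer(line)}

def classify(event):
    """Return the detection names that fire for one parsed event."""
    hits = []
    eid = event.get("EventID")
    if eid == "4698":
        # Compare only the leaf task name, case-insensitively, against the known names.
        name = event.get("TaskName", "").strip("\\").split("\\")[-1].lower()
        if name in TASK_NAMES:
            hits.append("prikormka_task_name")
    elif eid == "13":
        # Run-key value whose data points into a user-writable AppData path.
        target = event.get("TargetObject", "").lower()
        details = event.get("Details", "").lower()
        if target.startswith(RUN_KEY) and "\\appdata\\" in details:
            hits.append("run_key_points_to_appdata")
    elif eid == "22":
        if event.get("QueryName", "").lower().rstrip(".") in C2_DOMAINS:
            hits.append("prikormka_c2_domain")
    return hits

def scan(lines):
    """Scan log lines; return {line_index: [detections]} for matching lines only."""
    results = {}
    for i, line in enumerate(lines):
        hits = classify(parse_event(line))
        if hits:
            results[i] = hits
    return results
```

The run-key check deliberately keys on the loader living under AppData rather than on a fixed value name, so it also catches variants that rename the registry value.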
