ostap
Intelligence Profile
Ostap is a commodity JScript downloader first seen in campaigns in 2016. It has been observed being delivered in ACE archives and VBA macro-enabled Microsoft Office documents. Recent versions of Ostap query WMI to check for a blacklist of running processes:
AgentSimulator.exe
anti-virus.EXE
BehaviorDumper
BennyDB.exe
ctfmon.exe
fakepos_bin
FrzState2k
gemu-ga.exe (Possible misspelling of Qemu hypervisor’s guest agent, qemu-ga.exe)
ImmunityDebugger.exe
KMS Server Service.exe
ProcessHacker
procexp
Proxifier.exe
python
tcpdump
VBoxService
VBoxTray.exe
VmRemoteGuest
vmtoolsd
VMware2B.exe
VzService.exe
winace
Wireshark
If a blacklisted process is found, the malware terminates.
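As an added illustration, not part of the original profile, the script below runs an analysis host's process list (e.g. the output of `tasklist /FO CSV`) against the blacklist above, so a sandbox operator can see in advance which processes would make a sample exit instead of detonating. The case-insensitive substring matching rule and the sample task list are assumptions, since the profile does not state how Ostap compares names.

```python
"""Report which running processes would trip Ostap's process blacklist."""
import csv
import io

# Process names Ostap is reported to check for (copied from the profile above).
OSTAP_BLACKLIST = [
    "AgentSimulator.exe", "anti-virus.EXE", "BehaviorDumper", "BennyDB.exe",
    "ctfmon.exe", "fakepos_bin", "FrzState2k", "gemu-ga.exe",
    "ImmunityDebugger.exe", "KMS Server Service.exe", "ProcessHacker",
    "procexp", "Proxifier.exe", "python", "tcpdump", "VBoxService",
    "VBoxTray.exe", "VmRemoteGuest", "vmtoolsd", "VMware2B.exe",
    "VzService.exe", "winace", "Wireshark",
]


def parse_tasklist_csv(text):
    """Return image names from `tasklist /FO CSV` output (header row skipped)."""
    rows = csv.reader(io.StringIO(text))
    header = next(rows, None)
    if header is None or header[0] != "Image Name":
        raise ValueError("not tasklist CSV output")
    return [row[0] for row in rows if row]


def matches_blacklist(image_name):
    """Return the blacklist entry `image_name` matches, or None.

    Assumption (not stated in the profile): comparison is case-insensitive and
    extension-less entries such as 'python' or 'procexp' match as substrings."""
    name = image_name.lower()
    for entry in OSTAP_BLACKLIST:
        if entry.lower() in name:
            return entry
    return None


def find_evasion_triggers(image_names):
    """Map each image name that would trip the check to the entry it matched."""
    hits = {}
    for name in image_names:
        entry = matches_blacklist(name)
        if entry is not None:
            hits[name] = entry
    return hits


# Constructed sample resembling `tasklist /FO CSV` on an analysis VM.
SAMPLE_TASKLIST = (
    '"Image Name","PID","Session Name","Session#","Mem Usage"\n'
    '"System Idle Process","0","Services","0","8 K"\n'
    '"explorer.exe","1234","Console","1","45,000 K"\n'
    '"vmtoolsd.exe","1560","Console","1","12,000 K"\n'
    '"python3.exe","2020","Console","1","30,000 K"\n'
    '"procexp64.exe","2300","Console","1","25,000 K"\n'
    '"notepad.exe","2400","Console","1","5,000 K"\n'
)

if __name__ == "__main__":
    for image, entry in find_evasion_triggers(parse_tasklist_csv(SAMPLE_TASKLIST)).items():
        print(f"{image}: matches blacklist entry '{entry}'; Ostap would exit")
```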
Ostap has been observed delivering other malware families, including Nymaim, Backswap and TrickBot.
Threat Analysis
The threat actor behind Ostap is of undetermined national origin and conducts cyber operations whose primary motivation and activity patterns are unknown.