GrimPlant

GrimPlant is a Go-based backdoor component of the Elephant malware framework. Public reporting cited here states Elephant was delivered via targeted spear-phishing using spoofed Ukrainian government email addresses and was attributed by CERT-UA to UAC-0056, also tracked as TA471, SaintBear, and UNC2589. CERT-UA reported GrimPlant together with the GraphSteel stealer in March 2022.

Within the Elephant framework, GrimPlant is the implant/backdoor component, while other components include a dropper, a downloader, and the GraphSteel credential/file stealer. GrimPlant allows operators to execute arbitrary PowerShell scripts on an infected Windows machine. In observed delivery chains, phishing lures included links impersonating Ukrainian state bodies and macro-enabled XLS attachments themed around wage arrears. One chain downloaded additional payloads from Discord and saved them as "oracle-java.exe" (GrimPlant) and "microsoft-cortana.exe" (GraphSteel). Another chain used an XLS attachment that created "Base-Update.exe" to download and execute GraphSteel and GrimPlant.

Technically, GrimPlant receives its C2 address via a "-addr" command-line flag, with the address AES-CBC encrypted using a null IV and an embedded key. It hardcodes C2 port 80 and communicates over gRPC with TLS. It embeds a root certificate to validate the C2 server certificate and support certificate rotation without redeploying the malware. GrimPlant authenticates to the C2 server using the password "sdrunlygvhwbcaeiuklgunvre," sends heartbeats every 10 seconds, and polls for commands every 3 seconds.

Related campaign details in the same reporting include Elephant downloader persistence via the Windows Run key Software\Microsoft\Windows\CurrentVersion\Run using the value name "Java-3DK," downloader retrieval from hxxp://194.31.98.124:443/i saved as %HOME%/.java-sdk/java-sdk.exe, and anti-emulation behavior such as sleeping and allocating 200 MB of garbage data. Infrastructure analysis tied the broader Elephant activity to servers observed since at least December 2021, including hosting at Zservers, PQ Hosting, and Serverion, with French-themed certificate metadata and the domain forkscenter[.]fr. Additional campaign indicators mentioned include spoofed sender domain mdfi.gov.ua, sender IP 87.249.139.161, phishing subject "Заборгованість по зарплаті," and dropped filenames "oracle-java.exe," "microsoft-cortana.exe," and "Base-Update.exe."