
UAC-0226 Deploys GIFTEDCROOK Stealer via Malicious Excel Files Targeting Ukraine

The Computer Emergency Response Team of Ukraine (CERT-UA) has revealed a new set of cyber attacks targeting Ukrainian institutions with information-stealing malware.

The activity is aimed at military formations, law enforcement agencies, and local self-government bodies, particularly those located near Ukraine's eastern border, the agency said.

The attacks involve distributing phishing emails containing a macro-enabled Microsoft Excel spreadsheet (XLSM) which, when opened, facilitates the deployment of two pieces of malware: a PowerShell script taken from the PSSW100AVB ("Powershell Scripts With 100% AV Bypass") GitHub repository that opens a reverse shell, and a previously undocumented stealer dubbed GIFTEDCROOK.

"File names and email subject lines reference relevant and sensitive issues such as demining, administrative fines, UAV production, and compensation for destroyed property," CERT-UA said.


"These spreadsheets contain malicious code which, upon opening the document and enabling macros, automatically transforms into malware and executes without the user's knowledge."

Written in C/C++, GIFTEDCROOK facilitates the theft of sensitive data from web browsers like Google Chrome, Microsoft Edge, and Mozilla Firefox, such as cookies, browsing history, and authentication data.
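A first triage step a mail-gateway or incident responder can apply to attachments like the ones described above is to check whether an Excel file actually carries VBA before anyone opens it. The script below is an added example (not CERT-UA's tooling or anything from the article): it treats the workbook as the OOXML ZIP container it is and looks for the `xl/vbaProject.bin` part and the macro-enabled content type in `[Content_Types].xml`. The sample workbooks are constructed in memory so the check runs offline.

```python
"""Triage an Excel attachment for embedded VBA macros (added example).

An .xlsx/.xlsm file is a ZIP container. Macro-enabled workbooks carry a
`xl/vbaProject.bin` part and declare the macroEnabled content type in
`[Content_Types].xml`. Neither should appear in a plain .xlsx, so a
mismatch between extension and contents is itself worth flagging.
"""
import io
import zipfile

VBA_PART = "xl/vbaProject.bin"
CONTENT_TYPES_PART = "[Content_Types].xml"
MACRO_CONTENT_TYPE = "application/vnd.ms-excel.sheet.macroEnabled.main+xml"
PLAIN_CONTENT_TYPE = (
    "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet.main+xml"
)


def triage_workbook(data: bytes, filename: str = "attachment.xlsx") -> dict:
    """Return triage findings for a workbook given as bytes."""
    findings = {
        "is_ooxml": False,
        "has_vba_part": False,
        "declares_macro_enabled": False,
        "extension_mismatch": False,
        "verdict": "unknown",
    }
    if not zipfile.is_zipfile(io.BytesIO(data)):
        findings["verdict"] = "not-ooxml"  # legacy .xls or something else entirely
        return findings
    findings["is_ooxml"] = True
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        findings["has_vba_part"] = VBA_PART in names
        if CONTENT_TYPES_PART in names:
            content_types = zf.read(CONTENT_TYPES_PART).decode("utf-8", "replace")
            findings["declares_macro_enabled"] = MACRO_CONTENT_TYPE in content_types

    has_macros = findings["has_vba_part"] or findings["declares_macro_enabled"]
    # An .xlsx that carries VBA is inconsistent with what the extension promises.
    findings["extension_mismatch"] = has_macros and not filename.lower().endswith(".xlsm")
    findings["verdict"] = "macro-enabled" if has_macros else "no-macros"
    return findings


def build_sample_workbook(with_macros: bool) -> bytes:
    """Construct a minimal workbook container for demonstration (not a real document)."""
    buf = io.BytesIO()
    content_type = MACRO_CONTENT_TYPE if with_macros else PLAIN_CONTENT_TYPE
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(
            CONTENT_TYPES_PART,
            '<Types><Override PartName="/xl/workbook.xml" '
            f'ContentType="{content_type}"/></Types>',
        )
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_macros:
            # Constructed stand-in for the OLE stream that holds VBA modules.
            zf.writestr(VBA_PART, b"\xd0\xcf\x11\xe0constructed-placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for macros, name in ((True, "demining_report.xlsm"), (False, "fines.xlsx")):
        print(name, triage_workbook(build_sample_workbook(macros), name))
```

The verdict only says whether VBA is present, which is the point for a gateway rule: a macro-enabled attachment from an external sender on a "demining" or "administrative fines" subject line is the combination worth quarantining for analyst review, regardless of what the macro does.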


The email messages are sent from compromised accounts, often via the web interface of email clients, to lend the messages a veneer of legitimacy and trick potential victims into opening the documents. CERT-UA has attributed the activity to a threat cluster tracked as UAC-0226, although it has not been linked to a specific country.

Malicious Excel Files Targeting Ukraine

The development comes as a suspected Russia-nexus espionage actor dubbed UNC5837 has been linked to a phishing campaign targeting European government and military organizations in October 2024.

"The campaign employed signed .RDP file attachments to establish Remote Desktop Protocol (RDP) connections from victims' machines," the Google Threat Intelligence Group (GTIG) said.

"Unlike typical RDP attacks focused on interactive sessions, this campaign creatively leveraged resource redirection (mapping victim file systems to the attacker servers) and RemoteApps (presenting attacker-controlled applications to victims)."

It's worth noting that the RDP campaign was previously documented by CERT-UA, Amazon Web Services, and Microsoft in October 2024 and subsequently by Trend Micro in December. CERT-UA is tracking the activity under the name UAC-0215, while the others have attributed it to the Russian state-sponsored hacking group APT29.


The attack is also notable for the likely use of an open-source tool called PyRDP to automate malicious activities such as file exfiltration and clipboard capture, including potentially sensitive data like passwords.

"The campaign likely enabled attackers to read victim drives, steal files, capture clipboard data (including passwords), and obtain victim environment variables," the GTIG said in a Monday report. "UNC5837's primary objective appears to be espionage and file stealing."

In recent months, phishing campaigns have also been observed using fake CAPTCHAs and Cloudflare Turnstile to distribute Legion Loader (aka Satacom), which then serves as a conduit to drop a malicious Chromium-based browser extension named "Save to Google Drive."
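The resource redirection and RemoteApp behaviour GTIG describes is not hidden: it is spelled out as plain `key:type:value` settings inside the `.rdp` attachment itself, which makes such files easy to inspect at the gateway or on the endpoint. The inspector below is an added example, not GTIG's, CERT-UA's or the article's code. It parses an `.rdp` file, reports the settings that map victim drives and clipboard to the remote host or switch the session into RemoteApp mode, notes whether the file carries a signature, and rates the file against an allowlist of RDP hosts that the caller supplies (the allowlist and the sample file are constructed for the demonstration).

```python
"""Inspect an .rdp attachment for drive/clipboard redirection and RemoteApp mode.

Added example. The setting names below (`full address`, `drivestoredirect`,
`redirectclipboard`, `remoteapplicationmode`, `remoteapplicationprogram`,
`signscope`, `signature`) are the standard Remote Desktop Client settings;
the allowlist and the sample file are constructed for this demonstration.
"""


def parse_rdp(text: str) -> dict:
    """Return {setting_name: (type, value)} from .rdp `key:type:value` lines."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        parts = line.split(":", 2)  # the value may itself contain ':' (e.g. host:port)
        if len(parts) != 3:
            continue
        key, typ, value = parts
        settings[key.strip().lower()] = (typ.strip(), value.strip())
    return settings


def _value(settings: dict, key: str, default: str = "") -> str:
    return settings.get(key, ("", default))[1]


def assess_rdp(text: str, allowed_hosts: set) -> dict:
    """Flag the settings the campaign relied on and rate the file."""
    s = parse_rdp(text)
    full_address = _value(s, "full address")
    host = full_address.rsplit(":", 1)[0] if ":" in full_address else full_address

    flags = []
    if _value(s, "drivestoredirect"):
        flags.append("drive-redirection")        # victim drives exposed to remote host
    if _value(s, "redirectclipboard", "0") == "1":
        flags.append("clipboard-redirection")    # clipboard contents readable remotely
    if _value(s, "remoteapplicationmode", "0") == "1":
        flags.append("remoteapp-mode")           # remote app presented as if local
    if _value(s, "redirectsmartcards", "0") == "1":
        flags.append("smartcard-redirection")

    signed = "signature" in s
    signed_scope = [x.strip().lower() for x in _value(s, "signscope").split(",") if x.strip()]
    # A signature only protects the settings listed in signscope; flag the rest as unsigned.
    unsigned_risky = [f for f in flags if f == "drive-redirection" and "drivestoredirect" not in signed_scope]

    known_host = host.lower() in {h.lower() for h in allowed_hosts}
    if flags and not known_host:
        risk = "high"
    elif flags:
        risk = "medium"
    else:
        risk = "low"
    return {
        "host": host,
        "remote_app": _value(s, "remoteapplicationprogram"),
        "flags": flags,
        "signed": signed,
        "unsigned_risky": unsigned_risky,
        "known_host": known_host,
        "risk": risk,
    }


# Constructed sample resembling the attachment shape described in the report.
SAMPLE_RDP = """\
screen mode id:i:2
full address:s:remote.example.invalid:3389
remoteapplicationmode:i:1
remoteapplicationprogram:s:||DocumentViewer
drivestoredirect:s:*
redirectclipboard:i:1
signscope:s:Full Address,RemoteApplicationMode
signature:s:CONSTRUCTED-PLACEHOLDER-SIGNATURE
"""

if __name__ == "__main__":
    print(assess_rdp(SAMPLE_RDP, allowed_hosts={"rds.corp.example"}))
```

Two practical notes: a valid signature proves only that the listed settings came from whoever holds the signing certificate, not that the remote host is one your organisation trusts, so the allowlist comparison is the decisive check; and an inbound `.rdp` attachment with `drivestoredirect:s:*` from outside the organisation has no legitimate business use in most environments, which makes it a reasonable mail-filter block by itself.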


"The initial payload is spread via a drive-by download infection that starts when a victim searches for a specific document and is lured to a malicious website," Netskope Threat Labs said. "The downloaded document contains a CAPTCHA that, once clicked by the victim, will redirect it to a Cloudflare Turnstile CAPTCHA and then eventually to a notification page."


The page prompts users to allow notifications on the site, after which the victims are redirected to a second Cloudflare Turnstile CAPTCHA that, upon completion, redirects again to a page that provides ClickFix-style instructions to download the document they're looking for.

In reality, the attack paves the way for the delivery and execution of an MSI installer file that's responsible for launching Legion Loader, which, in turn, performs a series of steps to download and run interim PowerShell scripts, ultimately adding the rogue browser extension to the browser.

The PowerShell script also terminates the browser session for the extension to be enabled, activates developer mode in the settings, and relaunches the browser. The end goal is to capture a wide range of sensitive information and exfiltrate it to the attackers.
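Because the final step of this chain is an extension side-loaded with developer mode switched on, the browser's own preference store records the two artifacts a responder can look for: developer mode enabled, and an installed extension that did not come from the Web Store. The checker below is an added example and not Netskope's or the article's code. It reads the JSON that Chromium writes to its `Preferences` / `Secure Preferences` file and reports such extensions. The key names (`extensions.ui.developer_mode`, `extensions.settings.<id>.from_webstore`, `.location`, `.path`, `.manifest.name`) and the location codes are used here as an assumption about current Chromium builds; verify them against a known-good profile before relying on the output, and note that the preference JSON is constructed for the demonstration.

```python
"""Find side-loaded extensions and developer mode in a Chromium preference file.

Added example. Assumptions: Chromium stores per-extension records under
`extensions.settings` keyed by extension id, each with `from_webstore`,
`location`, `path` and a `manifest`; developer mode is recorded at
`extensions.ui.developer_mode`. The numeric location codes below follow
Chromium's ManifestLocation enum as understood at the time of writing.
"""
import json

LOCATION_UNPACKED = 4    # loaded via "Load unpacked" or --load-extension
LOCATION_COMPONENT = 5   # built-in browser components; always non-webstore, so skipped
LOCATION_POLICY = 9      # installed by enterprise policy; treated as expected


def suspicious_extensions(prefs_json: str) -> dict:
    """Return developer-mode state and extensions that were not Web Store installs."""
    prefs = json.loads(prefs_json)
    ext = prefs.get("extensions", {})
    developer_mode = bool(ext.get("ui", {}).get("developer_mode", False))

    hits = []
    for ext_id, entry in ext.get("settings", {}).items():
        location = entry.get("location")
        if location in (LOCATION_COMPONENT, LOCATION_POLICY):
            continue  # expected non-webstore sources; cut the noise
        reasons = []
        if not entry.get("from_webstore", False):
            reasons.append("not-from-webstore")
        if location == LOCATION_UNPACKED:
            reasons.append("loaded-unpacked")
        if reasons:
            hits.append({
                "id": ext_id,
                "name": entry.get("manifest", {}).get("name", "<unknown>"),
                "path": entry.get("path", ""),
                "reasons": reasons,
            })
    return {"developer_mode": developer_mode, "hits": hits}


# Constructed preference fragment: one Web Store extension and one unpacked one
# carrying the name used by the extension the article describes.
SAMPLE_PREFS = json.dumps({
    "extensions": {
        "ui": {"developer_mode": True},
        "settings": {
            "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {
                "from_webstore": True,
                "location": 1,
                "path": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\\1.0_0",
                "manifest": {"name": "Legitimate Store Extension"},
            },
            "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {
                "from_webstore": False,
                "location": LOCATION_UNPACKED,
                "path": "C:\\Users\\Public\\ext\\constructed-path",
                "manifest": {"name": "Save to Google Drive"},
            },
            "cccccccccccccccccccccccccccccccc": {
                "from_webstore": False,
                "location": LOCATION_COMPONENT,
                "manifest": {"name": "Built-in Component"},
            },
        },
    }
})

if __name__ == "__main__":
    print(json.dumps(suspicious_extensions(SAMPLE_PREFS), indent=2))
```

On a managed fleet the same two conditions translate directly into policy: `DeveloperToolsAvailability` and an extension install allowlist remove the path the loader uses, and the checker then becomes a compliance test rather than a hunt.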
