
The Ukrainian Computer Emergency Response Team (CERT-UA) has revealed that more than three cyberattacks have been recorded against the country's state administration bodies and critical infrastructure facilities with the aim of stealing sensitive data.
According to CERT-UA, the campaign uses compromised email accounts to send phishing messages containing links that point to legitimate services such as DropMeFiles and Google Drive. In some cases, the links are embedded in PDF attachments.
The digital missives attempt to induce a false sense of urgency by claiming that Ukrainian government agencies would cut their payroll, urging recipients to click on the link to view a list of affected employees.

Opening these links leads to the download of a Visual Basic Script (VBS) loader designed to fetch and run PowerShell scripts that harvest files with specific sets of extensions and capture screenshots.
The activity is attributed to a threat cluster tracked as UAC-0219 and has been ongoing since at least fall 2024. Early iterations are said to have used a combination of EXE binaries, a VBS stealer, and the legitimate image editor IrfanView to achieve their goals.
CERT-UA has given the VBS loader and PowerShell malware the moniker WRECKSTEEL. The attacks have not been attributed to any country.

The development comes as Kaspersky warned that a threat actor known as Head Mare has targeted several Russian entities with malware capable of processing instructions issued by operators via command-and-control (C2) servers, as well as downloading and running additional payloads such as MeshAgent.
Russian energy, industrial, and electronic component suppliers and developers have also been found on the receiving end of phishing attacks attributed to a threat actor codenamed Unicorn, which dropped a VBS trojan designed to siphon files and images from infected hosts.

Late last month, Seqrite Labs revealed that Russian academic, government, aerospace, and defense-related networks are being targeted with weaponized decoy documents, likely sent via phishing emails, as part of a campaign called Operation HollowQuill. The attack is believed to have started around December 2024.

The activity uses social engineering tricks to disguise malware-laced PDFs as research invitations and government communiqués that entice unsuspecting users into triggering the attack chain.
"The threat entity delivers malicious RAR files containing a .NET malware dropper, which drops further decoy PDFs along with a Golang-based shellcode loader and a legitimate OneDrive application, as well as the final Cobalt Strike payloads."