The Ukrainian entities are being targeted as part of a phishing campaign designed to distribute remote access trojans called Remcos Rat.
“The filename uses Russian as the lure, which is related to the movement of the Ukrainian military,” Cisco Talos researcher Guilherme Venere said in a report released last week. “PowerShell Downloader will contact Geofence servers located in Russia and Germany to download the second stage ZIP file, including the REMCOS backdoor.”
This activity is attributed to a Russian hacking group known as Gamaredon with moderate confidence. This is also tracked under Aqua Blizzard, Armageddon, Blue Otso, Bluealpha, Hive0051, Iron Tilden, Primitive Bear, Shuckworm, Trident URSA, UAC-0010, UNC530, and winter seasons.
Threat leaders, rated as affiliated with the Russian Federation Security Bureau (FSB), are known for targeting Ukrainian organisations on spying and data theft. It has been operational since at least 2013.
The latest campaign features the distribution of compressed Windows Shortcuts (LNK) files within a ZIP archive, which impersonates them as Microsoft Office Documents related to the ongoing Russo-Ukrainian War to open recipients. These archives are thought to be sent via phishing email.
The link to Gamaredon is attributed to the use of two machines that were used to create malicious shortcut files and previously used for similar purposes by threat actors.
The LNK file is equipped with PowerShell code responsible for downloading and running the next stage payload CMDLET Get-Command, and repeats retrieving the decoy file that is displayed to the victim.
The second stage is a separate ZIP archive, which contains malicious DLLs that are executed via a technique called DLL sideloading. A DLL is a loader that decrypts and executes the final REMCOS payload from encrypted files that reside in an archive.
This disclosure comes as Silent Push has detailed its phishing campaign and has come to use website lures to collect information about Russian individuals sympathetic to Ukraine. This activity is considered to be the work of either the Russian Intelligence Agency or the threat actor alongside Russia.
The campaign consists of four major phishing clusters, consisting of the US Central Intelligence Agency (CIA), Russian volunteer squadrons, Legion Liberty, and Hochujit, “I Want to Live.”
We found that the phishing page is hosted on bulletproof hosting provider Nybula LLC, as threat actors rely on Google Forms and email responses to collect personal information from victims.
“All campaigns […] What was observed has similar properties and shares a common purpose. Silent Push said that he will collect personal information from victims visiting the site.
Source link
