
Russian-aligned threat actors have been observed targeting financial institutions in Europe as part of social engineering attacks likely to facilitate intelligence gathering and financial theft, suggesting threat actors’ targeting may expand beyond Ukraine to organizations supporting the war-torn nation.
This activity targeted unnamed organizations involved in regional development and reconstruction efforts and is believed to be the work of a cybercriminal group tracked as UAC-0050 (also known as DaVinci Group). BlueVoyant has named the threat cluster Mercenary Akula. The attack was observed earlier this month.
“The attack spoofed a Ukrainian judicial domain and delivered an email containing a link to a remote access payload,” researchers Patrick McHale and Joshua Green said in a report shared with The Hacker News. “The target was a senior legal and policy advisor involved in procurement, a role with privileged insight into agency operations and financial mechanisms.”
The starting point is a spear-phishing email that uses a legitimate-looking theme and instructs the recipient to download an archive file hosted on PixelDrain, a file-sharing service that threat actors use to bypass reputation-based security controls.
The ZIP archive kicks off a multi-layer infection chain. Inside the ZIP is a RAR archive containing a password-protected 7-Zip file, which in turn holds an executable that uses the widely used double-extension trick (*.pdf.exe) to pose as a PDF document.
When run, the executable deploys an MSI installer for Remote Manipulator System (RMS), Russian remote desktop software that provides remote control, desktop sharing, and file transfer.
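As an added, defender-side example (not code from the BlueVoyant report), the following Python triage routine walks a downloaded archive and flags the traits of this chain: nested archive layers identified by magic bytes, password-protected entries, and a document extension sitting directly in front of an executable one. The sample archive, its file names and the stub contents are constructed for the demo; RAR and 7-Zip layers are only detected, not opened, since that requires a rar/7z-aware tool.

```python
import io
import zipfile
ARCHIVE_MAGIC = {b"PK\x03\x04": "zip", b"Rar!\x1a\x07": "rar", b"7z\xbc\xaf\x27\x1c": "7z"}  # ZIP -> RAR -> 7-Zip layers
DOC_EXTS = {"pdf", "doc", "docx", "xls", "xlsx"}
EXEC_EXTS = {"exe", "scr", "com", "pif", "msi"}

def classify_blob(name, data):
    """Return (finding, name) tuples for one extracted entry."""
    findings = []
    for magic, kind in ARCHIVE_MAGIC.items():
        if data.startswith(magic):
            findings.append((f"nested-archive:{kind}", name))
    parts = name.lower().rsplit("/", 1)[-1].split(".")
    # Document extension directly before an executable one: the *.pdf.exe lure.
    if len(parts) >= 3 and parts[-1] in EXEC_EXTS and parts[-2] in DOC_EXTS:
        findings.append(("double-extension", name))
    # PE header (MZ) under a non-executable name: a disguised binary.
    if data.startswith(b"MZ") and parts[-1] not in EXEC_EXTS:
        findings.append(("pe-with-nonexec-extension", name))
    return findings

def walk_zip(data, prefix="", depth=0, max_depth=5):
    """Recursively inspect ZIP layers; RAR/7z layers are reported, not opened."""
    if depth > max_depth:
        return [("max-depth-exceeded", prefix)]
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            full = prefix + info.filename
            if info.flag_bits & 0x1:  # password-protected entry, cannot be read
                findings.append(("encrypted-entry", full))
                continue
            blob = zf.read(info.filename)
            findings.extend(classify_blob(full, blob))
            if blob.startswith(b"PK\x03\x04"):
                findings.extend(walk_zip(blob, full + "/", depth + 1, max_depth))
    return findings

def build_sample():
    """Constructed lure: outer ZIP with a RAR-signature stub and an inner ZIP carrying a fake PE."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("court_decree.pdf.exe", b"MZ" + b"\x00" * 62)  # fake MZ header, hypothetical name
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("documents.zip", inner.getvalue())
        z.writestr("documents.rar", b"Rar!\x1a\x07\x01\x00")  # RAR5 signature stub
    return outer.getvalue()
```

Running `walk_zip(build_sample())` reports the nested ZIP and RAR layers and the double-extension executable; a mail gateway or sandbox would feed real downloads through the same walk.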
“The use of such ‘extraterrestrial’ tools allows attackers to gain persistent and stealth access, while often evading traditional antivirus detection,” the researchers note.
The use of RMS is consistent with previous UAC-0050 modus operandi, where the attacker is known to drop legitimate remote access software such as LiteManager and remote access Trojans such as RemcosRAT in attacks targeting Ukraine.
The Computer Emergency Response Team of Ukraine (CERT-UA) characterizes UAC-0050 as a mercenary group associated with Russian law enforcement agencies that conducts data collection, financial theft, intelligence and psychological operations under the Fire Cells brand.
“This attack reflects Mercenary Akula’s established and repetitive attack profile, while also making notable developments,” BlueVoyant said. “Firstly, their targets were primarily focused on organizations based in Ukraine, particularly accountants and financial personnel. However, this case does hint at possible investigations into Western European support agencies for Ukraine.”
The disclosures come as Ukraine reveals that Russian cyberattacks targeting the country’s energy infrastructure are increasingly focused on gathering intelligence to guide missile strikes, rather than immediately disrupting operations, The Record reported.
Cybersecurity firm CrowdStrike said in its annual Global Threat Report that it expects Russian-aligned adversaries to continue aggressive operations aimed at gathering intelligence from targets in Ukraine and NATO allies.
This includes efforts by APT29 (also known as Cozy Bear and Midnight Blizzard) to “systematically” abuse trust, organizational credibility, and platform legitimacy to gain unauthorized access to victims’ Microsoft accounts as part of a spear-phishing campaign targeting U.S.-based nongovernmental organizations (NGOs) and U.S.-based corporations.
“Cozy Bear was able to successfully compromise and impersonate individuals with whom the targeted users maintained a trusted professional relationship,” CrowdStrike said. “Individuals impersonated included employees of international NGO branches and pro-Ukrainian organizations.”
“The attackers have invested heavily in demonstrating these impersonations using the legitimate email accounts of compromised individuals, alongside burner communication channels to enhance credibility.”
