The Pc Emergency Response Crew of Ukraine (CERT-UA) has revealed a brand new set of cyber assaults concentrating on Ukrainian establishments with information-stealing malware.
The exercise is aimed toward army formations, legislation enforcement companies, and native self-government our bodies, significantly these positioned close to Ukraine’s jap border, the company stated.
The assaults contain distributing phishing emails containing a macro-enabled Microsoft Excel spreadsheet (XLSM), which, when opened, services the deployment of two items of malware, a PowerShell script taken from the PSSW100AVB (“Powershell Scripts With 100% AV Bypass”) GitHub repository that opens a reverse shell, and a beforehand undocumented stealer dubbed GIFTEDCROOK.
“File names and e-mail topic strains reference related and delicate points reminiscent of demining, administrative fines, UAV manufacturing, and compensation for destroyed property,” CERT-UA stated.
“These spreadsheets include malicious code which, upon opening the doc and enabling macros, mechanically transforms into malware and executes with out the consumer’s data.”
Written in C/C++, GIFTEDCROOK facilitates the theft of delicate information from net browsers like Google Chrome, Microsoft Edge, and Mozilla Firefox, reminiscent of cookies, looking historical past, and authentication information.
The e-mail messages are despatched from compromised accounts, typically by way of the online interface of e-mail purchasers, to lend the messages a veneer of legitimacy, and trick potential victims into opening the paperwork. CERT-UA has attributed the exercise to a menace cluster UAC-0226, though it has not been linked to a selected nation.
The event comes as a suspected Russia-nexus espionage actor dubbed UNC5837 has been linked to a phishing marketing campaign concentrating on European authorities and army organizations in October 2024.
“The marketing campaign employed signed .RDP file attachments to ascertain Distant Desktop Protocol (RDP) connections from victims’ machines,” the Google Menace Intelligence Group (GTIG) stated.
“In contrast to typical RDP assaults centered on interactive classes, this marketing campaign creatively leveraged useful resource redirection (mapping sufferer file methods to the attacker servers) and RemoteApps (presenting attacker-controlled functions to victims).”
It is price noting that the RDP marketing campaign was beforehand documented by CERT-UA, Amazon Internet Companies, and Microsoft in October 2024 and subsequently by Development Micro in December. CERT-UA is monitoring the exercise beneath the identify UAC-0215, whereas the others have attributed it to the Russian state-sponsored hacking group APT29.
The assault can also be notable for the probably use of an open-source instrument referred to as PyRDP to automate malicious actions reminiscent of file exfiltration and clipboard seize, together with probably delicate information like passwords.
“The marketing campaign probably enabled attackers to learn sufferer drives, steal recordsdata, seize clipboard information (together with passwords), and acquire sufferer atmosphere variables,” the GTIG stated in a Monday report. “UNC5837’s major goal seems to be espionage and file stealing.”
In current months, phishing campaigns have additionally been noticed utilizing pretend CAPTCHAs and Cloudflare Turnstile to distribute Legion Loader (aka Satacom), which then serves as a conduit to drop a malicious Chromium-based browser extension named “Save to Google Drive.”
“The preliminary payload is unfold by way of a drive-by obtain an infection that begins when a sufferer searches for a selected doc and is lured to a malicious web site,” Netskope Menace Labs stated. “The downloaded doc comprises a CAPTCHA that, as soon as clicked by the sufferer, will redirect it to a Cloudflare Turnstile CAPTCHA after which finally to a notification web page.”
The web page prompts customers to permit notifications on the positioning, after which the victims are redirected to a second Cloudflare Turnstile CAPTCHA that, upon completion, is redirected once more to a web page that gives ClickFix-style directions to obtain the doc they’re in search of.
In actuality, the assault paves the best way for the supply and execution of an MSI installer file that is answerable for launching Legion Loader, which, in flip, performs a sequence of steps to obtain and run interim PowerShell scripts, finally including the rogue browser extension to the browser.
The PowerShell script additionally terminates the browser session for the extension to be enabled, activates developer mode within the settings, and relaunches the browser. The top objective is to seize a variety of delicate data and exfiltrate it to the attackers.
