The Computer Emergency Response Team of Ukraine (CERT-UA) has warned of a new set of cyber attacks that it said were aimed at defense companies in the country as well as its security and defense forces.
The phishing attacks have been attributed to a Russia-linked threat actor tracked as UAC-0185 (aka UNC4221), which has been active since at least 2022.
“The phishing emails mimicked official messages from the Ukrainian League of Industrialists and Entrepreneurs,” CERT-UA said. “The emails advertised a conference held on December 5th in Kyiv, aimed at aligning the products of domestic defense industry companies with NATO standards.”
The email messages come embedded with a malicious URL that urges the recipients to click on it to view “important information” related to their participation in the conference.
In reality, however, doing so results in the download of a Windows shortcut (.lnk) file that, upon opening, is designed to execute an HTML Application (HTA), which, in turn, contains JavaScript code responsible for running PowerShell commands capable of loading next-stage payloads.
These include a decoy file and a ZIP archive that contains a batch script, another HTML Application, and an executable file. In the final step, the batch script is launched to run the HTML Application file, which then runs the MeshAgent binary on the host, granting the attackers remote control over the compromised system.
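As an added illustration (not code from the CERT-UA advisory or from the threat actor's tooling), the following Python script reconstructs process ancestry from constructed Sysmon-style process-creation events and flags process trees that follow the shortcut-to-HTA-to-PowerShell-to-batch-to-HTA-to-MeshAgent sequence described above. The GUIDs, file paths and the parent/child image pairs are assumptions made for the example, not indicators from the report.

```python
import json
import ntpath

# Parent -> child image pairs that make up the chain described in the advisory (assumed).
SUSPICIOUS_EDGES = {
    ("explorer.exe", "mshta.exe"),    # opened shortcut launches the HTML Application
    ("mshta.exe", "powershell.exe"),  # HTA's JavaScript runs PowerShell
    ("powershell.exe", "cmd.exe"),    # PowerShell launches the dropped batch script
    ("cmd.exe", "mshta.exe"),         # batch script runs the second HTA
    ("mshta.exe", "meshagent.exe"),   # HTA starts the remote-control agent
}

def parse_events(text):
    """Parse JSON-lines process-creation events (Sysmon-style field names)."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def ancestry(events):
    """Map each ProcessGuid to its chain of image names, root process first."""
    by_guid = {e["ProcessGuid"]: e for e in events}
    chains = {}
    for guid in by_guid:
        chain, cur, seen = [], by_guid[guid], set()
        while cur is not None and cur["ProcessGuid"] not in seen:
            seen.add(cur["ProcessGuid"])
            chain.append(ntpath.basename(cur["Image"]).lower())
            cur = by_guid.get(cur["ParentProcessGuid"])
        chains[guid] = chain[::-1]
    return chains

def score_chain(chain):
    """Number of consecutive parent->child pairs in the chain that match SUSPICIOUS_EDGES."""
    return sum((p, c) in SUSPICIOUS_EDGES for p, c in zip(chain, chain[1:]))

def find_suspicious(events, min_hits=2):
    """Return (chain, hits) for each leaf process whose ancestry has >= min_hits matches."""
    parents = {e["ParentProcessGuid"] for e in events}
    chains = ancestry(events)
    scored = [(chains[e["ProcessGuid"]], score_chain(chains[e["ProcessGuid"]]))
              for e in events if e["ProcessGuid"] not in parents]
    return [(c, h) for c, h in scored if h >= min_hits]

# Constructed sample events; GUIDs and paths are invented for this example.
SAMPLE_LOG = r'''
{"ProcessGuid":"p1","ParentProcessGuid":"p0","Image":"C:\\Windows\\explorer.exe"}
{"ProcessGuid":"p2","ParentProcessGuid":"p1","Image":"C:\\Windows\\System32\\mshta.exe"}
{"ProcessGuid":"p3","ParentProcessGuid":"p2","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"}
{"ProcessGuid":"p4","ParentProcessGuid":"p3","Image":"C:\\Windows\\System32\\cmd.exe"}
{"ProcessGuid":"p5","ParentProcessGuid":"p4","Image":"C:\\Windows\\System32\\mshta.exe"}
{"ProcessGuid":"p6","ParentProcessGuid":"p5","Image":"C:\\Users\\user\\AppData\\Local\\Temp\\MeshAgent.exe"}
{"ProcessGuid":"b1","ParentProcessGuid":"p1","Image":"C:\\Program Files\\Notepad++\\notepad++.exe"}
'''

if __name__ == "__main__":
    for chain, hits in find_suspicious(parse_events(SAMPLE_LOG)):
        print(f"{hits} suspicious edges: {' -> '.join(chain)}")
```

Only leaf processes are reported, so a single alert covers the whole tree rather than one per stage; raise `min_hits` to trade recall for fewer alerts on hosts where mshta.exe or PowerShell are used legitimately.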
CERT-UA said the threat actor is primarily focused on stealing credentials associated with messaging apps like Signal, Telegram, and WhatsApp, and Ukraine’s military systems such as DELTA, Teneta, and Kropyva.
“The hackers have also launched a number of cyber attacks to get unauthorized access to the PCs of defence companies’ employees and representatives of the security and defence forces,” the agency said.
According to Google-owned Mandiant, which disclosed UNC4221 at the SentinelLabs LABScon security conference earlier this September, the threat actor is known for collecting “battlefield-relevant data by using Android malware, phishing operations masquerading as Ukrainian military applications, and operations targeting popular messaging platforms like Telegram and WhatsApp.”