Digital Map Users Lured Into Installing Malware that Looked for Office Files
Mihir Bagwe
December 19, 2022
Image: Kyiv after a Russian drone attack on Oct. 17, 2022 (State Emergency Service of Ukraine)
The Ukrainian military agency that weeks ago unveiled a battlefield situational awareness tool notified the national cybersecurity response team of a phishing campaign whose operators intend to steal files and siphon internet browser data.
The Ukrainian Computer Emergency Response Team said the campaign targeted users of the situational awareness tool, which the Center for Innovations and Development of Defense Technologies within the Ministry of Defense dubbed Delta at its October public unveiling. Delta is a digital map accessible on multiple devices including a smartphone. The center notified CERT-UA about the campaign on Dec. 17, leading to Sunday’s warning from CERT-UA.
The phishing hook, which came from a compromised Ministry of Defense email address, told recipients they must update Delta certificates in order to maintain access.
The Ukrainian government describes Delta as providing a comprehensive digital overview of the battlefield by integrating data from different sources, including intelligence and sensors. The government announced Delta during a NATO event held in Virginia.
Ukraine continues to fight Russian troops after the Kremlin invaded Ukraine in February (see: Major Takeaways: Cyber Operations During Russia-Ukraine War).
Details of the Campaign
The phishing email included a PDF attachment supposedly containing further instructions, including an embedded link that, when clicked, led to a phishing website mimicking the legitimate Delta logon website but in actuality belonging to the delta-storages.com domain. Data kept by the Internet Corporation for Assigned Names and Numbers show an unknown party registered the domain on Dec. 15.
The executable contained in the malicious zip file that users were urged to download from the site was also compiled and digitally signed on Dec. 15, CERT-UA says. To make the infection process appear legitimate, it ran an application simulating a certificate installation process on the Windows desktop.
The malware launched two malicious applications. One, dubbed "FateGrab" by CERT-UA, looked for files with document-associated extensions such as Microsoft Office formats, and also for files such as stored PowerShell commands or script files. The threat actor's exfiltration method was FTP.
The other application, designated as “StealDeal,” stole internet browser data.
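The chain above (a lure link to a look-alike domain registered days earlier, an executable run out of a downloaded archive, then outbound FTP from the same workstation) can be turned into two simple defender-side checks. The following is an added example, not code from the article or from CERT-UA. It assumes a placeholder allowlisted host `delta.example` (the real Delta logon host is not given in the article), a constructed registration-date table standing in for a WHOIS/RDAP lookup, and a constructed endpoint telemetry format of `<ISO time> <host> <event> <detail>`; the only page-derived values are the `delta-storages.com` domain and its Dec. 15, 2022 registration date.

```python
"""Added example (not code from the article or from CERT-UA): two defender-side
checks modelled on the chain the article describes -- a lure link to a
look-alike domain registered days earlier, then an executable run out of a
downloaded archive followed by outbound FTP from the same workstation."""
from datetime import datetime, timedelta
import re

# The legitimate Delta logon host is not given in the article, so
# "delta.example" is a placeholder allowlist entry.
ALLOWED_HOSTS = {"delta.example"}
BRAND_KEYWORDS = ("delta",)

# Constructed registration dates (a real deployment would query RDAP/WHOIS).
# The delta-storages.com entry reflects the Dec. 15, 2022 registration the
# article cites; the other entry is invented.
REGISTRATION_DATES = {
    "delta-storages.com": datetime(2022, 12, 15),
    "delta.example": datetime(2015, 1, 1),
}


def suspicious_link(url, seen_on, max_age_days=30):
    """Return the reasons a URL found in a lure should be flagged.

    seen_on is an ISO date string (the day the message was received).
    An empty list means the link passed both checks."""
    host = re.sub(r"^https?://", "", url).split("/")[0].lower()
    if host in ALLOWED_HOSTS:
        return []
    seen = datetime.fromisoformat(seen_on)
    reasons = []
    if any(k in host for k in BRAND_KEYWORDS):
        reasons.append("brand keyword on non-allowlisted host")
    registered = REGISTRATION_DATES.get(host)
    if registered is not None:
        age = (seen - registered).days
        if age <= max_age_days:
            reasons.append(f"domain registered {age} days before lure")
    return reasons


# Constructed endpoint telemetry: "<ISO time> <host> <event> <detail>".
# ws-17 models the infection chain (binary run from a temp extraction folder,
# then FTP); ws-22 is benign; ws-09 is FTP with no preceding launch.
SAMPLE_EVENTS = """\
2022-12-17T09:02:11 ws-17 process C:\\Users\\olena\\AppData\\Local\\Temp\\Rar$EX01\\certificates_update.exe
2022-12-17T09:02:40 ws-17 netconn 203.0.113.25:21
2022-12-17T09:05:00 ws-22 process C:\\Program Files\\Office\\WINWORD.EXE
2022-12-17T09:06:12 ws-22 netconn 203.0.113.25:443
2022-12-17T10:30:00 ws-09 netconn 198.51.100.7:21
"""

# Launch locations that a downloaded archive typically extracts into.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\(AppData|Downloads|Desktop)\\", re.I)


def correlate_ftp(events_text, window=timedelta(minutes=10)):
    """Flag outbound FTP (port 21) from workstations.

    Severity is "high" when the same host launched a binary from a
    user-writable path within `window` beforehand, "low" otherwise.
    Returns a list of (host, severity, launched_path_or_None, destination)."""
    recent_launch = {}  # host -> (time, path) of the last qualifying launch
    alerts = []
    for line in events_text.splitlines():
        ts, host, kind, detail = line.split(" ", 3)
        t = datetime.fromisoformat(ts)
        if kind == "process" and USER_WRITABLE.search(detail):
            recent_launch[host] = (t, detail)
        elif kind == "netconn" and detail.endswith(":21"):
            launch = recent_launch.get(host)
            if launch and t - launch[0] <= window:
                alerts.append((host, "high", launch[1], detail))
            else:
                alerts.append((host, "low", None, detail))
    return alerts


if __name__ == "__main__":
    print(suspicious_link("https://delta-storages.com/login", "2022-12-17"))
    for alert in correlate_ftp(SAMPLE_EVENTS):
        print(alert)
```

The link check deliberately treats a brand keyword on a non-allowlisted host and a very young domain as independent signals, so either one alone is enough to route a message for review; the FTP correlation keeps plain workstation FTP as a low-severity finding because the article's exfiltration channel is unusual enough on managed endpoints to be worth a look even without the preceding launch.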
Whoever built the malware – CERT-UA designates the threat actor as UAC-0142 without making further attribution – protected it with VMProtect. Finnish cybersecurity firm F-Secure describes VMProtect as "a Russian-made security envelope and file compressor utility that makes reverse engineering of protected software quite difficult."
Phishing ranks high among the digital attack vectors used against Ukraine, said State Service for Special Communications and Information Protection of Ukraine Chairman Yuriy Shchyhol in a June interview with Liga.tech. Phishing accounts for about two-thirds of all cyberattack entry points, and government officials and ordinary citizens alike have difficulty recognizing phishing emails, Shchyhol said.