On June 20, the Computer Emergency Response Team for Ukraine (CERT-UA) published two advisories on the hacking incidents, suspected of being the work of threat groups APT28 – also known as Fancy Bear – and UAC-0098.
The phishing campaign, conducted by Russian advanced persistent threat (APT) APT28, sees it attempting to spread a malicious document titled, “Nuclear Terrorism A Very Real Threat”. Distribution is suspected of being carried out on June 10.
SEE: Ransomware attacks: This is the data that cyber criminals really want to steal
UAC-0098’s hacking attempts also begins with a malicious email. The phishing messages have a malware document attached, “Imposition of penalties.docx,” and its distribution has been described as “persistent” with an original compilation date of June 16.
This document is also spread through a password-protected archive, fraudulently passed off as communication from Ukraine’s tax office, with the subject line: “Notice of non-payment of tax.”
When opened, both documents automatically download an HTML file that initiates malicious JavaScript code containing an exploit for CVE-2022-30190.
Issued a CVSS severity score of 7.8, CVE-2022-30190 is a remote code execution (RCE) vulnerability in the Microsoft Windows Support Diagnostic Tool (MSDT). The vulnerability, patched but exploited in the wild, first emerged as a zero-day flaw in May.
If the target system has not been protected, victims of Fancy Bear’s attacks will find their systems infected with the CredoMap malware.
According to Malwarebytes, CredoMap is an information stealer able to exfiltrate browser data, cookies, and account credentials. Older variants of the malware have previously been used by APT28 against Ukrainian targets.
The tax-related doc, however, deploys Cobalt Strike beacons. Cobalt Strike is a legitimate, commercial penetration-testing tool that has, unfortunately, been abused for malicious purposes by cyber attackers for many years. The tool’s beacon functionality can facilitate remote connections and can be used for the deployment of shellcode and malware.
Since Russia’s invasion of Ukraine began, CERT-UA has pivoted its focus to warning against cyber threats impacting both Ukrainian businesses and residents. Many campaigns are trying to take advantage of the situation, whether on behalf of the Russian state or just as run-of-the-mill attackers trying to make a profit.
SEE: Cloud computing security: Five things you are probably doing wrong
The agency has previously warned organizations of Ghostwriter phishing campaigns, Invisimole activities tied to the Russian APT Gamaredon, and frequent misinformation schemes targeting Ukraine’s residents.
CERT-UA has also alerted Ukrainian media agencies to phishing campaigns, potentially conducted by the Russian Sandworm hacking group, intended to spread the CrescentImp malware.
Previous and related coverage
Ukraine security agencies warn of Ghostwriter threat activity, phishing campaigns Ukraine warns of InvisiMole attacks tied to state-sponsored Russian hackers Cyberattacks and misinformation activity against Ukraine continues say security researchers
Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0