A suspected Russian hybrid espionage and influence operation has been spotted delivering a mix of Windows and Android malware to the Ukrainian military under a Telegram persona called Civil Defense.
Google's Threat Analysis Group (TAG) and Mandiant track the activity under the name UNC5812. The group runs a Telegram channel, civildefense_com_ua, that was created on September 10, 2024; at the time of writing it has 184 subscribers. It also operates the website civildefense.com(.)ua, which was registered on April 24, 2024.
"Civil Defense claims to be a provider of free software designed to allow potential recruits to view and share crowdsourced locations of Ukrainian military recruiters," Google said in a report shared with The Hacker News.
When installed on Android devices with Google Play Protect disabled, these apps deploy operating system-specific commodity malware alongside a decoy mapping app called SUNSPINNER.
UNC5812 is also said to be actively involved in influence operations, spreading stories and soliciting content aimed at undermining support for Ukraine’s military mobilization and recruitment efforts.
"The UNC5812 campaign is highly representative of Russia's emphasis on achieving cognitive effect through its cyber capabilities, and highlights the prominent role that messaging apps continue to play in malware delivery and other cyber dimensions of Russia's war in Ukraine," the Google Threat Intelligence Group said.
Civil Defense, whose Telegram channel and website were promoted through other legitimate Ukrainian-language Telegram channels, aims to steer victims to its website, which serves a payload matched to the visitor's operating system.
For Windows users, the downloaded ZIP archive leads to the deployment of a newly discovered PHP-based malware downloader, Pronsis, which is used to distribute SUNSPINNER and the off-the-shelf PureStealer malware, advertised at prices ranging from $150 for a monthly subscription to $699 for a lifetime license.
SUNSPINNER, for its part, shows users a map of the alleged locations of Ukrainian military recruiters, with the marker data fetched from a command-and-control (C2) server operated by the actor.
For those visiting the website from Android devices, the attack chain delivers a malicious APK file (package name: "com.http.masters") that embeds a remote access trojan called CraxsRAT.
The website also carries step-by-step instructions that walk victims through disabling Google Play Protect and granting the app every permission it requests, allowing the malware to run unhindered.
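The combination described above, a sideloaded package installed with Play Protect switched off, is something a responder can check for during device triage. The following Python script is an added example, not code from the report or from Google; it parses constructed samples of `adb shell pm list packages -3 -i` output and of the `package_verifier_user_consent` global setting (the assumption that 1 means Play Protect app verification is on and -1 means the user turned it off is mine), flags the package name named in the article, and, going beyond that one case, also lists any third-party app whose installer is not Google Play.

```python
"""Triage helper for the sideloading pattern described in the article (added example)."""
import re
from typing import Dict, List

# Package name reported for the malicious Civil Defense Android app (from the article).
IOC_PACKAGES = {"com.http.masters"}

# Installer that corresponds to Google Play. Any other installer on a third-party
# app means it was sideloaded (assumption: a consumer phone with no enterprise store).
PLAY_INSTALLERS = {"com.android.vending"}

# Constructed sample of `adb shell pm list packages -3 -i` output.
SAMPLE_PM_OUTPUT = """\
package:com.example.bank  installer=com.android.vending
package:com.http.masters  installer=null
package:org.mozilla.firefox  installer=com.android.vending
package:com.example.sideloaded.tool  installer=com.android.packageinstaller
"""

# Constructed sample of `adb shell settings get global package_verifier_user_consent`.
# Assumption: 1 = Play Protect app verification on, -1 = turned off by the user.
SAMPLE_VERIFIER_SETTING = "-1"

_LINE_RE = re.compile(r"^package:(\S+)\s+installer=(\S+)$")


def parse_pm_list(output: str) -> Dict[str, str]:
    """Map each package name to its installer ("null" when unknown or sideloaded)."""
    pkgs: Dict[str, str] = {}
    for line in output.splitlines():
        m = _LINE_RE.match(line.strip())
        if m:
            pkgs[m.group(1)] = m.group(2)
    return pkgs


def triage(pm_output: str, verifier_setting: str) -> List[str]:
    """Return findings ordered by severity: known IoC, Play Protect off, then sideloads."""
    findings: List[str] = []
    pkgs = parse_pm_list(pm_output)
    for name in sorted(pkgs):
        if name in IOC_PACKAGES:
            findings.append(f"IOC: known malicious package installed: {name}")
    if verifier_setting.strip() == "-1":
        findings.append("CONFIG: Play Protect app verification disabled by user")
    for name, installer in sorted(pkgs.items()):
        if name not in IOC_PACKAGES and installer not in PLAY_INSTALLERS:
            findings.append(f"SIDELOAD: {name} installed via {installer}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_PM_OUTPUT, SAMPLE_VERIFIER_SETTING):
        print(finding)
```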
CraxsRAT is a well-known family of Android malware that comes with remote device control capabilities and advanced spying features such as keylogging, gesture control, and camera, screen, and call recording.
After the malware was publicly exposed by Cyfirma in late August 2023, EVLF, the threat actor behind the project, decided to cease operations, but not before selling its Telegram channel to a Chinese-speaking threat actor.
As of May 2024, EVLF is said to have stopped developing the malware because of scammers and cracked versions, but claimed to be working on a new web version that can be accessed from any machine.
"While the Civil Defense website also advertises support for macOS and iPhone, only Windows and Android payloads were available at the time of analysis," Google said.
"The website's FAQ contains a strained justification for hosting the Android app outside of the App Store, suggesting it is an attempt to 'protect the anonymity and security' of its users, and directing them to a set of accompanying video instructions."