The Computer Emergency Response Team of Ukraine (CERT-UA) has disclosed a new set of cyber attacks aimed at Ukrainian institutions with information-stealing malware.
The activity is aimed at military entities, law enforcement agencies, and local self-government bodies, particularly those located near Ukraine's eastern border, the agency said.
The attacks involve the distribution of phishing emails containing macro-enabled Microsoft Excel spreadsheets (XLSM) that, when opened, deploy two pieces of malware: a PowerShell script taken from the PSSW100AVB ("PowerShell Scripts With 100% AV Bypass") GitHub repository that opens a reverse shell, and a previously undocumented stealer dubbed GIFTEDCROOK.
"The file names and email subject lines refer to relevant and sensitive issues such as demining, administrative fines, UAV production, and compensation for destroyed property," CERT-UA said.
"These spreadsheets contain malicious code which, upon opening the document and enabling macros, automatically turns into malicious software and executes without the user's knowledge."
Written in C/C++, GIFTEDCROOK facilitates the theft of sensitive data from web browsers such as Google Chrome, Microsoft Edge, and Mozilla Firefox, including cookies, browsing history, and authentication data.
The email messages are sent from compromised accounts, often through a webmail interface, to lend the messages legitimacy and deceive prospective victims into opening the documents. CERT-UA attributes the activity to the threat cluster UAC-0226, although it has not been linked to a particular country.
The development comes as a suspected Russia-nexus espionage actor tracked as UNC5837 has been linked to a phishing campaign that targeted European government and military organizations in October 2024.
"The campaign employed signed .rdp file attachments to establish Remote Desktop Protocol (RDP) connections from victims' machines," Google Threat Intelligence Group (GTIG) noted.
"Unlike typical RDP attacks focused on interactive sessions, this campaign creatively leveraged resource redirection (mapping victim file systems to the attacker servers) and RemoteApps (presenting attacker-controlled applications to victims)."
It's worth noting that the RDP campaign was previously documented by CERT-UA, Amazon Web Services, and Microsoft in October 2024, and by Trend Micro in December. CERT-UA tracks the activity as UAC-0215, while the others attribute it to the Russian state-sponsored hacking group APT29.
The attack is also notable for the likely use of an open-source tool called PyRDP to automate malicious activities such as file exfiltration and clipboard capture, including potentially sensitive data like passwords.
"The campaign likely enabled attackers to read victim drives, steal files, capture clipboard data (including passwords), and obtain victim environment variables," GTIG said on Monday. "The primary goal of UNC5837 appears to be espionage and file theft."
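The technique above hinges on settings inside the emailed .rdp file itself: the file is a plain-text list of "name:type:value" lines, and it is those lines, not any exploit, that hand the victim's drives and clipboard to the attacker's server or launch a RemoteApp. The triage helper below is an added example, not GTIG's or CERT-UA's tooling; it parses that format and flags the resource-redirection and RemoteApp settings. The sample file, its host name, and the signature value are constructed for illustration.

```python
"""Triage helper for .rdp attachments (added example, constructed sample input)."""
from dataclasses import dataclass, field

# Settings that hand victim resources to the RDP server, with the value the
# Windows client treats as "enabled": a drive list or '*' for drivestoredirect,
# the integer 1 for the other switches.
REDIRECTION_KEYS = {
    "drivestoredirect": "local drives mapped to the remote host",
    "redirectclipboard": "clipboard shared with the remote host",
    "redirectprinters": "printers redirected",
    "redirectsmartcards": "smart cards redirected",
    "devicestoredirect": "plug-and-play devices redirected",
}
REMOTEAPP_KEYS = ("remoteapplicationmode", "remoteapplicationprogram", "remoteapplicationname")


@dataclass
class RdpFinding:
    host: str
    signed: bool                       # a 'signature' line is present; says nothing about trust
    redirections: list = field(default_factory=list)
    remoteapp: dict = field(default_factory=dict)

    @property
    def suspicious(self) -> bool:
        # Drive mapping or a RemoteApp launched from an emailed file is what the
        # "rogue RDP" technique relies on; either one alone is enough to flag.
        return any(k == "drivestoredirect" for k, _ in self.redirections) or bool(self.remoteapp)


def parse_rdp(text: str) -> dict:
    """Return {name: (type, value)} for every well-formed line."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if line.count(":") < 2:
            continue
        name, typ, value = line.split(":", 2)  # the value may itself contain ':'
        settings[name.lower()] = (typ, value)
    return settings


def _enabled(typ: str, value: str) -> bool:
    if typ == "i":
        return value.strip() == "1"
    return value.strip() != ""  # 's' type: any non-empty drive list, including '*'


def triage_rdp(text: str) -> RdpFinding:
    s = parse_rdp(text)
    finding = RdpFinding(host=s.get("full address", ("s", ""))[1], signed="signature" in s)
    for key, why in REDIRECTION_KEYS.items():
        if key in s and _enabled(*s[key]):
            finding.redirections.append((key, why))
    if s.get("remoteapplicationmode", ("i", "0"))[1].strip() == "1":
        finding.remoteapp = {k: s[k][1] for k in REMOTEAPP_KEYS if k in s}
    return finding


# Constructed sample: the host, program name and signature are made up.
SAMPLE_RDP = """\
full address:s:rdp.example.invalid
remoteapplicationmode:i:1
remoteapplicationprogram:s:||TestApp
remoteapplicationname:s:Test
drivestoredirect:s:*
redirectclipboard:i:1
redirectprinters:i:0
signscope:s:Full Address,Remote Application Mode,Drive Store Direct
signature:s:AQABAAEAAADconstructedvalue
"""

if __name__ == "__main__":
    f = triage_rdp(SAMPLE_RDP)
    print("host:", f.host, "| signed:", f.signed, "| suspicious:", f.suspicious)
    for key, why in f.redirections:
        print(f"  {key}: {why}")
    for key, value in f.remoteapp.items():
        print(f"  {key} = {value}")
```

The check deliberately reports "signed" as information rather than as a mitigating factor: the signature only proves the settings were not altered after the attacker wrote them. On mail gateways, blocking .rdp attachments outright is usually simpler than triaging them.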
In recent months, phishing campaigns have also been observed using fake CAPTCHAs and Cloudflare Turnstile to distribute Legion Loader (aka Satacom), which then serves as a conduit to drop a malicious Chromium-based browser extension called "Save to Google Drive."
"The initial payload is distributed via a drive-by download infection that starts when a victim searches for a specific document and is lured to a malicious website," Netskope Threat Labs noted. "The downloaded document contains a CAPTCHA that, upon being clicked by the victim, redirects to a Cloudflare Turnstile CAPTCHA, and then eventually to a notification page."
The page prompts users to allow notifications from the site, after which the victims are redirected to a second Cloudflare Turnstile CAPTCHA that, once completed, redirects to a page providing ClickFix-style instructions to download the document they are looking for.
In reality, the attack paves the way for the delivery and execution of an MSI installer file responsible for launching Legion Loader, which in turn performs a series of steps to download and launch interim PowerShell scripts, ultimately adding the rogue browser extension to the browser.
The PowerShell script also terminates the browser session to enable the extension, turns on developer mode, and restarts the browser. The end goal is to harvest a wide range of sensitive information and exfiltrate it.
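Because the extension is loaded from a directory with developer mode switched on rather than installed from the Web Store, the browser profile keeps evidence of it. The hunting check below is an added example, not Netskope's or the campaign's code. It reads the JSON that Chromium-based browsers keep in the profile's Preferences file and lists unpacked extensions together with the developer-mode flag. The field names used (extensions.ui.developer_mode, extensions.settings.<id> with location, from_webstore, path and manifest, and location value 4 for an unpacked extension) follow the Chromium profile layout as this editor understands it and should be treated as assumptions to confirm against the browser version under investigation; the sample profile, extension id and path are constructed.

```python
"""Find unpacked (sideloaded) extensions in a Chromium Preferences file.

Added example with constructed input. Key names and the UNPACKED location
value are assumptions about Chromium's profile layout; verify before relying on them.
"""
import json

UNPACKED_LOCATION = 4  # assumed Chromium enum value for "loaded from a directory"


def find_sideloaded_extensions(prefs: dict) -> list:
    """Return one record per extension that was loaded unpacked, plus the profile's developer-mode flag."""
    ext = prefs.get("extensions", {})
    developer_mode = bool(ext.get("ui", {}).get("developer_mode", False))
    hits = []
    for ext_id, info in ext.get("settings", {}).items():
        # Extensions from the Web Store carry from_webstore=true and a non-unpacked location;
        # an extension dropped by a script is unpacked and never came from the store.
        if info.get("location") != UNPACKED_LOCATION:
            continue
        manifest = info.get("manifest", {})
        hits.append({
            "id": ext_id,
            "name": manifest.get("name", "?"),
            "path": info.get("path", ""),
            "from_webstore": bool(info.get("from_webstore", False)),
            "permissions": sorted(manifest.get("permissions", [])),
            "developer_mode": developer_mode,
        })
    return hits


def summarize(prefs: dict) -> list:
    """Human-readable lines, one per hit, for a quick look in a shell."""
    return [
        f"{h['id']} '{h['name']}' unpacked from {h['path']!r}; "
        f"permissions={','.join(h['permissions'])}; developer_mode={h['developer_mode']}"
        for h in find_sideloaded_extensions(prefs)
    ]


# Constructed profile: one store extension and one unpacked extension with
# permissions that would let it read cookies and page content.
SAMPLE_PREFERENCES = json.dumps({
    "extensions": {
        "ui": {"developer_mode": True},
        "settings": {
            "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {
                "from_webstore": True,
                "location": 1,
                "manifest": {"name": "Legit Store Extension", "permissions": ["storage"]},
            },
            "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {
                "from_webstore": False,
                "location": UNPACKED_LOCATION,
                "path": "C:\\Users\\victim\\AppData\\Local\\Temp\\ext",
                "manifest": {
                    "name": "Save to Google Drive",
                    "permissions": ["cookies", "tabs", "webRequest", "<all_urls>"],
                },
            },
        },
    }
})

if __name__ == "__main__":
    for line in summarize(json.loads(SAMPLE_PREFERENCES)):
        print(line)
```

Run it against `Preferences` from each profile directory (for Chrome on Windows, under the user's Local AppData) and against `Secure Preferences` where the browser keeps the extension list there instead. An unpacked extension under a temp directory, combined with developer mode on a profile that never used it before, is worth pulling the extension directory and the PowerShell that created it.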