Fake Military Apps Try to Steal Login and GPS Data from the Ukrainian Army
Published on September 6, 2024
Published on September 6, 2024
100 Government Computers Infected with Malware by Hackers Posing as Ukraine’s Security Service
Published on August 13, 2024
- A spear-phishing campaign targeted Ukrainian government bodies with malware.
- Attackers impersonated the Security Service of Ukraine, pretending to send harmless documents.
- Deployed malware permitted covert access to infiltrated systems.
Attackers posing as the “Security Service of Ukraine” (SSU) targeted the country's government agencies with a phishing campaign aiming to distribute malware, as announced on Monday by the Computer Emergency Response Team of Ukraine (CERT-UA) at SSSCIP.
CERT-UA said the threat actors used a fake SSU documents archive as a lure and compromised more than 100 computers, mostly belonging to Ukraine's central and local self-government bodies.
The emails contained a link for downloading an archive file called "Documents.zip" that actually downloaded a Microsoft Software Installer (MSI) file. The MSI file launches the malware, which the developer named AnonVNC, tracked by the identifier UAC-0198.
AnonVNC contains a configuration file with a format identical to the MeshAgent program's source code available on GitHub.
MeshCentral Agent is a legitimate remote assistance tool that connects to the MeshCentral server for remote device management. This makes it attractive to threat actors, who can abuse it for malicious purposes. For instance, a backdoor based on Mesh Central was discovered by Malwarebytes.
While its capabilities were not described by CERT-UA, it appears to provide unauthorized remote access to compromised machines via a backdoor.
CERT-UA said related cyber attacks have been carried out since at least July 2024, adding that starting August 1, 2024, more than 1,000 EXE and MSI files were found only in the directories of the pCloud file service.
In related news, a scientific research institution in Ukraine was targeted by a spear phishing campaign in July. The attackers, tracked as UAC-0063, used a Microsoft Word attachment with a malicious macro as a lure and deployed the HATVIBE backdoor and CHERRYSPY malware via a compromised employee email.