100 Government Computers Infected with Malware by Hackers Posing as Ukraine’s Security Service

Published on August 13, 2024
Written by:
Lore Apostol
Lore Apostol
Infosec Writer & Editor

Attackers posing as the “Security Service of Ukraine” (SSU) targeted the country's government agencies with a phishing campaign aiming to distribute malware, as announced on Monday by the Computer Emergency Response Team of Ukraine (CERT-UA) at SSSCIP.

CERT-UA said the threat actors used a fake SSU documents archive as a lure and compromised more than 100 computers, mostly belonging to Ukraine's central and local self-government bodies.

The emails contained a link for downloading an archive file called "Documents.zip" that actually downloaded a Microsoft Software Installer (MSI) file. The MSI file launches the malware, which the developer named AnonVNC, tracked by the identifier UAC-0198.

AnonVNC contains a configuration file with a format identical to the MeshAgent program's source code available on GitHub. 

Virus Propagation in Ukraine by CERT-UA
Image Source: CERT-UA

MeshCentral Agent is a legitimate remote assistance tool that connects to the MeshCentral server for remote device management. This makes it attractive to threat actors, who can abuse it for malicious purposes. For instance, a backdoor based on Mesh Central was discovered by Malwarebytes.

While its capabilities were not described by CERT-UA, it appears to provide unauthorized remote access to compromised machines via a backdoor.

CERT-UA said related cyber attacks have been carried out since at least July 2024, adding that starting August 1, 2024, more than 1,000 EXE and MSI files were found only in the directories of the pCloud file service.

In related news, a scientific research institution in Ukraine was targeted by a spear phishing campaign in July. The attackers, tracked as UAC-0063, used a Microsoft Word attachment with a malicious macro as a lure and deployed the HATVIBE backdoor and CHERRYSPY malware via a compromised employee email.



For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: