Ukrainian authorities have warned of a mass phishing campaign aimed at stealing sensitive personal data from citizens.
The attackers, tracked under the identifier UAC-0218, send phishing links that purport to lead to invoices or payment details but actually lead to the download of data-stealing malware.
Once downloaded, the script searches the victim's machine for documents in a range of formats and sends them to the attackers' servers. This gives the threat actor access to sensitive personal and financial data that can be used for theft or blackmail.
Based on domain name registration data, the campaign has been running since at least August 2024.
The Computer Emergency Response Team of Ukraine (CERT-UA) has not provided any further details on the identity of the attackers or on whether they were targeting particular categories of people.
Mass Data Exfiltration Operation
CERT-UA said the phishing emails carry the subject line "account details." Each email contains a link, allegedly to a file on eDisk, that downloads a RAR archive of the same name.
These archives contain two password-protected decoy documents, named "Договір20102024.doc" and "Рахунок20102024.xlsx," together with the VBS script "Password.vbe" (a .vbe file is an encoded VBScript, which hides the script body from casual inspection).
When launched, the VBS script recursively searches for files of various types up to five directory levels below the %USERPROFILE% folder, matching the extensions "xls", "xlsx", "doc", "docx", "docx", "pdf", "txt", "csv", "rtf", "ods", "odt", "eml", "pst", "rar" and "zip".
Any matching file smaller than 10MB is then exfiltrated to the attackers' server using the HTTP PUT method. PUT is normally used to create a new resource, or replace an existing one, on a web server, which makes it a convenient and rarely monitored upload channel.
CERT-UA's analysis also found an executable file on victims' systems that contains a one-line PowerShell command.
This file implements similar functionality: a recursive search of the %USERPROFILE% directory for files matching the extension list ('*.xls*', '*doc*', '*.pdf', '*.eml', '*.sqlite', '*.pst', '*.txt'), followed by their transfer to the command-and-control server using the HTTP POST method.
The Ukrainian agency also highlighted features of the attackers' command-and-control infrastructure, such as the use of the domain name registrar HostZealot and the implementation of the receiving web server in Python.
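Both stealers described above share one network signature: a burst of small HTTP PUT (VBS script) or POST (PowerShell one-liner) uploads of office, mail and archive files, each under 10MB, from a single workstation to a server nobody in the organisation uses. The following Python hunt script is an added example written for this article and is not code from CERT-UA or from the attackers' tooling. The proxy log format, the log lines, the 203.0.113.7 server, the allowlisted upload host and the burst threshold are all constructed assumptions; the extension list and the 10MB cut-off are taken from the advisory as reported here.

```python
"""Hunt proxy logs for the document-exfiltration pattern CERT-UA describes:
many small PUT/POST uploads of office/mail/archive files from one host to
an unfamiliar external server within a short window.

Added example; the log lines below are constructed, not from the advisory."""
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit, unquote

# Union of the extensions reported for the VBS and PowerShell stealers.
EXFIL_EXTENSIONS = {
    "xls", "xlsx", "doc", "docx", "pdf", "txt", "csv", "rtf", "ods", "odt",
    "eml", "pst", "rar", "zip", "sqlite",
}
MAX_FILE_BYTES = 10 * 1024 * 1024      # stealer only sends files under 10MB
UPLOAD_METHODS = {"PUT", "POST"}
# Assumed corporate upload endpoints that legitimately receive documents.
ALLOWED_UPLOAD_HOSTS = {"files.example.com"}

# Constructed log: "<iso timestamp> <src ip> <method> <url> <request bytes>".
SAMPLE_LOG = """\
2024-10-21T09:00:01 10.0.0.15 GET http://intranet.example.local/index.html 0
2024-10-21T09:01:10 10.0.0.15 PUT http://203.0.113.7/upload/Договір20102024.doc 45112
2024-10-21T09:01:11 10.0.0.15 PUT http://203.0.113.7/upload/passwords.txt 812
2024-10-21T09:01:12 10.0.0.15 PUT http://203.0.113.7/upload/Outlook.pst 9800000
2024-10-21T09:01:13 10.0.0.15 PUT http://203.0.113.7/upload/report.pdf 300000
2024-10-21T09:01:14 10.0.0.15 PUT http://203.0.113.7/upload/bigdump.zip 52428800
2024-10-21T09:01:15 10.0.0.15 PUT http://203.0.113.7/upload/Рахунок20102024.xlsx 23000
2024-10-21T09:30:00 10.0.0.22 POST https://files.example.com/api/upload/quarterly.docx 120000
2024-10-21T09:45:00 10.0.0.22 POST https://files.example.com/api/upload/photo.png 5000
"""


def parse_line(line):
    """Split one constructed proxy log line into a record."""
    ts, src, method, url, size = line.split()
    return {"ts": datetime.fromisoformat(ts), "src": src,
            "method": method.upper(), "url": url, "size": int(size)}


def suspicious_upload(rec, allowlist=ALLOWED_UPLOAD_HOSTS):
    """Return an event if the record looks like one stealer upload, else None.

    Matches on the file extension in the URL path only; the PowerShell
    pattern '*doc*' is broader, so tune this for your own environment."""
    if rec["method"] not in UPLOAD_METHODS or rec["size"] >= MAX_FILE_BYTES:
        return None
    parts = urlsplit(rec["url"])
    if parts.hostname in allowlist:
        return None
    name = unquote(parts.path.rsplit("/", 1)[-1])
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if ext not in EXFIL_EXTENSIONS:
        return None
    return {"ts": rec["ts"], "src": rec["src"], "host": parts.hostname,
            "name": name, "size": rec["size"]}


def detect_bursts(events, window=timedelta(seconds=60), threshold=3):
    """Alert on any (src, host) pair with `threshold` uploads inside `window`.

    A single PUT of a spreadsheet is noise; a run of them within seconds is
    the signature of a script walking the user profile."""
    by_pair = defaultdict(list)
    for ev in events:
        by_pair[(ev["src"], ev["host"])].append(ev)
    alerts = []
    for (src, host), evs in by_pair.items():
        evs.sort(key=lambda e: e["ts"])
        times = [e["ts"] for e in evs]
        for i in range(len(evs) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                alerts.append({"src": src, "host": host, "count": len(evs),
                               "files": [e["name"] for e in evs],
                               "bytes": sum(e["size"] for e in evs)})
                break
    return alerts


def hunt(log_text):
    """Parse a whole log and return the list of burst alerts."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = suspicious_upload(parse_line(line))
        if ev:
            events.append(ev)
    return detect_bursts(events)


if __name__ == "__main__":
    for alert in hunt(SAMPLE_LOG):
        print(f"{alert['src']} -> {alert['host']}: {alert['count']} files, "
              f"{alert['bytes']} bytes: {', '.join(alert['files'])}")
```

On the constructed log this reports one burst: five uploads from 10.0.0.15 to 203.0.113.7 within six seconds, with the 50MB archive ignored because the stealer would not have sent it and the legitimate file-share host excluded by the allowlist. Against a real proxy or Zeek http.log the same logic applies; the parsing function is the only part that needs to change.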
In August 2024, CERT-UA warned that more than 100 Ukrainian government computers had been compromised following a mass phishing campaign.
In that campaign the attackers impersonated the Security Service of Ukraine in their emails to lure targets into clicking a malicious link that downloaded the ANONVNC malware onto the machine.