Cyber Attacks Target Ukrainian State Agencies in Espionage Operation


May 24, 2023 | Ravie Lakshmanan | Cyber War / Threat Intel

The Computer Emergency Response Team of Ukraine (CERT-UA) has warned of cyber attacks targeting state agencies in the country as part of an espionage campaign.

The intrusion set, associated with a threat actor the agency has tracked as UAC-0063 since 2021, uses phishing lures to distribute various malicious tools to infected systems. The origin of the hacking crew is currently unknown.

In the chain of attacks described by the agency, the email targeted an unnamed ministry and claimed to be from the Tajikistan Embassy in Ukraine. It is suspected that the message was sent from a previously compromised mailbox.

The email carries a Microsoft Word attachment which, once macros are enabled, launches an encoded VBScript called HATVIBE, which is then used to drop additional malware.

These include a keylogger (LOGPIE), a Python-based backdoor capable of executing commands sent from remote servers (CHERRYSPY), and tools focused on stealing files with specific extensions (STILLARCH or DownEx).

It should be noted that DownEx was recently documented by Bitdefender as being used by unidentified actors in highly targeted attacks aimed at government entities in Kazakhstan and Afghanistan.

“Additional studies of the infrastructure and related files made it possible to conclude that among the objects of interest of the group were organizations from Mongolia, Kazakhstan, Kyrgyzstan, Israel, (and) India,” CERT-UA said.

The findings show that some threat actors are still employing macro-based malware even though Microsoft now disables the feature by default in Office files downloaded from the web.

That said, Microsoft's restrictions have led some attack groups to experiment with and adapt their attack chains and payload delivery mechanisms to include uncommon file types (CHM, ISO, LNK, VHD, XLL, and WSF) and techniques such as HTML smuggling.
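As an added example (not part of the original article or the CERT-UA alert), the following Python triage helper flags mail attachments that match the two delivery patterns described above: an Office Open XML document that carries a VBA project, and the uncommon container types attackers moved to once web-downloaded macros were blocked. The sample package it builds is constructed for local testing and is not a real lure.

```python
import io
import zipfile

# Container types the article lists as alternatives to macro documents.
UNCOMMON_ATTACHMENT_TYPES = {"chm", "iso", "lnk", "vhd", "xll", "wsf"}
OFFICE_EXTENSIONS = {"doc", "docx", "docm", "dotm", "xlsx", "xlsm", "pptx", "pptm"}
# Macro-enabled OOXML main-part content types (Word, Excel, PowerPoint).
MACRO_CONTENT_TYPES = {
    "application/vnd.ms-word.document.macroEnabled.main+xml",
    "application/vnd.ms-excel.sheet.macroEnabled.main+xml",
    "application/vnd.ms-powerpoint.presentation.macroEnabled.main+xml",
}

def office_has_vba(data: bytes) -> bool:
    """True if an OOXML package contains a VBA project (vbaProject.bin) or
    declares a macro-enabled content type. A macro lure like the one in the
    article does nothing until macros run, so this is the earliest signal."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            if any(n.lower().endswith("vbaproject.bin") for n in names):
                return True
            if "[Content_Types].xml" in names:
                ct = zf.read("[Content_Types].xml").decode("utf-8", "replace")
                return any(t in ct for t in MACRO_CONTENT_TYPES)
    except zipfile.BadZipFile:
        pass  # not a zip container, so not an OOXML document
    return False

def triage_attachment(filename: str, data: bytes) -> list[str]:
    """Return reasons the attachment deserves analyst attention (empty = none)."""
    reasons = []
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext in UNCOMMON_ATTACHMENT_TYPES:
        reasons.append(f"uncommon container type .{ext}")
    if ext in OFFICE_EXTENSIONS and office_has_vba(data):
        reasons.append("Office document carries a VBA project")
        if ext == "docx":  # macro project hidden behind a non-macro extension
            reasons.append("macro project inside a .docx (extension/content mismatch)")
    return reasons

def build_sample_ooxml(with_vba: bool) -> bytes:
    """Constructed minimal Word-style package used only to exercise the triage."""
    doc_type = ("application/vnd.ms-word.document.macroEnabled.main+xml" if with_vba else
                "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml",
                    f'<Types><Override PartName="/word/document.xml" ContentType="{doc_type}"/></Types>')
        zf.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 constructed placeholder")
    return buf.getvalue()
```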


Enterprise security firm Proofpoint says it has observed several initial access brokers (IABs) – actors who infiltrate high-value targets and then sell that access to other cybercriminals for profit – using PDF and OneNote files since December 2022.

“Experiments with and regular rotation to new payload delivery techniques by traced threat actors, especially IAB, are very different from the attack chains observed before 2022 and mark the new normal of threat activity,” the company said.

“The most experienced cybercriminal actors no longer rely on one or a few techniques, but instead frequently develop and iterate new TTPs. The rapid pace of change for many threat actors means they have the time, ability, and understanding of the threat landscape to develop and execute new techniques quickly.”
