CERT-UA Warns of Phishing Attacks Targeting Ukraine's Defense and Security Forces

Dec 10, 2024 | Ravie Lakshmanan | Malware / Cyber Attack

The Computer Emergency Response Team of Ukraine (CERT-UA) has warned of a new set of cyber attacks that it said were aimed at defense companies in the country as well as its security and defense forces.

The phishing attacks have been attributed to a Russia-linked threat actor tracked as UAC-0185 (aka UNC4221), which has been active since at least 2022.

"The phishing emails mimicked official messages from the Ukrainian League of Industrialists and Entrepreneurs," CERT-UA said. "The emails advertised a conference held on December 5th in Kyiv, aimed at aligning the products of domestic defense industry companies with NATO standards."

The email messages embed a malicious URL that urges recipients to click on it to view "important information" related to their participation in the conference.

In reality, doing so leads to the download of a Windows shortcut (LNK) file that, when opened, executes an HTML Application (HTA), which in turn contains JavaScript code responsible for running PowerShell commands capable of loading next-stage payloads.


These payloads comprise a decoy file and a ZIP archive containing a batch script, another HTML Application, and an executable file. In the final step, the batch script is launched to run the HTML Application file, which then runs the MeshAgent binary on the host, granting the attackers remote control over the compromised system.
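The chain described above (shortcut → HTA → PowerShell, then batch → HTA → remote-management binary) leaves a distinctive parent/child pattern in process-creation telemetry. The following Python sketch is an added example, not code from the article or from CERT-UA: it walks a set of constructed Sysmon-style events and flags the three links a defender would want to alert on. The event list, the `agent.exe` path standing in for the MeshAgent drop, and the rule names are all assumptions made for the example.

```python
"""Hunt for the LNK -> HTA -> PowerShell -> (batch -> HTA -> agent binary) chain
in process-creation telemetry. All events below are constructed for this example;
field names loosely mirror Sysmon Event ID 1 (pid, ppid, image, cmdline)."""

# Constructed sample telemetry: one full suspicious chain plus a benign HTA launch.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
    # The .lnk file hands off to mshta.exe to run the first HTA (hypothetical path).
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r'mshta.exe "C:\Users\u\AppData\Local\Temp\invite.hta"'},
    # The HTA's JavaScript launches PowerShell (placeholder arguments, no real payload).
    {"pid": 300, "ppid": 200,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoProfile -File stage1.ps1"},
    # PowerShell runs the batch script from the dropped ZIP (hypothetical path).
    {"pid": 310, "ppid": 300, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "C:\Users\u\AppData\Local\Temp\stage2\run.bat"'},
    # The batch script re-launches mshta.exe for the second HTA.
    {"pid": 320, "ppid": 310, "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r'mshta.exe "C:\Users\u\AppData\Local\Temp\stage2\second.hta"'},
    # The second HTA starts the remote-management binary (agent.exe stands in for MeshAgent).
    {"pid": 330, "ppid": 320,
     "image": r"C:\Users\u\AppData\Local\Temp\stage2\agent.exe",
     "cmdline": "agent.exe -fullinstall"},
    # Benign: an HTA launched from Program Files that spawns nothing further.
    {"pid": 400, "ppid": 100, "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r'mshta.exe "C:\Program Files\Vendor\help.hta"'},
]

# Path fragments that mark user-writable locations where dropped binaries typically land.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\downloads\\")


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def build_index(events):
    """Map pid -> event so ancestry can be walked in O(1) per hop."""
    return {e["pid"]: e for e in events}


def ancestry(index, pid, max_depth=6):
    """Return [self, parent, grandparent, ...] as image basenames, bounded and cycle-safe."""
    chain, seen = [], set()
    while pid in index and pid not in seen and len(chain) < max_depth:
        seen.add(pid)
        chain.append(basename(index[pid]["image"]))
        pid = index[pid]["ppid"]
    return chain


def detect_hta_chains(events):
    """Apply three rules matching the links of the reported infection chain."""
    index = build_index(events)
    findings = []
    for e in events:
        chain = ancestry(index, e["pid"])
        me = chain[0]
        parent = chain[1] if len(chain) > 1 else None
        # Rule 1: PowerShell with mshta.exe anywhere in its ancestry (HTA -> PowerShell).
        if me == "powershell.exe" and "mshta.exe" in chain[1:]:
            findings.append({"rule": "hta_spawns_powershell", "pid": e["pid"],
                             "chain": " <- ".join(chain)})
        # Rule 2: mshta.exe directly launching a binary from a user-writable directory.
        if parent == "mshta.exe" and any(m in e["image"].lower() for m in USER_WRITABLE_MARKERS):
            findings.append({"rule": "hta_launches_binary_from_user_dir", "pid": e["pid"],
                             "chain": " <- ".join(chain)})
        # Rule 3: a second mshta.exe started by cmd.exe underneath an earlier PowerShell.
        if me == "mshta.exe" and "cmd.exe" in chain[1:] and "powershell.exe" in chain:
            findings.append({"rule": "batch_relaunches_hta_under_powershell", "pid": e["pid"],
                             "chain": " <- ".join(chain)})
    return findings


if __name__ == "__main__":
    for f in detect_hta_chains(SAMPLE_EVENTS):
        print(f"[{f['rule']}] pid={f['pid']}: {f['chain']}")
```

Run against the constructed events, the benign `help.hta` launch (pid 400) produces nothing, while pids 300, 320 and 330 each trigger one rule. Rule 2 is the most portable of the three: a legitimate HTA rarely has a reason to start an executable out of `%TEMP%` or `AppData`, so that single parent/child pair is worth an alert even where the surrounding chain is not visible.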

CERT-UA said the threat actor is primarily focused on stealing credentials associated with messaging apps like Signal, Telegram, and WhatsApp, and with Ukraine's military systems such as DELTA, Teneta, and Kropyva.

"The hackers have also launched a number of cyber attacks to get unauthorized access to the PCs of defence companies' workers and representatives of the security and defence forces," the agency said.

According to Google-owned Mandiant, which detailed UNC4221 at the SentinelLabs LABScon security conference earlier this September, the threat actor is known for gathering "battlefield-relevant data through the use of Android malware, phishing operations masquerading as Ukrainian military applications, and operations targeting popular messaging platforms like Telegram and WhatsApp."
