Listen to this Post
A new wave of cyber attacks has been detected, focusing on Ukrainian institutions, including military formations, law enforcement agencies, and local governments, especially those located near Ukraine’s eastern border. These attacks, involving sophisticated malware designed to steal sensitive data, have been revealed by Ukraine’s Computer Emergency Response Team (CERT-UA). As the situation evolves, it becomes clear that these cyber threats pose serious risks to national security and personal privacy.
Overview of the Cyber Attack Campaign
The cyber attacks in question are being executed through phishing emails that contain macro-enabled Microsoft Excel spreadsheets (XLSM). When these files are opened and macros are enabled, two types of malware are activated. The first is a PowerShell script taken from the PSSW100AVB GitHub repository, which facilitates the deployment of a reverse shell, and the second is a previously unidentified piece of malware named GIFTEDCROOK.
These phishing emails are carefully crafted to appear legitimate. They contain file names and email subject lines that are relevant to sensitive topics such as demining, administrative fines, UAV production, and compensation for destroyed property, further increasing the likelihood of the victim opening the attachments. The malware that is unleashed once the document is opened is designed to steal sensitive information such as web browser cookies, browsing history, and authentication data from popular browsers like Google Chrome, Mozilla Firefox, and Microsoft Edge.
CERT-UA has linked the attacks to a threat cluster identified as UAC-0226, although it has not confirmed the involvement of any specific nation. However, there are ongoing speculations regarding the Russian involvement in these types of cyber espionage campaigns. This attack adds to the growing body of evidence that cyber operations are being used as part of a broader geopolitical strategy.
The revelation of these attacks comes on the heels of a similar cyber campaign by the suspected Russian espionage group, UNC5837. This group had previously targeted European government and military organizations with a phishing scheme that utilized signed Remote Desktop Protocol (RDP) file attachments. These attacks, documented by several organizations including CERT-UA, Amazon Web Services, and Microsoft, raised alarms about the increasing sophistication and variety of cyber tactics being used to infiltrate sensitive systems.
What Undercode Says:
The recent cyber threats targeting Ukrainian institutions underscore the increasing sophistication of cybercriminals and state-sponsored hacking groups. The use of phishing emails with cleverly disguised attachments is a common tactic, but the specific deployment of malware like GIFTEDCROOK and reverse shells shows a level of precision that points to highly organized, potentially state-backed cyber operations.
The primary objective of these attacks appears to be espionage. By stealing authentication data, browsing history, and cookies from a range of popular browsers, the attackers can gain deep insights into the operations of their targets. These types of cyber espionage tactics allow attackers to monitor communications, gather intelligence on military and governmental activities, and potentially even steal classified or sensitive information.
While CERT-UA has linked the activities to a specific threat cluster, there is no official confirmation of the involvement of any particular nation-state. However, the sophistication of the malware and the specific targets of the attacks suggest the involvement of a well-resourced actor. Russia’s history of using cyber operations as part of its geopolitical strategy adds weight to suspicions that these attacks may be linked to Russian intelligence operations.
In the broader context of ongoing cyber campaigns, the trend of using legitimate-looking phishing emails and RDP file attachments highlights a shift in cyber tactics. The use of tools like PyRDP and Legion Loader to automate malicious activities such as file exfiltration and clipboard capture adds a layer of complexity to these campaigns. Attackers are not only targeting sensitive data but also leveraging automation to increase the speed and scale of their operations.
What is particularly alarming is the combination of multiple attack vectors. In the case of the phishing campaign, the attackers not only use phishing emails to deliver malware but also exploit vulnerabilities in popular websites and services to spread the malicious payload. This multi-layered approach makes these campaigns harder to detect and neutralize.
Given the political and military tensions in Ukraine and its surrounding regions, these cyberattacks are part of a larger pattern of digital warfare. Governments and organizations around the world must be increasingly vigilant and proactive in securing their networks and systems to defend against these growing cyber threats.
Fact Checker Results:
- Accuracy: The details provided by CERT-UA about the cyber attacks are consistent with other reports on similar tactics used by state-sponsored actors.
- Source Credibility: The attribution of these attacks to UAC-0226 and the mention of the broader geopolitical context aligns with expert assessments from cybersecurity organizations.
- Significance: The increasing use of advanced malware and phishing tactics highlights the need for continuous improvement in cybersecurity practices globally.
References:
Reported By: thehackernews.com
Extra Source Hub:
https://www.facebook.com
Wikipedia
Undercode AI
Image Source:
Pexels
Undercode AI DI v2





