CERT-UA Alerts Ukraine’s Defense and Security Force to Phishing Attacks


The country’s security and defense forces, as well as defense companies, are the targets of a fresh wave of cyberattacks, according to the Computer Emergency Response Team of Ukraine (CERT-UA).

The phishing attacks are attributed to UAC-0185 (also tracked as UNC4221), a Russia-linked threat actor that has been active since at least 2022.

“The phishing emails mimicked official messages from the Ukrainian League of Industrialists and Entrepreneurs,” CERT-UA said. “The emails advertised a conference held on December 5th in Kyiv, aimed at aligning the products of domestic defense industry companies with NATO standards.”

The emails embed a malicious URL and urge recipients to click it to read "important information" about their conference attendance.

Clicking the link actually downloads a Windows shortcut (LNK) file. When opened, the shortcut launches an HTML Application (HTA) whose embedded JavaScript runs PowerShell commands that retrieve the next-stage payloads.

That next stage delivers a decoy document together with a ZIP archive containing an executable, a second HTA file and a batch script. The batch script runs the HTA, and the final stage launches MeshAgent (a legitimate remote-management agent, abused here as a backdoor) on the host, giving the attackers remote control over the infected system.
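The infection chain above (LNK opened from Explorer, HTA running PowerShell, a batch script running a second HTA, then a MeshAgent binary) leaves a distinctive parent/child process sequence. The script below is an added example, not code from CERT-UA or the article, that flags those parent/child pairs and reconstructs the full chain from Sysmon Event ID 1-style process-creation records. The sample events, PIDs, file names and paths are constructed for illustration.

```python
"""Flag the LNK -> HTA -> PowerShell -> batch -> HTA -> MeshAgent process chain
in process-creation telemetry (Sysmon Event ID 1 fields, one JSON object per line).
Added example; the telemetry below is constructed, not real CERT-UA data."""
import json
from typing import Dict, List, Tuple

# Parent -> child image pairs that match the chain described in the advisory and
# are rarely seen in legitimate activity.
SUSPICIOUS_PAIRS = {
    ("explorer.exe", "mshta.exe"),    # LNK opened by the user launches the HTA
    ("mshta.exe", "powershell.exe"),  # HTA's JavaScript runs PowerShell
    ("cmd.exe", "mshta.exe"),         # batch script runs the second HTA
}
# Image name of the remote-management agent dropped at the end of the chain.
AGENT_IMAGES = {"meshagent.exe"}

# Constructed sample telemetry (hypothetical PIDs and paths).
SAMPLE_EVENTS = r"""
{"ProcessId": 1000, "ParentProcessId": 800, "ParentImage": "C:\\Windows\\System32\\userinit.exe", "Image": "C:\\Windows\\explorer.exe", "CommandLine": "explorer.exe"}
{"ProcessId": 2000, "ParentProcessId": 1000, "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\mshta.exe", "CommandLine": "mshta.exe C:\\Users\\u\\Downloads\\conference.hta"}
{"ProcessId": 3000, "ParentProcessId": 2000, "ParentImage": "C:\\Windows\\System32\\mshta.exe", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe -NoProfile -WindowStyle Hidden -File C:\\Users\\u\\AppData\\Local\\Temp\\stage.ps1"}
{"ProcessId": 4000, "ParentProcessId": 3000, "ParentImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c C:\\Users\\u\\AppData\\Local\\Temp\\run.bat"}
{"ProcessId": 5000, "ParentProcessId": 4000, "ParentImage": "C:\\Windows\\System32\\cmd.exe", "Image": "C:\\Windows\\System32\\mshta.exe", "CommandLine": "mshta.exe C:\\Users\\u\\AppData\\Local\\Temp\\second.hta"}
{"ProcessId": 6000, "ParentProcessId": 5000, "ParentImage": "C:\\Windows\\System32\\mshta.exe", "Image": "C:\\Users\\u\\AppData\\Local\\Temp\\MeshAgent.exe", "CommandLine": "MeshAgent.exe"}
{"ProcessId": 7000, "ParentProcessId": 1000, "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "CommandLine": "WINWORD.EXE"}
"""


def load_events(text: str) -> List[Dict]:
    """Parse JSON-lines telemetry, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def flag_pairs(events: List[Dict]) -> List[Tuple[int, str, str]]:
    """Return (ProcessId, parent image, child image) for every suspicious pair."""
    hits = []
    for ev in events:
        pair = (basename(ev["ParentImage"]), basename(ev["Image"]))
        if pair in SUSPICIOUS_PAIRS:
            hits.append((ev["ProcessId"], pair[0], pair[1]))
    return hits


def agent_chains(events: List[Dict]) -> List[List[str]]:
    """For each agent process, walk ParentProcessId back to the root and return
    the ancestry as a list of image names, root first."""
    by_pid = {ev["ProcessId"]: ev for ev in events}
    chains = []
    for ev in events:
        if basename(ev["Image"]) not in AGENT_IMAGES:
            continue
        chain, cur, seen = [], ev, set()
        while cur is not None and cur["ProcessId"] not in seen:  # guard against PID reuse loops
            seen.add(cur["ProcessId"])
            chain.append(basename(cur["Image"]))
            cur = by_pid.get(cur["ParentProcessId"])
        chains.append(list(reversed(chain)))
    return chains


if __name__ == "__main__":
    evs = load_events(SAMPLE_EVENTS)
    for pid, parent, child in flag_pairs(evs):
        print(f"suspicious spawn: {parent} -> {child} (pid {pid})")
    for chain in agent_chains(evs):
        print("agent ancestry:", " -> ".join(chain))
```

In production the parent/child pairs are the cheap, high-signal rule (mshta.exe spawning powershell.exe in particular is worth an alert on almost any workstation), while the ancestry walk is what lets an analyst confirm the whole chain and scope the incident from the MeshAgent process back to the user who opened the shortcut.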

According to CERT-UA, the threat actor’s main objective is to steal login credentials for Ukraine’s military systems, including DELTA, Teneta, and Kropyva, as well as messaging apps like Signal, Telegram, and WhatsApp.

“The hackers have also launched a number of cyber attacks to get unauthorized access to the PCs of defence companies’ workers and representatives of the security and defense forces,” the agency said.

According to Google-owned Mandiant, which exposed UNC4221 at the SentinelLabs LABScon security conference earlier this September, the threat actor is known for collecting “battlefield-relevant data through the use of Android malware, phishing operations masquerading as Ukrainian military applications, and operations targeting popular messaging platforms like Telegram and WhatsApp.”
