Ukrainian organizations warned of hacking attempts using CredoMap malware, Cobalt Strike beacons

Ukrainian organizations warned of hacking attempts using CredoMap malware, Cobalt Strike beacons

Trending 3 months ago 30

Ukrainian organizations person been subjected to caller hacking attempts tailored to driblet malware and malicious Cobalt Strike beacons onto their networks.

On June 20, the Computer Emergency Response Team for Ukraine (CERT-UA) published 2 advisories connected the hacking incidents, suspected of being the enactment of menace groups APT28 -- besides known arsenic Fancy Bear -- and UAC-0098.

The phishing campaign, conducted by Russian precocious persistent menace (APT) APT28, sees it attempting to dispersed a malicious papers titled, "Nuclear Terrorism A Very Real Threat" Distribution is suspected of being carried retired connected June 10.

UAC-0098's hacking attempts also begins with a malicious email. The phishing messages person a malware papers attached, "Imposition of penalties.docx," and its organisation has been described arsenic "persistent" with an archetypal compilation day of June 16.

This papers is besides dispersed done a password-protected archive, fraudulently passed disconnected arsenic connection from Ukraine's taxation office, with the taxable line: "Notice of non-payment of tax."

When opened, some documents automatically download an HTML record that initiates malicious JavaScript codification containing an exploit for CVE-2022-30190.

Issued a CVSS severity people of 7.8, CVE-2022-30190 is simply a distant codification execution (RCE) vulnerability successful the Microsoft Windows Support Diagnostic Tool (MSDT). The vulnerability, patched but exploited successful the wild, first emerged arsenic a zero-day flaw successful May.

If the people strategy has not been protected, victims of Fancy Bear's attacks volition find their systems infected with the CredoMap malware.

According to Malwarebytes, CredoMap is an accusation stealer capable to exfiltrate browser data, cookies, and relationship credentials. Older variants of the malware person antecedently been used by APT28 against Ukrainian targets.

The tax-related doc, however, deploys Cobalt Strike beacons. Cobalt Strike is simply a legitimate, commercialized penetration investigating instrumentality that has, unfortunately, been abused for malicious purposes by cyberattackers for galore years. The tool's beacon functionality tin facilitate distant connections and tin beryllium utilized for the deployment of shellcode and malware.

Since Russia's penetration of Ukraine began, CERT-UA has pivoted its absorption to informing against cyberthreats impacting some Ukrainian businesses and residents. Many campaigns are trying to instrumentality vantage of the situation, whether connected behalf of the Russian authorities oregon conscionable arsenic run-of-the-mill attackers trying to marque a profit.

The bureau has antecedently warned organizations of Ghostwriter phishing campaigns, Invisimole activities tied to the Russian APT Gamaredon, and predominant misinformation schemes targeting Ukraine's residents.

CERT-UA has besides alerted Ukrainian media agencies to phishing campaigns, perchance conducted by the Russian Sandworm hacking group, intended to dispersed the CrescentImp malware.

Previous and related sum

Have a tip? Get successful interaction securely via WhatsApp | Signal astatine +447713 025 499, oregon implicit astatine Keybase: charlie0