The Cyber Incident Response Operations Center of the State Cyber Protection Centre of Ukraine has prepared a detailed analysis of UAC-0114 campaign targeted at public institutions of Ukraine and the Republic of Poland.
UAC-0114 (known as WinterVivern) is a group of unidentified persons (probably involving russian-speaking members) whose activity is targeted at European public institutions and organizations.
The recent campaign was targeted at Ukrainian and Polish governmental organizations via the fake web pages that imitated the legitimate web resources of the Ministry of Foreign Affairs of Ukraine and the Central Cybercrime Bureau of Poland.
The tactics, techniques and procedures applied by the offenders are well known: they use e-mail subjects connected with malware scans to gain primary access. Analysis of the activities of the latest campaigns confirms that phishing remains the major attack technique. However, the enemy now uses phishing link instead of Microsoft Excel Documents with malicious XLM scripts used in the previous campaigns associated with the group. The link goes to a fake web page with the malware embedded in it.
According to the statement by CERT-UA, the same technique was applied during the cyberattack waged in June 2022 by means of a phishing link to a fraud web page that imitated the web interface of the mail service of the Ministry of Defense of Ukraine.
One of the malicious files named “Detection_of_malicious_software.exe” (APERETIF) used during that cyberattack contains a specific path “C:\Users\user_1\source\repos\Aperitivchick\Release\SystemProtector.pdb”, which leads to an assumption with high confidence that the group is affiliated with russian-speaking members.
Based on the compilation date, APERETIF malware started to be used not earlier than on May 25, 2022.
The exfiltration function that had been used before was connected with stealing detailed information on the infected system, but it was not detected during the latest campaign.
The new analyzed versions of PowerShell play loads contain instructions on screen shot exfiltration as well as enumerated files with specific extensions together with their content from Desktop directory.
Owing to persistence at the infected hosts, additional play loads can be downloaded, where necessary.
The detailed analysis of the activity that presents the potential infection chain is considered in the report.
By topic «Security»
More news