New phishing campaign disguised as Ukrainian security service attacks government computers

A new phishing campaign has been discovered targeting Ukrainian government computers and posing as the Security Service of Ukraine.

The campaign was exposed by the Computer Emergency Response Team of Ukraine (CERT-UA), in an alert that revealed that if successful, the attack could spread malicious software enabling remote desktop access.

Since July 2024, more than 100 computers have been infected by the campaign.

ANONVNC malware

CERT-UA has labeled the activity as UAC-0198, with the malware used by the attackers being a modification of the MeshAgent remote management system. The attackers send an email that appears to be from the Security Service of Ukraine and contains a ZIP file with an MSI installer loaded with the malware called ANONVNC.
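The delivery chain described above (an email carrying a ZIP that contains an MSI installer) can be checked for at the mail gateway. The following Python sketch is an added example, not code from CERT-UA or the original article; the file names and addresses are constructed, and using the OLE2 header to spot renamed installers is an assumption of this example, not an indicator published in the alert.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# OLE2 compound-file header: used by .msi, but also by legacy Office files.
OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")
LEGACY_OFFICE = (".doc", ".xls", ".ppt", ".msg")

def msi_members(zip_bytes):
    """Names of ZIP members that look like MSI installers (heuristic)."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename.lower()
            if info.is_dir():
                continue
            head = b""
            if not info.flag_bits & 0x1:  # encrypted members: judge by name only
                with zf.open(info) as fh:
                    head = fh.read(8)
            # An installer renamed to another extension still starts with OLE2 magic.
            renamed = head == OLE2_MAGIC and not name.endswith(LEGACY_OFFICE)
            if name.endswith(".msi") or renamed:
                hits.append(info.filename)
    return hits

def scan_message(raw):
    """Return (attachment, member) pairs for ZIP attachments carrying an MSI."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        if not zipfile.is_zipfile(io.BytesIO(data)):
            continue
        try:
            findings += [(part.get_filename(), m) for m in msi_members(data)]
        except zipfile.BadZipFile:
            continue  # malformed archive: leave to other gateway controls
    return findings

def build_sample(member_name, member_bytes):
    """Constructed test e-mail: one ZIP attachment holding a single member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, member_bytes)
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.org", "b@example.org", "sample"
    m.set_content("See attachment.")
    m.add_attachment(buf.getvalue(), maintype="application",
                     subtype="zip", filename="docs.zip")
    return m.as_bytes()
```
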

CERT-UA also warned that an additional threat actor, dubbed UAC-0057, was distributing PicassoLoader malware via phishing attacks, ultimately leading to the deployment of the Cobalt Strike Beacon software.

In a statement about the attacks, CERT-UA warned: “It is reasonable to assume that the objects of interest of UAC-0057 may be both specialists of project offices and their ‘contractors’ from among the employees of the relevant local governments of Ukraine.”

Another threat actor, UAC-0102, has been running a campaign using phishing emails with HTML attachments that resemble the UKR.NET login page. Any credentials entered are stolen by the attackers.

Ukraine has been increasingly targeted by cyberattacks since the Russian invasion in February 2022, with several attempts to disable key infrastructure, such as mobile networks and internet providers, proving successful.

Via TheHackerNews
