Ukrainian organizations warned of hacking attempts using CredoMap malware and Cobalt Strike beacons

Ukrainian organizations have been subjected to new hacking attempts designed to drop malware and malicious Cobalt Strike beacons onto their networks.

On June 20, the Computer Emergency Response Team for Ukraine (CERT-UA) issued two advisories on hacking incidents, suspected to be the work of the threat groups APT28, also known as Fancy Bear, and UAC-0098.

The phishing campaign led by the Russian advanced persistent threat (APT) group APT28 sees it attempt to distribute a malicious document titled “Nuclear Terrorism, A Very Real Threat”. The distribution is believed to have taken place on June 10.

The UAC-0098 hacking attempts also start with a malicious email. The phishing messages are accompanied by a malicious document, “Imposition of Sanctions.docx”, and its distribution has been described as “persistent”, with an original compilation date of June 16.

This document is also distributed via a password-protected archive, fraudulently presented as a communication from the Ukrainian tax office, with the subject: “Notice of non-payment of tax”.

When opened, both documents automatically download an HTML file that launches malicious JavaScript containing an exploit for CVE-2022-30190.

Assigned a CVSS severity score of 7.8, CVE-2022-30190 is a Remote Code Execution (RCE) vulnerability in the Microsoft Windows Support Diagnostic Tool (MSDT). The vulnerability, since patched but exploited in the wild, first surfaced as a zero-day in May.
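The infection chain described above starts with a Word document that reaches out to an external HTML resource, and the HTML in turn invokes the MSDT protocol handler. Both stages leave artifacts a defender can check for without opening the document in Word. The following is an added example, not code from the CERT-UA advisories or from the original article: it unpacks an OOXML (.docx) file, lists every relationship whose TargetMode is External, flags object or template relationships that fetch content over HTTP(S), and separately checks retrieved HTML for a reference to the ms-msdt: URI scheme. The sample document and HTML are constructed inline; the hostname example.invalid is a placeholder, not an indicator from the page.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Namespace used by every *.rels part inside an OOXML package.
RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OOXML_REL_PREFIX = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"

# Relationship types that make Word fetch and render remote content on open.
# Ordinary hyperlinks are External too, but only fire on a user click, so
# they are deliberately not in this set.
AUTO_FETCH_TYPES = {"oleObject", "attachedTemplate", "frame", "subDocument"}

# The MSDT protocol handler abused by CVE-2022-30190 is reached via this scheme.
MSDT_SCHEME_RE = re.compile(r"ms-msdt:", re.IGNORECASE)


def external_relationships(docx_bytes):
    """Return (part_name, short_type, target) for every relationship in the
    package whose TargetMode is External, i.e. it points outside the file."""
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as package:
        for name in package.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(package.read(name))
            for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                if rel.get("TargetMode", "Internal") == "External":
                    short_type = rel.get("Type", "").rsplit("/", 1)[-1]
                    found.append((name, short_type, rel.get("Target", "")))
    return found


def suspicious_relationships(docx_bytes):
    """Flag auto-fetched external relationships whose target is an HTTP(S) URL.
    A clean document normally has none of these."""
    return [
        (part, rtype, target)
        for part, rtype, target in external_relationships(docx_bytes)
        if rtype in AUTO_FETCH_TYPES
        and target.lower().startswith(("http://", "https://"))
    ]


def html_references_msdt(html_text):
    """True if the HTML (e.g. a file fetched by a flagged relationship)
    contains a reference to the ms-msdt: URI scheme."""
    return MSDT_SCHEME_RE.search(html_text) is not None


def build_sample_docx(external_target=None):
    """Construct a minimal .docx in memory for testing. When external_target is
    given, an oleObject relationship pointing at it is added, which is the
    shape of document the advisory describes. Sample data, not a real lure."""
    buf = io.BytesIO()
    rels = [
        f'<Relationship Id="rId1" Type="{OOXML_REL_PREFIX}styles" Target="styles.xml"/>'
    ]
    if external_target is not None:
        rels.append(
            f'<Relationship Id="rId2" Type="{OOXML_REL_PREFIX}oleObject" '
            f'Target="{external_target}" TargetMode="External"/>'
        )
    with zipfile.ZipFile(buf, "w") as package:
        package.writestr(
            "[Content_Types].xml",
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>',
        )
        package.writestr(
            "word/document.xml",
            '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>',
        )
        package.writestr(
            "word/_rels/document.xml.rels",
            f'<Relationships xmlns="{RELS_NS}">{"".join(rels)}</Relationships>',
        )
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed samples: a benign document and one with a remote oleObject.
    for label, doc in (("clean", build_sample_docx()),
                       ("remote-object", build_sample_docx("http://example.invalid/lure.html"))):
        print(label, suspicious_relationships(doc))
    # Constructed HTML snippet containing only the scheme prefix being looked for.
    print("msdt reference:", html_references_msdt('<script>location.href = "ms-msdt:";</script>'))
```

Running the script on a real sample is a matter of passing the file's bytes to suspicious_relationships(); any hit should be treated as a reason to detonate the document in a sandbox rather than a user's workstation. The HTML check is intentionally a plain scheme match so that it also catches obfuscation-free variants that build the URI in script; it will not see a scheme assembled from fragments at runtime, so pair it with MSDT process-creation telemetry on the endpoint.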

If the target system has not been protected, victims of Fancy Bear attacks will find their systems infected with CredoMap malware.

According to Malwarebytes, CredoMap is an information stealer capable of exfiltrating browser data, cookies, and account credentials. Older variants of the malware have already been used by APT28 against Ukrainian targets.

The tax document, however, deploys Cobalt Strike beacons. Cobalt Strike is a legitimate commercial penetration testing tool which, unfortunately, has been used for malicious purposes by cyber attackers for many years. The tool’s beacon functionality can facilitate remote connections and can be used for shellcode and malware deployment.

Since the start of Russia’s invasion of Ukraine, CERT-UA has focused on warning of cyber threats affecting both Ukrainian businesses and residents. Many campaigns try to take advantage of the situation, either on behalf of the Russian state or simply as ordinary attackers trying to make a profit.

The agency has already warned organizations of Ghostwriter phishing campaigns, InvisiMole activity linked to the Russian APT Gamaredon, and frequent disinformation campaigns targeting residents of Ukraine.

CERT-UA also alerted the Ukrainian media agencies to phishing campaigns, potentially carried out by the Russian hacking group Sandworm, intended to spread the CrescentImp malware.
