Russian state-sponsored hacking group APT28 (also known as Fancy Bear) is targeting various government bodies in Ukraine with malicious emails, posing as instructions on how to upgrade Windows for cyberattack defense, according to the Computer Emergency Response Team of Ukraine (CERT-UA).

The attackers created @outlook.com email addresses using the real employee names they acquired in the preparatory stages of the attack. Instead of legitimate instructions on upgrading Windows systems, the emails advise the recipients to run a PowerShell command, which downloads a PowerShell script on the computer. The script then simulates a Windows updating process while downloading a second PowerShell payload in the background.

The second-stage payload is an information harvesting tool that abuses the ‘tasklist’ and ‘systeminfo’ commands to gather data and sends it to a Mocky service API via an HTTP request. Mocky is a legitimate application that APT28 abused for data exfiltration.

Instructions sent to targets (CERT-UA)

CERT-UA recommends system administrators restrict PowerShell and monitor network traffic

CERT-UA recommends that system administrators monitor network traffic for connections to the Mocky service API and restrict the ability to launch PowerShell on critical computers.

This comes as Google’s Threat Analysis Group reports that 60% of all phishing emails targeting Ukraine in Q1 2023 originated from Russian threat actors, highlighting APT28’s contribution to malicious activity. Earlier in the month, US and UK intelligence services and Cisco warned about APT28 actively exploiting a zero-day flaw affecting the company’s routers to deploy a malware named ‘Jaguar Tooth’ to collect intelligence from US and EU-based targets.

Are u a security researcher? Or a company that writes articles or write ups about Cyber Security, Offensive Security (related to information security in general) that match with our specific audience and is worth sharing?

If you want to express your idea in an article contact us here for a quote: info@blackhatethicalhacking.com

Source: bleepingcomputer.com

Source Link

Russian state-sponsored hacking group APT28 (also known as Fancy Bear) is targeting various government bodies in Ukraine with malicious emails, posing as instructions on how to upgrade Windows for cyberattack defense, according to the Computer Emergency Response Team of Ukraine (CERT-UA).

The attackers created @outlook.com email addresses using the real employee names they acquired in the preparatory stages of the attack. Instead of legitimate instructions on upgrading Windows systems, the emails advise the recipients to run a PowerShell command, which downloads a PowerShell script on the computer. The script then simulates a Windows updating process while downloading a second PowerShell payload in the background.

The second-stage payload is an information harvesting tool that abuses the ‘tasklist’ and ‘systeminfo’ commands to gather data and sends it to a Mocky service API via an HTTP request. Mocky is a legitimate application that APT28 abused for data exfiltration.

Instructions sent to targets (CERT-UA)

CERT-UA recommends system administrators restrict PowerShell and monitor network traffic

CERT-UA recommends that system administrators monitor network traffic for connections to the Mocky service API and restrict the ability to launch PowerShell on critical computers.

This comes as Google’s Threat Analysis Group reports that 60% of all phishing emails targeting Ukraine in Q1 2023 originated from Russian threat actors, highlighting APT28’s contribution to malicious activity. Earlier in the month, US and UK intelligence services and Cisco warned about APT28 actively exploiting a zero-day flaw affecting the company’s routers to deploy a malware named ‘Jaguar Tooth’ to collect intelligence from US and EU-based targets.

Are u a security researcher? Or a company that writes articles or write ups about Cyber Security, Offensive Security (related to information security in general) that match with our specific audience and is worth sharing?

If you want to express your idea in an article contact us here for a quote: info@blackhatethicalhacking.com

Source: bleepingcomputer.com

Source Link