The Laptop Emergency Response Crew of Ukraine (CERT-UA) on Tuesday mentioned it thwarted a cyber assault in opposition to an unnamed important vitality infrastructure facility within the nation.
The intrusion, per the company, began with a phishing e-mail containing a hyperlink to a malicious ZIP archive that prompts the an infection chain.
“Visiting the hyperlink will obtain a ZIP archive containing three JPG photographs (decoys) and a BAT file ‘weblinks.cmd’ to the sufferer’s laptop,” CERT-UA mentioned, attributing it to the Russian risk actor generally known as APT28 (aka BlueDelta, Fancy Bear, Forest Blizzard, or FROZENLAKE).
“When a CMD file is run, a number of decoy net pages will likely be opened, .bat and .vbs information will likely be created, and a VBS file will likely be launched, which in flip will execute the BAT file.”
The subsequent section of the assault includes operating the “whoami” command on the compromised host and exfiltrating the knowledge, alongside downloading the TOR hidden service to route malicious visitors.
Persistence is achieved by way of a scheduled job and distant command execution is applied utilizing cURL by way of a professional service referred to as webhook.web site, which was lately disclosed as utilized by a risk actor generally known as Darkish Pink.
CERT-UA mentioned the assault was finally unsuccessful owing to the truth that entry to Mocky and the Home windows Script Host (wscript.exe) was restricted. It is value noting that APT28 has been linked to the usage of Mocky APIs up to now.
Detect, Reply, Defend: ITDR and SSPM for Full SaaS Safety
Uncover how Identification Risk Detection & Response (ITDR) identifies and mitigates threats with the assistance of SSPM. Discover ways to safe your company SaaS purposes and defend your knowledge, even after a breach.
The disclosure comes amid continued phishing assaults concentrating on Ukraine, a few of which have been noticed leveraging an off-the-shelf malware obfuscation engine named ScruptCrypt to distribute AsyncRAT.
One other cyber assault mounted by GhostWriter (aka UAC-0057 or UNC1151) is alleged to have weaponized a lately disclosed zero-day flaw in WinRAR (CVE-2023-38831, CVSS rating: 7.8) to deploy PicassoLoader and Cobalt Strike, the company mentioned.
