UAC-0226 Targets Ukrainian Entities with GIFTEDCROOK Stealer via Malicious Excel Files

The Computer Emergency Response Team of Ukraine (CERT-UA) has identified a series of cyber attacks targeting Ukrainian institutions, particularly military formations, law enforcement agencies, and local self-government bodies near the eastern border. These attacks involve the dissemination of phishing emails containing macro-enabled Microsoft Excel spreadsheets (XLSM). When recipients open these spreadsheets and enable macros, two types of malware are deployed:

1. PowerShell Script: Sourced from the "Powershell Scripts With 100% AV Bypass" GitHub repository, this script establishes a reverse shell, allowing attackers to remotely control the compromised system.

2. GIFTEDCROOK Stealer: A newly identified information-stealing malware written in C/C++. GIFTEDCROOK extracts sensitive data from web browsers such as Google Chrome, Microsoft Edge, and Mozilla Firefox, including cookies, browsing history, and authentication credentials.

The phishing emails are crafted to appear legitimate, often sent from compromised accounts via web-based email clients. They use subject lines and file names referencing pertinent issues like demining operations, administrative fines, UAV production, and compensation for destroyed property to entice recipients into opening the malicious attachments.

CERT-UA has attributed these activities to a threat actor designated as UAC-0226. While the specific nation-state affiliation of UAC-0226 remains undetermined, the tactics, techniques, and procedures (TTPs) employed bear similarities to those used by other advanced persistent threat (APT) groups.

This development coincides with reports of a suspected Russian-linked espionage group, UNC5837, conducting phishing campaigns against European government and military organizations. In October 2024, UNC5837 utilized signed .RDP file attachments to establish Remote Desktop Protocol connections from victims’ machines. Unlike typical RDP attacks that focus on interactive sessions, this campaign leveraged resource redirection and RemoteApps to access and exfiltrate sensitive data.
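Both lure types described in this report, the macro-enabled Excel attachments used by UAC-0226 and the .RDP attachments with resource redirection used by UNC5837, can be triaged by content rather than by file extension at a mail gateway. The following is an added illustration, not code from CERT-UA or any of the vendors named here; the helper names are hypothetical, and the Excel container and .rdp text it checks are constructed samples, not real lures.

```python
import io
import zipfile

def build_sample_xlsm(with_macro: bool) -> bytes:
    """Constructed minimal OOXML zip; with_macro adds the VBA project part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("xl/workbook.xml", "<workbook/>")
        if with_macro:
            z.writestr("xl/vbaProject.bin", b"\x00" * 16)  # placeholder bytes
    return buf.getvalue()

# Constructed .rdp text: drive and clipboard redirection plus RemoteApp mode on.
SAMPLE_RDP = (
    "full address:s:rdp.example.invalid\r\n"
    "drivestoredirect:s:*\r\n"
    "redirectclipboard:i:1\r\n"
    "remoteapplicationmode:i:1\r\n"
)
# mstsc settings that redirect local resources or enable RemoteApp mode
RDP_RISKY_KEYS = ("drivestoredirect", "redirectclipboard", "remoteapplicationmode")

def has_vba_project(data: bytes) -> bool:
    """True if an OOXML container (a zip) carries a VBA project part."""
    if data[:2] != b"PK":
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            return any(n.lower().endswith("vbaproject.bin") for n in z.namelist())
    except zipfile.BadZipFile:
        return False

def rdp_redirection_flags(text: str) -> list:
    """Risky .rdp settings that are present and not disabled (value '' or '0')."""
    flags = []
    for line in text.splitlines():
        parts = line.strip().split(":", 2)  # key:type:value
        if len(parts) != 3 or parts[0].lower() not in RDP_RISKY_KEYS:
            continue
        if parts[2] not in ("", "0"):
            flags.append(line.strip())
    return flags

def classify_attachment(data: bytes) -> str:
    """Label by content, not extension: office-macro, office, rdp-redirect, other."""
    if has_vba_project(data):
        return "office-macro"
    if data[:2] == b"PK":
        return "office"
    text = data.decode("utf-8", errors="ignore")
    if "full address:s:" in text.lower() and rdp_redirection_flags(text):
        return "rdp-redirect"
    return "other"
```

Attachments labelled office-macro or rdp-redirect are the ones worth quarantining or routing to analyst review; the labels are a triage signal, not a verdict.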

The UNC5837 campaign was previously documented by CERT-UA, Amazon Web Services, and Microsoft in October 2024, and later by Trend Micro in December. CERT-UA tracks this activity under the identifier UAC-0215, while other cybersecurity entities have linked it to the Russian state-sponsored hacking group APT29.

Notably, the RDP campaign likely employed an open-source tool called PyRDP to automate malicious activities such as file exfiltration and clipboard capture, including potentially sensitive data like passwords. The primary objective of UNC5837 appears to be espionage and data theft.

In recent months, phishing campaigns have also been observed using fake CAPTCHAs and Cloudflare Turnstile to distribute Legion Loader (also known as Satacom). This loader serves as a conduit to drop a malicious Chromium-based browser extension named Save to Google Drive, further highlighting the evolving tactics of cyber adversaries.