Cyber attack UAC-0020 (Vermin) Using the Topic of Prisoners of War in the Kursk Direction; New Tool

Summary:
Ukraine’s Computer Emergency Response Team (CERT-UA) is warning of a new phishing campaign that distributes emails on the subject of ‘prisoners of war’ to infect end users with malware. In this case, the emails contain photos of alleged prisoners of war from the Kursk region and urge recipients to click a link that downloads a malicious ZIP archive. Inside this archive is a CHM file that contains an HTML file with embedded JavaScript code, which in turn launches an obfuscated PowerShell script. This PowerShell script downloads components of a known spyware called SPECTR, as well as a new malware dubbed FIRMACHAGENT, whose role is to retrieve the data stolen by SPECTR and send it to a remote command-and-control server. The script also creates scheduled tasks, allowing the actors to maintain persistent access to victim environments.
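The infection chain above (a CHM file opened by the HTML Help executable, hh.exe, which then spawns an obfuscated PowerShell process, followed by scheduled-task persistence) leaves a recognisable trail in process-creation telemetry. The script below is an added detection example written for this summary; it is not code from CERT-UA or from the linked advisory. The log records are constructed Sysmon-style process-creation events with hypothetical hosts and paths, the field names are assumptions, and the encoded command decodes to a harmless placeholder string.

```python
"""Hunt for the CHM -> PowerShell chain and scheduled-task persistence in
process-creation events. Added example; not CERT-UA code. Event schema,
hosts and paths are constructed assumptions."""
import base64
import re
from typing import Dict, List, Optional

HH_EXE = "hh.exe"                      # Windows HTML Help viewer; opens .chm files
POWERSHELL = {"powershell.exe", "pwsh.exe"}

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
ENC_RE = re.compile(r"(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
HIDDEN_RE = re.compile(r"(?:^|\s)-w(?:indowstyle)?\s+hidden", re.IGNORECASE)

# Benign placeholder payload, base64 of UTF-16LE as PowerShell expects.
_PLACEHOLDER = base64.b64encode("Write-Output 'placeholder'".encode("utf-16le")).decode("ascii")

# Constructed Sysmon-style (Event ID 1) records: parent image, child image, command line.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"host": "ws01", "parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\hh.exe",
     "cmdline": r'"C:\Windows\hh.exe" C:\Users\user\Downloads\list.chm'},
    {"host": "ws01", "parent": r"C:\Windows\hh.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoP -W Hidden -EncodedCommand " + _PLACEHOLDER},
    {"host": "ws02", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"},
    {"host": "ws01", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /Create /TN Updater /SC MINUTE /TR "powershell.exe -File C:\Users\user\AppData\Local\u.ps1"'},
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (handles both slash styles)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded -EncodedCommand payload, None if absent, or a marker if undecodable."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return "<undecodable>"


def analyze(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Apply three rules derived from the reported chain and return the findings in event order."""
    findings: List[Dict[str, str]] = []
    for ev in events:
        parent, image, cmd = basename(ev["parent"]), basename(ev["image"]), ev["cmdline"]
        # Rule 1: the HTML Help viewer should never need to start PowerShell.
        if parent == HH_EXE and image in POWERSHELL:
            findings.append({"host": ev["host"], "rule": "chm_spawned_powershell", "detail": cmd})
        # Rule 2: encoded or hidden-window PowerShell is a common obfuscation sign.
        if image in POWERSHELL:
            decoded = decode_encoded_command(cmd)
            if decoded is not None or HIDDEN_RE.search(cmd):
                findings.append({"host": ev["host"], "rule": "encoded_or_hidden_powershell",
                                 "detail": decoded if decoded is not None else cmd})
        # Rule 3: a scheduled task whose action is PowerShell matches the persistence step.
        low = cmd.lower()
        if image == "schtasks.exe" and "/create" in low and any(p in low for p in POWERSHELL):
            findings.append({"host": ev["host"], "rule": "scheduled_task_runs_powershell", "detail": cmd})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"{f['host']}: {f['rule']} -> {f['detail'][:80]}")
```

Rule 1 is the high-signal one: hh.exe has no legitimate reason to spawn a shell, so a single match is worth an alert on its own, whereas the encoded-command and scheduled-task rules produce benign hits in many environments (the `backup.ps1` event above is deliberately not flagged) and are better used to enrich or correlate. Decoding the -EncodedCommand argument at detection time lets analysts triage without re-running anything from the host.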

Security Officer Comments:
As of this writing, the scope of this campaign and its victim targeting remain unclear. Based on the tooling (SPECTR) employed, CERT-UA has attributed the campaign to a threat cluster tracked as UAC-0020, aka Vermin, a group assessed to be linked to the security agencies of the Luhansk People's Republic (LPR). Back in June, CERT-UA released an advisory warning that Vermin was targeting the country's defense forces with SPECTR, a tool designed to harvest a wide range of data, including files, screenshots, credentials, and data from instant messaging apps such as Element, Signal, Skype, and Telegram. The end goal of this latest campaign is similar: the actors are looking for data that might be of interest to the Russian Kremlin.

Suggested Corrections:
To reduce the attack surface of these campaigns, CERT-UA recommends limiting the number of user accounts with administrator privileges and applying appropriate policies to prevent users from launching files with the .CHM extension, or powershell.exe in general.

IOCs are listed in the CERT-UA article linked below.

Link(s):
https://cert.gov.ua/article/6280422
https://thehackernews.com/2024/08/cert-ua-warns-of-new-vermin-linked.html