CERT-UA Warns of Phishing Attacks Targeting Ukraine's Defense and Security Force
Summary:
Ukraine's Computer Emergency Response Team (CERT-UA) has issued a warning about a new wave of phishing attacks targeting the country’s defense sector, including both defense companies and security forces. These attacks are attributed to UAC-0185, a Russia-linked cyber actor active since at least 2022. According to CERT-UA, the phishing emails are disguised as official communications from the Ukrainian League of Industrialists and Entrepreneurs, inviting recipients to a conference in Kyiv on December 5th. The event is promoted as an opportunity to align the products of domestic defense companies with NATO standards.
The emails contain a malicious URL presented as a link to further details about the conference. Recipients who click it are prompted to download a Windows shortcut (LNK) file. Once opened, the shortcut executes an HTML application (HTA) whose embedded JavaScript runs PowerShell commands, and those commands fetch additional payloads. One PowerShell command opens a decoy document (a letter from the USPP, the Ukrainian League of Industrialists and Entrepreneurs), while another downloads a ZIP archive containing a batch script, a second HTML application, and an executable. The batch script runs the HTML application, which in turn launches the executable (a MeshAgent binary), giving the attacker remote control of the compromised system.
Security Officer Comments:
According to CERT-UA, the primary goal of UAC-0185 is to steal credentials for messaging platforms such as Signal, Telegram, and WhatsApp, as well as for military systems like DELTA, TENETA, and Kropyva. The latest wave of attacks, however, has been more targeted and limited in scope. These attacks focus on gaining unauthorized remote access to the computers of employees within Ukraine’s defense-industrial companies, as well as members of the Ukrainian Defense Forces. To achieve this, the attackers are using specialized remote access tools, including MESHAGENT and ULTRAVNC.
Suggested Corrections:
Organizations should implement advanced email filtering and phishing detection to block malicious URLs and attachments. Multi-factor authentication should be enforced on critical systems, including messaging platforms and military applications. Endpoint protection tools, including anti-malware and endpoint detection and response systems, should be used to detect and block unauthorized remote access tools like MESHAGENT and ULTRAVNC. Regular security awareness training and simulated phishing campaigns can also help employees recognize such threats.
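The execution chain described above (LNK → HTA → PowerShell → ZIP with batch script → HTA → executable) leaves a distinctive parent/child process pattern that the endpoint detection suggested here can key on. The following is an added illustration, not code from CERT-UA or from The Hacker News article: it runs three simple rules over process-creation events. The key=value log format, the host names, the file paths and the command lines are all constructed for the example and are not indicators from the advisory.

```python
"""
Flag the HTA -> PowerShell -> batch -> HTA -> executable process chain
in process-creation events (defensive detection example).

The event format (key=value pairs, one event per line) and every value in
SAMPLE_LOG are constructed assumptions for this example; nothing here is
taken from the CERT-UA advisory.
"""
import re

# Constructed sample events: host ws01 shows the full chain, ws02 shows a
# benign PowerShell launch that must not trigger any rule.
SAMPLE_LOG = """\
ts=1 host=ws01 pid=100 ppid=1 image=C:\\Windows\\explorer.exe cmd="explorer.exe"
ts=2 host=ws01 pid=101 ppid=100 image=C:\\Windows\\System32\\mshta.exe cmd="mshta.exe C:\\Users\\u\\Downloads\\conference.hta"
ts=3 host=ws01 pid=102 ppid=101 image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe cmd="powershell.exe -w hidden -c ..."
ts=4 host=ws01 pid=103 ppid=102 image=C:\\Windows\\System32\\cmd.exe cmd="cmd.exe /c C:\\Users\\u\\AppData\\Local\\Temp\\run.bat"
ts=5 host=ws01 pid=104 ppid=103 image=C:\\Windows\\System32\\mshta.exe cmd="mshta.exe C:\\Users\\u\\AppData\\Local\\Temp\\stage2.hta"
ts=6 host=ws01 pid=105 ppid=104 image=C:\\Users\\u\\AppData\\Local\\Temp\\agent.exe cmd="agent.exe"
ts=7 host=ws02 pid=200 ppid=1 image=C:\\Windows\\explorer.exe cmd="explorer.exe"
ts=8 host=ws02 pid=201 ppid=200 image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe cmd="powershell.exe -File C:\\scripts\\inventory.ps1"
"""

# Executables living under these prefixes are treated as OS binaries; anything
# else started by mshta.exe is suspicious (assumed list, extend for your estate).
SYSTEM_DIRS = ("c:\\windows\\",)

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_events(text):
    """Parse key=value lines into a dict keyed by (host, pid)."""
    events = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
        fields["pid"] = int(fields["pid"])
        fields["ppid"] = int(fields["ppid"])
        fields["ts"] = int(fields["ts"])
        events[(fields["host"], fields["pid"])] = fields
    return events


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def ancestors(events, ev):
    """Yield parent, grandparent, ... of ev on the same host (cycle-safe)."""
    cur, seen = ev, set()
    while True:
        key = (cur["host"], cur["ppid"])
        if key not in events or key in seen:
            return
        seen.add(key)
        cur = events[key]
        yield cur


def detect(events):
    """Return (host, pid, rule) findings for the staged HTA/PowerShell chain."""
    findings = []
    for ev in sorted(events.values(), key=lambda e: e["ts"]):
        name = basename(ev["image"])
        chain = [basename(a["image"]) for a in ancestors(events, ev)]  # parent first
        parent = chain[0] if chain else None
        # Rule 1: the HTA opened by the shortcut spawning PowerShell.
        if name == "powershell.exe" and parent == "mshta.exe":
            findings.append((ev["host"], ev["pid"], "hta_spawns_powershell"))
        # Rule 2: a batch script (cmd.exe) that descends from PowerShell
        # relaunching mshta.exe, i.e. the second-stage HTA from the ZIP archive.
        if name == "mshta.exe" and parent == "cmd.exe" and "powershell.exe" in chain:
            findings.append((ev["host"], ev["pid"], "batch_relaunches_hta"))
        # Rule 3: mshta.exe starting an executable outside the Windows directory,
        # the final stage where the remote-access binary is launched.
        if parent == "mshta.exe" and not ev["image"].lower().startswith(SYSTEM_DIRS):
            findings.append((ev["host"], ev["pid"], "hta_launches_user_path_exe"))
    return findings


if __name__ == "__main__":
    for host, pid, rule in detect(parse_events(SAMPLE_LOG)):
        print(f"{host} pid={pid} {rule}")
```

The rules deliberately match on process lineage rather than on file names or hashes, so a renamed agent binary or a re-hosted ZIP still trips them; the trade-off is that legitimate HTA-based tooling in your environment will need an allow-list before these fire as alerts rather than as hunting leads.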
IOCs:
https://cert.gov.ua/article/6281632
Link(s):
https://thehackernews.com/2024/12/cert-ua-warns-of-phishing-attacks.html