
Ukrainian organizations warned of hacking attempts using CredoMap malware, Cobalt Strike beacons

June 22, 2022 Hi-network.com

Ukrainian organizations have been subjected to new hacking attempts tailored to drop malware and malicious Cobalt Strike beacons onto their networks.

On June 20, the Computer Emergency Response Team for Ukraine (CERT-UA) published two advisories on the hacking incidents, suspected of being the work of threat groups APT28 -- also known as Fancy Bear -- and UAC-0098.


The phishing campaign attributed to the Russian advanced persistent threat (APT) group APT28 attempts to spread a malicious document titled "Nuclear Terrorism A Very Real Threat". Distribution is believed to have taken place on June 10.


UAC-0098's hacking attempts also begin with a malicious email. The phishing messages carry a malicious document attached as "Imposition of penalties.docx"; its distribution has been described as "persistent", and the file has an original compilation date of June 16.

This document is also spread through a password-protected archive, fraudulently passed off as communication from Ukraine's tax office, with the subject line: "Notice of non-payment of tax."

When opened, both documents automatically download an HTML file that initiates malicious JavaScript code containing an exploit for CVE-2022-30190.

Issued a CVSS severity score of 7.8, CVE-2022-30190 is a remote code execution (RCE) vulnerability in the Microsoft Windows Support Diagnostic Tool (MSDT). The vulnerability, patched but exploited in the wild, first emerged as a zero-day flaw in May.
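The two lures described above share one structural trait: the document itself carries no exploit, only a reference that makes Office fetch a remote HTML page when the file is opened, and that page then hands control to MSDT. That trait is also what a defender can check for before a document ever reaches a user. The scanner below is an added example, not code from the article, CERT-UA or the original advisories; it builds constructed sample documents in memory (the `example.invalid` URLs and relationship parts are assumptions, not the real lure files) and flags an embedded object whose target is a remote URL, then separately checks fetched HTML for the `ms-msdt:` URI scheme that the vulnerable diagnostic tool handles.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Namespace of the Office Open XML relationship parts (word/_rels/*.rels).
REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
REMOTE_URL = re.compile(r"^(https?|ftp)://", re.IGNORECASE)
# URI scheme routed to the Windows Support Diagnostic Tool, the component
# affected by CVE-2022-30190; a web page a document fetches has no
# legitimate reason to reference it.
MSDT_SCHEME = re.compile(r"ms-msdt:", re.IGNORECASE)


def build_docx(rels_xml: str) -> bytes:
    """Build a minimal .docx container around one relationship part.

    Constructed sample only: just enough package structure for the scanner
    below, not a real document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()


def external_relationships(docx_bytes: bytes) -> list:
    """Return every relationship in any .rels part that points outside the package."""
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(REL_NS + "Relationship"):
                target = rel.get("Target", "")
                if rel.get("TargetMode") == "External" or REMOTE_URL.match(target):
                    found.append({
                        "part": name,
                        "kind": rel.get("Type", "").rsplit("/", 1)[-1],
                        "target": target,
                    })
    return found


def triage_docx(docx_bytes: bytes) -> str:
    """Classify a document as 'suspicious', 'external-links' or 'clean'.

    An embedded object (oleObject relationship) with a remote target is the
    shape the advisories describe: Office fetches it as soon as the file is
    opened. Ordinary hyperlinks are external too but only act on a click, so
    they are reported separately instead of being treated as an infection marker."""
    rels = external_relationships(docx_bytes)
    if any(r["kind"] == "oleObject" and REMOTE_URL.match(r["target"]) for r in rels):
        return "suspicious"
    return "external-links" if rels else "clean"


def html_invokes_msdt(html: str) -> bool:
    """True if fetched HTML/JavaScript references the ms-msdt: scheme."""
    return MSDT_SCHEME.search(html) is not None


# Constructed samples (assumed structure, not the real lure files).
SUSPICIOUS_RELS = (
    '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
    '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/'
    'relationships/styles" Target="styles.xml"/>'
    '<Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/'
    'relationships/oleObject" Target="http://example.invalid/stage.html!" TargetMode="External"/>'
    "</Relationships>"
)
HYPERLINK_RELS = (
    '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
    '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/'
    'relationships/hyperlink" Target="https://example.invalid/page" TargetMode="External"/>'
    "</Relationships>"
)
CLEAN_RELS = (
    '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
    '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/'
    'relationships/styles" Target="styles.xml"/>'
    "</Relationships>"
)
STAGE_HTML = "<html><script>window.location.href = 'ms-msdt:' + '<placeholder>';</script></html>"
PLAIN_HTML = "<html><body><p>Quarterly report</p></body></html>"

if __name__ == "__main__":
    for label, rels in (("lure", SUSPICIOUS_RELS), ("link", HYPERLINK_RELS), ("clean", CLEAN_RELS)):
        print(label, triage_docx(build_docx(rels)))
    print("stage html references ms-msdt:", html_invokes_msdt(STAGE_HTML))
```

In a mail gateway or sandbox the `triage_docx` verdict is the cheap pre-filter; the `html_invokes_msdt` check belongs where the document's outbound fetch is proxied, since the HTML is never inside the attachment. Both are signals for detection and quarantine, not a substitute for the May patch the article refers to.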

If the target system has not been protected, victims of Fancy Bear's attacks will find their systems infected with the CredoMap malware.

According to Malwarebytes, CredoMap is an information stealer able to exfiltrate browser data, cookies, and account credentials. Older variants of the malware have previously been used by APT28 against Ukrainian targets.

The tax-related doc, however, deploys Cobalt Strike beacons. Cobalt Strike is a legitimate, commercial penetration-testing tool that has, unfortunately, been abused for malicious purposes by cyber attackers for many years. The tool's beacon functionality can facilitate remote connections and can be used for the deployment of shellcode and malware.

Since Russia's invasion of Ukraine began, CERT-UA has pivoted its focus to warning against cyber threats impacting both Ukrainian businesses and residents. Many campaigns are trying to take advantage of the situation, whether on behalf of the Russian state or just as run-of-the-mill attackers trying to make a profit.


The agency has previously warned organizations of Ghostwriter phishing campaigns, InvisiMole activity tied to the Russian APT Gamaredon, and frequent misinformation schemes targeting Ukraine's residents.

CERT-UA has also alerted Ukrainian media agencies to phishing campaigns, potentially conducted by the Russian Sandworm hacking group, intended to spread the CrescentImp malware.

Previous and related coverage

  • Ukraine security agencies warn of Ghostwriter threat activity, phishing campaigns
  • Ukraine warns of InvisiMole attacks tied to state-sponsored Russian hackers
  • Cyberattacks and misinformation activity against Ukraine continues say security researchers

Have a tip? Get in touch securely via WhatsApp or Signal at +447713 025 499, or over at Keybase: charlie0
