/>
X

Ukrainian organizations warned of hacking attempts using CredoMap malware, Cobalt Strike beacons

Russian hackers continue their attempts to break into the systems of Ukrainian organisations, this time with phishing and fake emails.
charlie-osborne.jpg
Written by Charlie Osborne, Contributor on
getty-hacker-hands-on-a-keyboard.jpg
Image: Getty

Ukrainian organizations have been subjected to new hacking attempts tailored to drop malware and malicious Cobalt Strike beacons onto their networks.

On June 20, the Computer Emergency Response Team for Ukraine (CERT-UA) published two advisories on the hacking incidents, suspected of being the work of threat groups APT28 -- also known as Fancy Bear -- and UAC-0098.

The phishing campaign, conducted by Russian advanced persistent threat (APT) APT28, sees it attempting to spread a malicious document titled, "Nuclear Terrorism A Very Real Threat". Distribution is suspected of being carried out on June 10.

SEE: Ransomware attacks: This is the data that cyber criminals really want to steal

UAC-0098's hacking attempts also begins with a malicious email. The phishing messages have a malware document attached, "Imposition of penalties.docx," and its distribution has been described as "persistent" with an original compilation date of June 16.

This document is also spread through a password-protected archive, fraudulently passed off as communication from Ukraine's tax office, with the subject line: "Notice of non-payment of tax."

When opened, both documents automatically download an HTML file that initiates malicious JavaScript code containing an exploit for CVE-2022-30190.

Issued a CVSS severity score of 7.8, CVE-2022-30190 is a remote code execution (RCE) vulnerability in the Microsoft Windows Support Diagnostic Tool (MSDT). The vulnerability, patched but exploited in the wild, first emerged as a zero-day flaw in May.

If the target system has not been protected, victims of Fancy Bear's attacks will find their systems infected with the CredoMap malware.

According to Malwarebytes, CredoMap is an information stealer able to exfiltrate browser data, cookies, and account credentials. Older variants of the malware have previously been used by APT28 against Ukrainian targets.

The tax-related doc, however, deploys Cobalt Strike beacons. Cobalt Strike is a legitimate, commercial penetration-testing tool that has, unfortunately, been abused for malicious purposes by cyber attackers for many years. The tool's beacon functionality can facilitate remote connections and can be used for the deployment of shellcode and malware.

Since Russia's invasion of Ukraine began, CERT-UA has pivoted its focus to warning against cyber threats impacting both Ukrainian businesses and residents. Many campaigns are trying to take advantage of the situation, whether on behalf of the Russian state or just as run-of-the-mill attackers trying to make a profit.

SEE: Cloud computing security: Five things you are probably doing wrong

The agency has previously warned organizations of Ghostwriter phishing campaigns, Invisimole activities tied to the Russian APT Gamaredon, and frequent misinformation schemes targeting Ukraine's residents.

CERT-UA has also alerted Ukrainian media agencies to phishing campaigns, potentially conducted by the Russian Sandworm hacking group, intended to spread the CrescentImp malware.

Previous and related coverage


Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0


Related

The 5 best pressure cookers of 2022
replace-this-image.jpg

The 5 best pressure cookers of 2022

Kitchen & Household
The 6 best air fryers of 2022
replace-this-image.jpg

The 6 best air fryers of 2022

Kitchen & Household
The 5 best camping gear and tools of 2022
best-camping-gear-img-0082.jpg

The 5 best camping gear and tools of 2022

Yard & Outdoors