As the war intensifies, threat actors are exploiting the humanitarian crisis to the full. Bitdefender Labs found waves of malicious campaigns that use the current geopolitical crisis as a lure for distributing malware. 

Diving into details

Since March 1, two phishing campaigns have been attempting to compromise targets with Agent Tesla and Remcos. 
  • They are using the war theme to gain remote access, perform network reconnaissance, pilfer sensitive information, disable security software, and make space for further payloads. 
  • The first campaign targets Ukrainian manufacturers with a ZIP attachment. It purportedly contains a survey that recipients are asked to fill out to help their customers develop backup plans. In reality, the attachment deploys Agent Tesla. 
  • The other malspam campaign poses as a South Korean healthcare firm that manufactures in-vitro diagnostic systems. Recipients are sent a message stating that all flights and shipments have been put on hold. It carries a macro-laced Excel document that abuses CVE-2017-11882, a Microsoft Equation Editor vulnerability, to deploy the Remcos RAT. 

Who are the targets?

  • Around 83% of the phishing emails delivering Agent Tesla originated from the Netherlands and targeted South Korea, the Czech Republic, the U.K., the U.S., and Germany. 
  • In the second campaign, 89% of the emails originated from German IP addresses, while targets are based in India, the U.S., Ireland, Vietnam, Russia, Australia, and South Africa. 
  • While the recent attacks were not particularly aimed at the Ukrainian population or infrastructure, researchers anticipate that the global tension will lead to further targeted attacks. These attacks could disrupt emergency responses and aid efforts. 

Crypto-donations scam surge

  • There has been an increase in the number of scammers impersonating legitimate charities, asking for donations to support Ukraine.
  • The perpetrators are impersonating the Ukrainian government, UNICEF, the Ukraine Crisis Relief Fund, and the Act for Peace. 
  • Some subject lines include: "HELP UKRAINE stop the war!"; "Ukraine Humanitarian Donation"; "Stand with the people of Ukraine. Now accepting cryptocurrency donations. Bitcoin, Ethereum, and USDT"; and "Subject: Help Ukraine", among others. 
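The two malspam campaigns and the donation-scam subject lines above share a small set of lure traits: a war-themed subject or body, a request for cryptocurrency, an impersonated charity name, and an archive or macro-capable Office attachment. The following mail-triage script is an added example written for this summary, not code from Bitdefender or Cyware; the sample messages are constructed to mirror the lures described and are not real captures.

```python
import re

# Constructed sample messages modelled on the lures described in the article; not real captures.
SAMPLE_EMAILS = [
    {"subject": "HELP UKRAINE stop the war!",
     "body": "Now accepting cryptocurrency donations. Send Bitcoin or USDT to our wallet.",
     "attachments": []},
    {"subject": "Customer backup plan survey",
     "body": "Because of the war, please fill out the attached survey so we can plan for our customers.",
     "attachments": ["survey.zip"]},
    {"subject": "All flights and shipments on hold",
     "body": "Due to the crisis all shipments are delayed; details are in the attached sheet.",
     "attachments": ["shipping_notice.xlsm"]},
    {"subject": "Quarterly invoice",
     "body": "Please find your invoice attached.",
     "attachments": ["invoice.pdf"]},
]

# Word-boundary patterns so that words like "software" or "forward" do not trigger the war theme.
WAR_THEME = re.compile(r"\b(ukraine|ukrainian|war|humanitarian|crisis|refugees?)\b", re.I)
CRYPTO_ASK = re.compile(r"\b(bitcoin|btc|ethereum|eth|usdt|cryptocurrency|crypto|wallet)\b", re.I)
IMPERSONATED = re.compile(r"\b(unicef|ukraine crisis relief fund|act for peace|ukrainian government)\b", re.I)
# Archive and macro-capable Office formats, as used by the two campaigns described above.
RISKY_EXT = (".zip", ".rar", ".7z", ".xls", ".xlsm", ".xlsb", ".doc", ".docm", ".rtf")


def triage(email):
    """Return the reasons an email matches the lure patterns (empty list means no match)."""
    text = f"{email['subject']}\n{email['body']}"
    reasons = []
    themed = bool(WAR_THEME.search(text))
    if themed:
        reasons.append("war-themed lure")
    # A crypto request only counts when it rides on the war theme, to limit false positives.
    if themed and CRYPTO_ASK.search(text):
        reasons.append("crypto donation request")
    if IMPERSONATED.search(text):
        reasons.append("impersonated charity name")
    for name in email["attachments"]:
        if name.lower().endswith(RISKY_EXT):
            reasons.append(f"risky attachment: {name}")
    return reasons


def verdict(reasons):
    """Map reasons to a gateway action: two or more indicators together are quarantined."""
    if len(reasons) >= 2:
        return "quarantine"
    return "review" if reasons else "deliver"


if __name__ == "__main__":
    for email in SAMPLE_EMAILS:
        r = triage(email)
        print(f"{verdict(r):10} {email['subject']!r} {r}")
```

The keyword lists are deliberately short and should be tuned to the organisation's own mail traffic; a single themed subject with no other indicator is only routed to review, not blocked.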

The bottom line

Major global events have always triggered malicious campaigns. Cybercriminals are intensifying their efforts to profit from the ongoing crisis. These emails play on the emotions of the recipients, so users should remain vigilant during these trying times. 

Cyware Publisher