Russian Sandworm Hackers Impersonate Ukrainian Telecoms to Distribute Malware – The Hacker News

A threat cluster linked to the Russian nation-state actor tracked as Sandworm has continued its targeting of Ukraine with commodity malware by masquerading as telecom providers, new findings show.
Recorded Future said it discovered new infrastructure belonging to UAC-0113 that mimics operators like Datagroup and EuroTransTelecom to deliver payloads such as Colibri loader and Warzone RAT.
The attacks are said to be an expansion of the same campaign that previously distributed DCRat (or DarkCrystal RAT) using phishing emails with legal aid-themed lures against telecommunications providers in Ukraine.
Sandworm is a destructive Russian threat group that’s best known for carrying out attacks such as the 2015 and 2016 attacks on the Ukrainian electrical grid and the 2017 NotPetya attacks. It’s confirmed to be Unit 74455 of Russia’s GRU military intelligence agency.
The adversarial collective, also known as Voodoo Bear, sought to damage high-voltage electrical substations, computers and networking equipment for the third time in Ukraine earlier this April through a new variant of a piece of malware known as Industroyer.
Since Russia’s invasion of Ukraine, the group has also unleashed numerous other attacks, including leveraging the Follina vulnerability (CVE-2022-30190) in the Microsoft Windows Support Diagnostic Tool (MSDT) to breach media entities in the Eastern European nation.
In addition, it was uncovered as the mastermind behind a new modular botnet called Cyclops Blink that enslaved internet-connected firewall devices and routers from WatchGuard and ASUS.
The U.S. government, for its part, has announced up to $10 million in rewards for information on six hackers associated with the APT group for participating in malicious cyber activities against critical infrastructure in the country.
“A transition from DarkCrystal RAT to Colibri Loader and Warzone RAT demonstrates UAC-0113’s broadening but continuing use of publicly available commodity malware,” Recorded Future said.
In the attacks, the fraudulent domains host a web page purportedly about the “Odesa Regional Military Administration,” while an encoded ISO image payload is stealthily deployed via a technique referred to as HTML smuggling.
HTML smuggling, as the name suggests, is an evasive malware delivery technique that leverages legitimate HTML and JavaScript features to distribute malware and get around conventional security controls.
Recorded Future also said it identified points of similarity with another HTML dropper attachment put to use by the APT29 threat actor in a campaign aimed at Western diplomatic missions between May and June 2022.
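As an added illustration of the detection side (not code from the article, from Recorded Future, or from any of the samples it describes): a small Python scanner that flags HTML attachments carrying the two things HTML smuggling relies on, client-side reassembly of an embedded payload and a hand-off to the browser's download path, with an ISO-style container name or a large base64 blob as corroboration. The fixtures, indicator names and the verdict rule are my own constructed assumptions.

```python
import re

# Token patterns typical of HTML-smuggling droppers: the payload travels inside the
# HTML (usually base64), is decoded and wrapped in a Blob on the client, and is then
# pushed to the user as a download (often a container format such as .iso).
INDICATORS = {
    "base64_decode":   re.compile(r"\batob\s*\("),
    "blob_assembly":   re.compile(r"\bnew\s+Blob\s*\("),
    "object_url":      re.compile(r"\bcreateObjectURL\s*\("),
    "legacy_save":     re.compile(r"\bmsSaveOrOpenBlob\b|\bmsSaveBlob\b"),
    "download_attr":   re.compile(r"\.download\s*=|\bdownload\s*=\s*['\"]"),
    "synthetic_click": re.compile(r"\.click\s*\(\s*\)"),
    "container_name":  re.compile(r"['\"][^'\"]{0,80}\.(?:iso|img|lnk|zip)['\"]", re.I),
    "large_b64":       re.compile(r"[A-Za-z0-9+/]{400,}={0,2}"),
}
ASSEMBLY = {"blob_assembly", "legacy_save"}
DELIVERY = {"object_url", "legacy_save", "download_attr", "synthetic_click"}

def scan_html(html: str) -> dict:
    """Return the matched indicators and a verdict for one HTML document."""
    hits = {name for name, rx in INDICATORS.items() if rx.search(html)}
    # A lone hit (e.g. a harmless atob on a session token) is normal web code;
    # require assembly + delivery plus evidence of an embedded container payload.
    suspicious = bool(hits & ASSEMBLY) and bool(hits & DELIVERY) and (
        "large_b64" in hits or "container_name" in hits)
    return {"indicators": sorted(hits), "suspicious": suspicious}

# Constructed fixtures (not real samples): a benign form page, and a page with the
# token pattern of a smuggling dropper. The "payload" is filler, not a real ISO,
# and the script is deliberately not a working dropper.
BENIGN_HTML = """<html><body>
<form action="/apply"><input name="name"><button>Submit</button></form>
<script>const token = atob("aGVsbG8=");</script>
</body></html>"""

SMUGGLING_HTML = """<html><body><p>Odesa Regional Military Administration</p>
<script>
var enc = "%s";
var blob = new Blob([atob(enc)], {type: "application/octet-stream"});
var link = {};
link.download = "document.iso";
link.href = URL.createObjectURL(blob);
link.click();
</script></body></html>""" % ("QUFB" * 200)

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_HTML), ("smuggling", SMUGGLING_HTML)):
        print(label, scan_html(doc))
```

The same `scan_html` can be run over HTML attachments pulled from a mail gateway quarantine; the indicator list in the result shows which tokens drove the verdict, which is what an analyst needs when tuning the rule.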
“It is currently unknown why there is a similarity overlap between the two threat actor groups’ use of this ISO delivery functionality,” the researchers said. “One hypothesis is that UAC-0113 took inspiration from or directly copied this functionality from open source reporting on APT29, or that the same open source resource was used as a codebase.”
Embedded within the ISO file, which was created on August 5, 2022, are three files, including an LNK file that tricks the victim into activating the infection sequence, resulting in the deployment of both Colibri loader and Warzone RAT to the target machine.
The execution of the LNK file also launches an innocuous decoy document – an application form for Ukrainian citizens to request monetary compensation and fuel discounts – in an attempt to conceal the malicious operations.