Russian-backed threat group UAC has targeted Ukraine in another wave of attacks, phishing-style scams that play on citizens’ fears for their beleaguered country, according to research by Malwarebytes.
“The Help Ukraine lure, to our knowledge, has never been publicly documented before,” said Malwarebytes, adding that it had detected seven instances of that theme being used in recent weeks.
Other dirty tricks employed by UAC that preyed upon desires to help the war-torn country included offers for “job vacancies” and another email purporting to be about a “humanitarian catastrophe.” Email addresses targeted included government accounts ending in gov.ua.
One of the texts used in the phishing campaign falsely claims to offer a detailed breakdown of Ukrainian casualties by region – an obvious lure given the difficulty of accurate reporting during wartime.
The bogus email reads: “To counter the propaganda of the Russian government, the State Department of Statistics at the Office of the President of Ukraine prepared a consolidated report on dead citizens, citizens left without a home [or] who lost their jobs, the number of destroyed homes [and] businesses. This report shows all the data broken down by regions of Ukraine. Familiarize yourself and your colleagues with the real state of affairs. Glory to Ukraine!”
Victims who click on the link in the email to access the non-existent data then have an instance of Cobalt Strike malware loaded onto their machines, which become “fully compromised” as a result.
Cobalt Strike is a malware tool that is used both legitimately by paid penetration testers, or ‘white-hat hackers,’ and cybercriminals. In this case, Malwarebytes believes UAC used a leaked version to carry out the attacks on Ukraine.
“Based on recent attacks reported by CERT UA, as well as the similarities [to previously detected instances such as the Go Elephant phishing campaign in March], we can attribute this attack with high confidence to UAC,” said Malwarebytes, which worked in conjunction with Ukraine’s cyber authorities to arrive at the result.
More from Cybernews:
Subscribe to our newsletter