Ukraine Warns of Mass Phishing Campaign Targeting Citizens' Data


Ukrainian authorities have warned of a mass phishing attack aimed at stealing sensitive personal data of citizens.

The attackers, tracked under the identifier UAC-0218, send phishing links purporting to be bills or payment details; the links actually lead to the download of data-stealing malware.

Once downloaded and run, the malicious script searches the victim’s device for documents in various formats and sends them to the attackers’ servers. This gives the threat actor access to sensitive personal and financial data that can be used for theft or blackmail.

Based on the domain name registration data, this campaign has been carried out since at least August 2024.

The Computer Emergency Response Team of Ukraine (CERT-UA) has not provided any further details on the identity of the attackers or whether they were targeting particular types of people.

Massive Data Exfiltration Operation

CERT-UA said the phishing emails contain the subject line “account details.” These emails have a link, allegedly to an eDisk file, for downloading RAR archives of the same name.

These archives contain two password-protected decoy documents, named “Договір20102024.doc” and “Рахунок20102024.xlsx,” as well as the VBS script “Password.vbe.”

When opened, the VBS script runs code that recursively searches five directories under the %USERPROFILE% folder for files with the following extensions: “xls”, “xlsx”, “doc”, “docx”, “pdf”, “txt”, “csv”, “rtf”, “ods”, “odt”, “eml”, “pst”, “rar”, “zip”.

Any such files under 10MB in size are then exfiltrated to the attackers’ server using the HTTP PUT method, which is normally used to create a new resource or replace an existing one on a web server.

CERT-UA’s analysis also detected an executable file on victims’ systems that contains a one-line PowerShell command.

This file implements similar functionality: it recursively searches the %USERPROFILE% directory for files matching the extension list (‘*.xls*’, ‘*doc*’, ‘*.pdf’, ‘*.eml’, ‘*.sqlite’, ‘*.pst’, ‘*.txt’) and then transfers them to the management (command-and-control) server using the HTTP POST method.
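Both variants described above share the same network signature: one client pushing a series of document files, each under 10MB, to the same host with HTTP PUT or POST. The following detection logic is an added example (not CERT-UA's code or the malware's); it assumes a constructed proxy log format of `client method url status request_body_bytes` and a hypothetical alert threshold of three such uploads per client/host pair.

```python
import posixpath
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Extensions named in the advisory for the VBS (PUT) and PowerShell (POST) variants.
DOC_EXTENSIONS = {
    "xls", "xlsx", "doc", "docx", "pdf", "txt", "csv", "rtf", "ods", "odt",
    "eml", "pst", "rar", "zip", "sqlite",
}
SIZE_LIMIT = 10 * 1024 * 1024   # the VBS script only exfiltrates files under 10 MB
MIN_UPLOADS = 3                 # hypothetical threshold: several uploads to one host

# Assumed proxy log format (constructed for this example, not from the advisory):
# <client_ip> <method> <url> <status> <request_body_bytes>
LOG_RE = re.compile(r"^(\S+) (PUT|POST|GET) (\S+) (\d{3}) (\d+)$")

def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    client, method, url, _status, size = m.groups()
    parts = urlsplit(url)
    ext = posixpath.splitext(parts.path)[1].lstrip(".").lower()
    return {"client": client, "method": method, "host": parts.netloc,
            "ext": ext, "size": int(size)}

def find_suspicious_uploads(lines):
    """Return {(client, host): count} for clients that PUT/POST several
    document files under 10 MB to the same host."""
    counts = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if (rec["method"] in ("PUT", "POST") and rec["ext"] in DOC_EXTENSIONS
                and rec["size"] < SIZE_LIMIT):
            counts[(rec["client"], rec["host"])] += 1
    return {k: v for k, v in counts.items() if v >= MIN_UPLOADS}

# Constructed sample log: one client exfiltrating three small documents,
# normal intranet traffic, and one oversized upload that the script would skip.
SAMPLE_LOG = """\
10.0.0.5 PUT http://203.0.113.10/upload/Договір.docx 201 48213
10.0.0.5 PUT http://203.0.113.10/upload/Рахунок.xlsx 201 19988
10.0.0.5 PUT http://203.0.113.10/upload/notes.txt 201 512
10.0.0.5 GET http://intranet.example/index.html 200 0
10.0.0.7 POST http://intranet.example/api/login 200 300
10.0.0.9 PUT http://203.0.113.10/upload/backup.zip 201 52428800
""".splitlines()

if __name__ == "__main__":
    print(find_suspicious_uploads(SAMPLE_LOG))  # {('10.0.0.5', '203.0.113.10'): 3}
```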

The Ukrainian government agency highlighted features of the attackers’ management infrastructure, such as the use of the domain name registrar HostZealot and a web server (receiver) implemented in Python.

In August 2024, CERT-UA warned that more than 100 Ukrainian government computers were compromised following a mass phishing campaign.

The attackers impersonated the Security Service of Ukraine in the emails to lure targets into clicking on a malicious link that led to ANONVNC malware being downloaded onto the device.


