Phishing Targets Ukrainian Battlefield Awareness Tool Users
Digital Map Users Lured Into Installing Malware That Looked for Office Files
The Ukrainian military agency that weeks ago unveiled a battlefield situational awareness tool has notified the national cybersecurity response team of a phishing campaign whose operators intend to steal files and siphon internet browser data.
The Ukrainian Computer Emergency Response Team said the campaign targeted users of the situational awareness tool, which the Center for Innovations and Development of Defense Technologies within the Ministry of Defense dubbed Delta at its October public unveiling. Delta is a digital map accessible on multiple devices including a smartphone. The center notified CERT-UA about the campaign on Saturday, and CERT-UA issued its warning on Sunday.
The phishing hook, which came from a compromised Ministry of Defense email address, told recipients they must update Delta certificates in order to maintain access.
The Ukrainian government says Delta provides a comprehensive digital overview of the battlefield by integrating data from different sources, including intelligence and sensors. The government announced Delta during a NATO event held in Virginia.
Ukraine continues to fight Russian troops after the Kremlin invaded Ukraine in February (see: Major Takeaways: Cyber Operations During Russia-Ukraine War).
Details of the Campaign
The phishing email included a PDF attachment supposedly containing further instructions, including an embedded link that, when clicked, led to a phishing website that mimicked the legitimate Delta logon website but in actuality belonged to the delta-storages.com domain. Data kept by the Internet Corporation for Assigned Names and Numbers show an unknown party registered the domain on Thursday.
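The two signals in the paragraph above, a domain that imitates the real logon host and a domain registered only days before the lure went out, are cheap to check automatically before a user ever clicks. The script below is an added illustration, not code from CERT-UA or the Delta project: it pulls the links out of a constructed lure text, flags hosts whose first label reuses the brand word (or that sit within a few edits of the legitimate host), and flags hosts registered within the last 30 days. The legitimate host name, the registration dates and the email text are all assumptions made up for the example; in practice the dates would come from a WHOIS or RDAP lookup.

```python
"""Triage links in a suspected phishing email for lookalike and newly registered domains."""
import re
from datetime import date
from urllib.parse import urlparse

# Hypothetical legitimate login host; the report does not name Delta's real host.
LEGITIMATE_HOST = "delta.mod.example"

# Constructed registration dates standing in for a WHOIS/RDAP lookup.
REGISTRATION_DATES = {
    "delta.mod.example": date(2019, 6, 1),
    "delta-storages.com": date(2022, 12, 15),
}

# Constructed lure text modelled on the "update your certificates" hook.
SAMPLE_EMAIL = """Subject: Delta certificate update required
To keep access to Delta you must update your certificates today.
Instructions: https://delta-storages.com/update/cert
Reference manual: https://delta.mod.example/docs/certs
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")
NEW_DOMAIN_DAYS = 30  # anything younger than this is worth a second look


def extract_hosts(text):
    """Return the distinct, lower-cased hostnames linked from the text, in order."""
    hosts = []
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname
        if host and host.lower() not in hosts:
            hosts.append(host.lower())
    return hosts


def levenshtein(a, b):
    """Edit distance between two strings (insert, delete, substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(host, legit=LEGITIMATE_HOST, max_distance=3):
    """True when host imitates the legitimate host without being it or a subdomain of it."""
    if host == legit or host.endswith("." + legit):
        return False
    brand = legit.split(".")[0]
    first_label = host.split(".")[0]
    # Brand word reused in the first label (delta-storages), or the whole host a few edits away.
    return brand in first_label or levenshtein(host, legit) <= max_distance


def domain_age_days(host, today, dates=REGISTRATION_DATES):
    """Days since registration, or None when no registration record is known."""
    registered = dates.get(host)
    return None if registered is None else (today - registered).days


def triage(text, today, legit=LEGITIMATE_HOST):
    """Return [(host, [reasons])] for every linked host that trips a check."""
    findings = []
    for host in extract_hosts(text):
        reasons = []
        if is_lookalike(host, legit):
            reasons.append("lookalike")
        age = domain_age_days(host, today)
        if age is not None and age <= NEW_DOMAIN_DAYS:
            reasons.append(f"registered {age} days ago")
        if reasons:
            findings.append((host, reasons))
    return findings


if __name__ == "__main__":
    # "today" is fixed so the example is reproducible; pass date.today() in real use.
    for host, reasons in triage(SAMPLE_EMAIL, date(2022, 12, 18)):
        print(f"{host}: {', '.join(reasons)}")
```

Neither check is proof of malice on its own; a young domain that also borrows the brand word from the login host is the combination that should route the message to a reviewer rather than a user.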
The executable contained in the malicious zip file that users were urged to download from the site was also compiled and digitally signed on Thursday, CERT-UA says. In order to make the infection process appear legitimate, it ran an application simulating the certificate installation process on a Windows desktop.
The malware launched two malicious applications. One, which CERT-UA dubbed "FateGrab," looked for document files, such as those with Microsoft Office extensions, and for files such as saved PowerShell commands or scripts. The threat actor exfiltrated the collected files over FTP.
The other application, designated as "StealDeal," stole internet browser data.
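FateGrab's behaviour as described above, a sweep for Office and script files followed by an FTP upload, is a pattern endpoint telemetry can catch without any knowledge of the sample itself. The detector below is an added example, not CERT-UA's or any vendor's rule: it runs over a few constructed endpoint events in a simple pipe-delimited format (timestamp, event type, pid, process image, detail) and raises an alert when one process reads at least five distinct document or script files and then opens a connection to TCP port 21 within a five-minute window. The process names, paths, addresses and thresholds are all made up for the illustration.

```python
"""Flag a process that sweeps document/script files and then opens an FTP connection."""
import os
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed endpoint telemetry: timestamp|event|pid|image|detail (all values invented).
SAMPLE_EVENTS = r"""
2022-12-18T09:00:01|FileRead|4120|C:\Users\op\AppData\Local\Temp\certupdate.exe|C:\Users\op\Documents\plan.docx
2022-12-18T09:00:02|FileRead|4120|C:\Users\op\AppData\Local\Temp\certupdate.exe|C:\Users\op\Documents\budget.xlsx
2022-12-18T09:00:03|FileRead|4120|C:\Users\op\AppData\Local\Temp\certupdate.exe|C:\Users\op\Documents\brief.pptx
2022-12-18T09:00:04|FileRead|4120|C:\Users\op\AppData\Local\Temp\certupdate.exe|C:\Users\op\scripts\deploy.ps1
2022-12-18T09:00:05|FileRead|4120|C:\Users\op\AppData\Local\Temp\certupdate.exe|C:\Users\op\Documents\notes.doc
2022-12-18T09:00:06|FileRead|4120|C:\Users\op\AppData\Local\Temp\certupdate.exe|C:\Users\op\Documents\readme.txt
2022-12-18T09:00:09|NetConnect|4120|C:\Users\op\AppData\Local\Temp\certupdate.exe|203.0.113.10:21
2022-12-18T09:01:00|FileRead|2200|C:\Program Files\Microsoft Office\WINWORD.EXE|C:\Users\op\Documents\plan.docx
2022-12-18T09:01:05|NetConnect|2200|C:\Program Files\Microsoft Office\WINWORD.EXE|203.0.113.20:443
"""

# Extensions of the kinds of files the report says the stealer went after.
TARGET_EXTS = {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".ps1", ".bat", ".cmd"}
MIN_FILES = 5               # distinct target files before a port-21 connection counts as suspicious
WINDOW = timedelta(minutes=5)


def parse_events(text):
    """Parse the pipe-delimited telemetry into a list of event dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, kind, pid, image, detail = line.split("|", 4)
        events.append({"ts": datetime.fromisoformat(ts), "kind": kind,
                       "pid": int(pid), "image": image, "detail": detail})
    return events


def has_target_ext(path):
    """True when the file extension is one of the document/script types of interest."""
    return os.path.splitext(path.lower())[1] in TARGET_EXTS


def detect_collect_and_exfil(events, min_files=MIN_FILES, window=WINDOW):
    """Return one alert per FTP connection preceded by a document sweep from the same pid."""
    reads = defaultdict(list)  # pid -> [(timestamp, path)] of target-extension reads
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["kind"] == "FileRead" and has_target_ext(ev["detail"]):
            reads[ev["pid"]].append((ev["ts"], ev["detail"]))
        elif ev["kind"] == "NetConnect" and ev["detail"].rsplit(":", 1)[-1] == "21":
            # Count distinct target files this process read within the window before connecting.
            recent = {path for ts, path in reads[ev["pid"]] if ev["ts"] - ts <= window}
            if len(recent) >= min_files:
                alerts.append({"pid": ev["pid"], "image": ev["image"],
                               "files": len(recent), "remote": ev["detail"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_collect_and_exfil(parse_events(SAMPLE_EVENTS)):
        print(f"pid {alert['pid']} ({alert['image']}) read {alert['files']} "
              f"document/script files then connected to {alert['remote']}")
```

In the sample the word processor reading one document and then talking to port 443 is ignored, while the temp-directory executable that touched five document and script files before a port-21 connection is reported; tune the file threshold and window to the normal behaviour of backup and indexing tools in your own environment before deploying the logic.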
Whoever built the malware - CERT-UA designates the threat actor as UAC-0142 without making further attribution - protected it with VMProtect. Finnish cybersecurity firm F-Secure describes VMProtect as "a Russian-made security envelope and file compressor utility that makes reverse engineering of protected software quite difficult."
Phishing ranks high among the digital attack vectors used against Ukraine, said State Service for Special Communications and Information Protection of Ukraine Chairman Yuriy Shchyhol in a June interview with Liga.tech. Phishing accounts for about two-thirds of all cyberattack entry points, and government officials and ordinary citizens alike have difficulty in recognizing phishing emails, Shchyhol said.