Hackers target Ukraine’s potential conscripts with MeduzaStealer malware

Avatar

Hackers have targeted the devices of Ukraine’s draft-aged men with MeduzaStealer malware spread through Telegram, researchers have found.

MeduzaStealer was previously used by Russia-linked threat actors to obtain login credentials, computer information, browsing history and data from password managers. Last year, a threat actor known as UAC-0050 deployed the malware against targets in Ukraine and Poland.

According to a new report from Ukraine’s computer emergency response team (CERT-UA), the unidentified hackers recently distributed MeduzaStealer through a Telegram account disguised as a technical support bot for users of the new Ukrainian government app called Reserve+.

Launched earlier this year, the app allows Ukrainian men liable for military service to update their personal data online instead of going to local enlistment offices. Given the sensitivity of the data the app collects, it has become an attractive target for hackers.

In the campaign analyzed by CERT-UA, the hackers posed as Reserve+ customer support and asked users to upload a ZIP archive containing alleged instructions on how to correctly update the personal data required by Ukraine’s military officials.

Once opened, the malicious file infected targeted devices with MeduzaStealer, designed to pilfer documents with certain extensions before self-deleting.

CERT-UA’s report did not mention how many Ukrainians have fallen victim to the attack or how the hackers might use the data they obtain. As of July, over 4.5 million Ukrainians used Reserve+ to update their personal data.

Earlier in August, the Ukrainian Defense Ministry reported the discovery of three fake Reserve+ apps, likely designed to collect the personal data of Ukrainian conscripts and later use it for new attacks or information and psychological operations.

Russia-linked hackers have previously abused popular mobile apps and messengers, including Signal and Telegram, to target Ukraine’s military personnel.

In September, for example, the hackers used Signal to infect devices used by Ukrainian soldiers with malware delivered through files disguised as military software. According to CERT-UA, the goal of those attacks was to steal credentials for special military systems and identify the soldiers’ locations.

CybercrimeGovernmentNewsNews BriefsPrivacy
Get more insights with the

Recorded Future

Intelligence Cloud.

Learn more.

No previous article

No new articles

Daryna Antoniuk

is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.

 

Total
0
Shares
Previous Post

Russia’s case against REvil hackers proceeds as government recommends 6.5-year sentence

Next Post

Hacker allegedly behind attacks on FBI, Airbus, National Public Data arrested in Brazil

Related Posts

WordPress Mandates Two-Factor Authentication for Plugin and Theme Developers

WordPress.org has announced a new account security measure that will require accounts with capabilities to update plugins and themes to activate two-factor authentication (2FA) mandatorily. The enforcement is expected to come into effect starting October 1, 2024. "Accounts with commit access can push updates and changes to plugins and themes used by millions of WordPress sites worldwide," the
Avatar
Read More