Over 100 Ukrainian computers infected with backdoor malware, researchers say


Ukrainian researchers have discovered a phishing campaign targeting local state agencies with remote-access malware. 

To gain access to the victim’s system, the hackers disguise the malicious emails as official requests from Ukraine’s security service (SBU). The emails contain a .zip file that, once opened, launches malware the researchers are calling ANONVNC.

The backdoor malware is based on open-source remote management code called MeshAgent, according to Ukraine’s computer emergency response team (CERT-UA). 

CERT-UA tracks the threat actor behind this campaign as UAC-0198 but hasn’t provided any details about its origins.

Since July 2024, the group has infected more than 100 computers with the malware, including those used by state agencies, CERT-UA said. Researchers suggested that the geography of the attacks “could be broader.”

The report didn’t specify the goal of the campaign or if the hackers caused any damage to their victims’ computers. CERT-UA stated that it “has taken urgent measures” to reduce the probability of further attacks on systems infected with ANONVNC.

According to an analysis by the cybersecurity firm Malwarebytes, MeshAgent can infiltrate systems in different ways, most often as a result of email campaigns containing malicious macros. MeshAgent is the agent component of another remote-management tool, MeshCentral.

Earlier in July, Ukrainian researchers reported discovering an information-stealing campaign targeting readers of Ukraine’s most popular news website, Ukr.net. In this campaign, the threat actor tracked as UAC-0102 created a fake version of the website to collect users’ personal information and infect their systems with malware.

In another campaign in July, a suspected Belarusian state-sponsored hacker group, GhostWriter, targeted Ukrainian organizations and local government agencies with PicassoLoader malware. Researchers believe the group may be interested in Ukraine’s financial and economic indicators, taxation, as well as the reform of local self-government bodies.


Daryna Antoniuk

is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.
