CERT-UA Reports Cyberattacks Targeting Ukrainian State Systems with WRECKSTEEL Malware

Avatar
The Computer Emergency Response Team of Ukraine (CERT-UA) has revealed that no less than three cyber attacks were recorded against state administration bodies and critical infrastructure facilities in the country with an aim to steal sensitive data. The campaign, the agency said, involved the use of compromised email accounts to send phishing messages containing links pointing to legitimate

The Computer Emergency Response Team of Ukraine (CERT-UA) has revealed that no less than three cyber attacks were recorded against state administration bodies and critical infrastructure facilities in the country with an aim to steal sensitive data.

The campaign, the agency said, involved the use of compromised email accounts to send phishing messages containing links pointing to legitimate services like DropMeFiles and Google Drive. In some instances, the links are embedded within PDF attachments.

The digital missives sought to induce a false sense of urgency by claiming that a Ukrainian government agency planned to cut salaries, urging the recipient to click on the link to view the list of affected employees.

Visiting these links leads to the download of a Visual Basic Script (VBS) loader that’s designed to fetch and execute a PowerShell script capable of harvesting files matching a specific set of extensions and capturing screenshots.

The activity, attributed to a threat cluster tracked as UAC-0219, is said to have been ongoing since at least fall 2024, with early iterations using a combination of EXE binaries, a VBS stealer, and a legitimate image editor software called IrfanView to realize its goals.

CERT-UA has given the VBS loader and the PowerShell malware the moniker WRECKSTEEL. The attacks have not been attributed to any country.

The development comes as Kaspersky warned that the threat actor known as Head Mare has targeted several Russian entities with a malware known as PhantomPyramid that’s capable of processing instructions issued by the operator over a command-and-control (C2) server, as well as downloading and running additional payloads like MeshAgent.

Russian energy companies, industrial enterprises, and suppliers and developers of electronic components organizations have also been at the receiving end of phishing attacks mounted by a threat actor codenamed Unicorn that dropped a VBS trojan designed to siphon files and images from infected hosts.

Late last month, SEQRITE Labs revealed that academic, governmental, aerospace, and defense-related networks in Russia are being targeted by weaponized decoy documents, likely sent via phishing emails, as part of a campaign dubbed Operation HollowQuill. The attacks are believed to have started around December 2024.

The activity makes use of social engineering ploys, disguising malware-laced PDFs as research invitations and government communiqués to entice unsuspecting users into triggering the attack chain.

“The threat entity delivers a malicious RAR file which contains a .NET malware dropper, which further drops a Golang-based shellcode loader along with the legitimate OneDrive application and a decoy-based PDF with a final Cobalt Strike payload,” security researcher Subhajeet Singha said.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

 The Hacker News 

Total
0
Shares
Previous Post

Critical Flaw in Apache Parquet Allows Remote Attackers to Execute Arbitrary Code

Next Post

OPSEC Failure Exposes Coquettte’s Malware Campaigns on Bulletproof Hosting Servers

Related Posts

ToyMaker Uses LAGTOY to Sell Access to CACTUS Ransomware Gangs for Double Extortion

Cybersecurity researchers have detailed the activities of an initial access broker (IAB) dubbed ToyMaker that has been observed handing over access to double extortion ransomware gangs like CACTUS. The IAB has been assessed with medium confidence to be a financially motivated threat actor, scanning for vulnerable systems and deploying a custom malware called LAGTOY (aka HOLERUN). "LAGTOY can be
Avatar
Read More

GCP Cloud Composer Bug Let Attackers Elevate Access via Malicious PyPI Packages

Cybersecurity researchers have detailed a now-patched vulnerability in Google Cloud Platform (GCP) that could have enabled an attacker to elevate their privileges in the Cloud Composer workflow orchestration service that's based on Apache Airflow. "This vulnerability lets attackers with edit permissions in Cloud Composer to escalate their access to the default Cloud Build service account, which
Avatar
Read More