Over 100 Ukrainian computers infected with backdoor malware, researchers say


Ukrainian researchers have discovered a phishing campaign targeting local state agencies with remote-access malware. 

To gain access to the victim’s system, the hackers disguise the malicious emails as official requests from Ukraine’s security service (SBU). The emails contain a .zip file that, once opened, launches malware the researchers are calling ANONVNC.

The backdoor malware is based on open-source remote management code called MeshAgent, according to Ukraine’s computer emergency response team (CERT-UA). 

CERT-UA tracks the threat actor behind this campaign as UAC-0198 but hasn’t provided any details about its origins.

Since July 2024, the group has infected more than 100 computers with the malware, including those used by state agencies, CERT-UA said. Researchers suggested that the geography of the attacks “could be broader.”

The report didn’t specify the goal of the campaign or if the hackers caused any damage to their victims’ computers. CERT-UA stated that it “has taken urgent measures” to reduce the probability of further attacks on systems infected with ANONVNC.

According to an analysis by the cybersecurity firm Malwarebytes, MeshAgent can be introduced onto systems in different ways, most often through email campaigns carrying documents with malicious macros. MeshAgent is the agent component of MeshCentral, an open-source remote-management platform.

Earlier in July, Ukrainian researchers reported discovering an information-stealing campaign targeting readers of Ukraine’s most popular news website, Ukr.net. In this campaign, the threat actor tracked as UAC-0102 created a fake version of the website to collect users’ personal information and infect their systems with malware.

In another campaign in July, a suspected Belarusian state-sponsored hacker group, GhostWriter, targeted Ukrainian organizations and local government agencies with PicassoLoader malware. Researchers believe the group may be interested in Ukraine’s financial and economic indicators, taxation, and the reform of local self-government bodies.


Daryna Antoniuk

is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.
