The Computer Emergency Response Team of Ukraine (CERT-UA) on Tuesday said it thwarted a cyber attack against an unnamed critical energy infrastructure facility in the country.
The intrusion, per the agency, began with a phishing email containing a link to a malicious ZIP archive that triggers the infection chain.
“Visiting the link will download a ZIP archive containing a few JPG images (decoys) and a BAT file ‘weblinks.cmd’ to the victim’s computer,” CERT-UA said, attributing it to the Russian threat actor known as APT28 (aka BlueDelta, Fancy Bear, Forest Blizzard, or FROZENLAKE).
“When the CMD file is run, several decoy web pages will be opened, .bat and .vbs files will be created, and a VBS file will be launched, which in turn will execute the BAT file.”
The next stage of the attack involves running the “whoami” command on the compromised host and exfiltrating the output, along with downloading the TOR hidden service to route malicious traffic.
Persistence is achieved by means of a scheduled task, and remote command execution is carried out using cURL via a legitimate service named webhook.site, which was recently disclosed as being used by a threat actor known as Dark Pink.
CERT-UA said the attack was ultimately unsuccessful because access to Mocky and the Windows Script Host (wscript.exe) was restricted. It is worth noting that APT28 has been linked to the use of Mocky APIs in the past.
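The chain described above (CMD launching a VBS, the VBS executing a BAT, whoami reconnaissance, scheduled-task persistence, and cURL callbacks to webhook.site or Mocky) is a sequence that endpoint process-creation telemetry can correlate. The following is an added example, not CERT-UA's tooling or anything from the report: it scores constructed Sysmon-style events per host and alerts only when several distinct stages of the chain co-occur, so that a lone `whoami` from an administrator's console does not fire. The host names, file paths, task name and webhook.site URL are invented placeholders, and `mocky.io` as the Mocky domain is an assumption.

```python
from dataclasses import dataclass
from collections import defaultdict


@dataclass
class ProcEvent:
    host: str      # endpoint name
    parent: str    # parent process image name
    image: str     # process image name
    cmdline: str   # full command line


# Constructed sample process-creation events (not real telemetry). The hosts,
# paths, task name and webhook.site URL are placeholders invented for this example.
SAMPLE_EVENTS = [
    ProcEvent("ws01", "explorer.exe", "cmd.exe", r'cmd.exe /c "C:\Users\u\Downloads\weblinks.cmd"'),
    ProcEvent("ws01", "cmd.exe", "wscript.exe", r'wscript.exe "C:\Users\u\AppData\Local\Temp\run.vbs"'),
    ProcEvent("ws01", "wscript.exe", "cmd.exe", r'cmd.exe /c "C:\Users\u\AppData\Local\Temp\stage.bat"'),
    ProcEvent("ws01", "cmd.exe", "whoami.exe", "whoami"),
    ProcEvent("ws01", "cmd.exe", "schtasks.exe",
              r'schtasks /create /sc minute /mo 5 /tn "Updater" /tr "C:\Users\u\AppData\Local\Temp\stage.bat"'),
    ProcEvent("ws01", "cmd.exe", "curl.exe", "curl -s https://webhook.site/PLACEHOLDER-ID"),
    # Benign activity on a second host: an admin running whoami from a console.
    ProcEvent("ws02", "explorer.exe", "cmd.exe", "cmd.exe"),
    ProcEvent("ws02", "cmd.exe", "whoami.exe", "whoami"),
]

# webhook.site is named in the report; mocky.io as the Mocky domain is an assumption.
WEBHOOK_SERVICES = ("webhook.site", "mocky.io")


def indicators(ev: ProcEvent) -> list:
    """Return the chain indicators that a single event matches."""
    parent, image, cl = ev.parent.lower(), ev.image.lower(), ev.cmdline.lower()
    hits = []
    if image == "wscript.exe" and ".vbs" in cl and parent == "cmd.exe":
        hits.append("cmd_launches_vbs")          # BAT creates and runs a VBS
    if parent == "wscript.exe" and image == "cmd.exe" and ".bat" in cl:
        hits.append("wscript_runs_bat")          # VBS executes the BAT
    if image == "whoami.exe":
        hits.append("whoami_recon")              # host reconnaissance
    if image == "schtasks.exe" and "/create" in cl:
        hits.append("schtasks_persistence")      # scheduled-task persistence
    if image == "curl.exe" and any(s in cl for s in WEBHOOK_SERVICES):
        hits.append("curl_to_webhook_service")   # callback via a legitimate web service
    return hits


def correlate(events, threshold: int = 3) -> dict:
    """Collect distinct indicators per host; return hosts at or above the threshold."""
    per_host = defaultdict(set)
    for ev in events:
        per_host[ev.host].update(indicators(ev))
    return {h: sorted(i) for h, i in per_host.items() if len(i) >= threshold}


if __name__ == "__main__":
    for host, hits in correlate(SAMPLE_EVENTS).items():
        print(f"ALERT {host}: {', '.join(hits)}")
```

The threshold is the design point: each indicator on its own is noisy (scheduled tasks and `whoami` are routine), but three or more stages of this particular chain on one host within the same window is worth an analyst's time. In a real deployment the events would come from Sysmon Event ID 1 or an EDR feed rather than the constructed list, and the correlation window should be bounded in time.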
The disclosure comes amid continued phishing attacks targeting Ukraine, some of which have been observed leveraging an off-the-shelf malware obfuscation engine named ScruptCrypt to distribute AsyncRAT.
Another cyber attack mounted by GhostWriter (aka UAC-0057 or UNC1151) is said to have weaponized a recently disclosed zero-day flaw in WinRAR (CVE-2023-38831, CVSS score: 7.8) to deploy PicassoLoader and Cobalt Strike, the agency said.
Some parts of this article are sourced from:
thehackernews.com