Russian hackers use Cobalt Strike and CredoMap malware against Ukraine

State-backed attackers hit Ukraine with phishing campaigns spreading malware

Nuclear attack-themed emails push malware and exploit the Follina bug

Ukrainian organizations have been warned about hacking attempts using the CredoMap malware and Cobalt Strike beacons. Russian hackers continue to attempt to break into the systems of Ukrainian companies and government entities.[1] The newest discoveries show phishing attacks that use fake emails to spread malicious programs already widely used in other infections.[2] The Ukrainian Computer Emergency Response Team (CERT-UA) reported that hacking groups exploit the Follina code execution flaw in these new phishing campaigns to install malware.[3]

The team published two advisories on the detected incidents linked to the APT28 hacker group, also known as Fancy Bear or UAC-0098.[4] These attackers are closely tied to the Russian government and have been trying to infect systems of Ukrainian entities and their allies. The new campaigns try to spread malware via a malicious document named "Nuclear Terrorism A Very Real Threat". These emails were sent out on June 10th.

Threat actors chose this topic for their phishing emails to lure recipients into opening the message and loading the malicious file on the machine. The lure plays on Ukrainians' fear of a potential nuclear attack. Russia invaded Ukraine in February, and the ongoing conflict has led to an increased number of malicious attacks from both sides: various hacker groups try to open the eyes of Russians blinded by propaganda in local media, while Russian hacker groups attempt to disrupt major processes, obtain data from government-linked entities, and use it to their advantage in the conflict.

The hacking attempts begin with a malicious email

These APT28 phishing campaigns begin with a malicious email. The message carried a malicious document attachment. "Imposition of penalties.docx" had been in distribution since its compilation date of June 16. The document was also spread inside a password-protected archive passed off as correspondence from the Ukrainian tax office. These emails had the subject line "Notice of non-payment of tax".

Once opened, such documents trigger the automatic download of an HTML file that runs JavaScript code containing the exploit for the CVE-2022-30190 flaw.[5] The flaw has a CVSS severity score of 7.8 and is a remote code execution vulnerability in the Microsoft Windows Support Diagnostic Tool (MSDT). This Follina flaw has been patched but is still exploited in the wild. It first emerged as a zero-day vulnerability back in May.
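As an added defensive example (not code from the article, from CERT-UA, or from the researchers it cites), the following Python script shows how a mail gateway or an analyst could flag the two artifacts of the delivery chain described above: a .docx whose relationship file references an OLE object outside the package, and a fetched HTML page that references the ms-msdt: protocol handler. The sample document is built in memory for the demonstration; the URL files.example.invalid/stage.html and the HTML snippet are constructed placeholders, not indicators from this campaign.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Standard OOXML namespace and relationship type (not campaign-specific values)
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL_TYPE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                "relationships/oleObject")
# The Follina chain ends in the HTML page handing a URL to the ms-msdt: handler
MSDT_SCHEME = re.compile(r"ms-msdt:", re.IGNORECASE)


def find_external_ole_links(docx_bytes: bytes) -> list[str]:
    """Return targets of OLE relationships that point outside the package.

    A benign embedded object has an internal target (e.g. embeddings/...);
    a remote HTML target is the hallmark of the Follina delivery chain.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if (rel.get("TargetMode") == "External"
                        and rel.get("Type") == OLE_REL_TYPE):
                    hits.append(rel.get("Target"))
    return hits


def html_invokes_msdt(html: str) -> bool:
    """True if a fetched HTML page references the ms-msdt: protocol handler."""
    return MSDT_SCHEME.search(html) is not None


def build_sample_docx(target: str, external: bool = True) -> bytes:
    """Constructed minimal .docx with a single OLE relationship (test input only)."""
    mode = ' TargetMode="External"' if external else ""
    rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<Relationships xmlns="{REL_NS}">'
        f'<Relationship Id="rId1" Type="{OLE_REL_TYPE}" Target="{target}"{mode}/>'
        "</Relationships>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    '<?xml version="1.0"?><Types xmlns="http://schemas.'
                    'openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("word/document.xml",
                    '<?xml version="1.0"?><w:document xmlns:w="http://schemas.'
                    'openxmlformats.org/wordprocessingml/2006/main"/>')
        zf.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    # Placeholder URL; a real lure would point at attacker-controlled hosting
    suspicious = build_sample_docx("http://files.example.invalid/stage.html")
    benign = build_sample_docx("embeddings/oleObject1.bin", external=False)
    print("suspicious:", find_external_ole_links(suspicious))  # one external target
    print("benign:", find_external_ole_links(benign))          # []
    # Constructed page fragment; only the scheme prefix matters for the check
    page = '<script>location.href = "ms-msdt:CONSTRUCTED_PLACEHOLDER";</script>'
    print("msdt handler referenced:", html_invokes_msdt(page))  # True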

Downloading and launching malware

The documents used in these campaigns exploit the Follina flaw and infect machines with the CredoMap malware, a password-stealing trojan. Information-stealer capabilities have been reported in the malware used in these particular campaigns. It aims to steal data stored in Chrome, Edge, and other web browsers; the account credentials and cookies can be used by attackers later on.

The malicious program then exfiltrates the stolen details over the IMAP email protocol, so all data is sent to a command and control server that is apparently hosted on an abandoned Dubai-based site. Cybersecurity researchers discovered these campaigns and found that they potentially allow attackers to access the stolen data.
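As an added detection example (not code from the article or from the researchers it cites), the following Python snippet turns the IMAP exfiltration detail above into a hunting check over constructed, Sysmon-style network-connection records: any process outside a small allowlist of expected mail clients that opens a connection to an IMAP port (143 or 993) is flagged for review. The log lines, the allowlist, the process names and the documentation-range IP addresses are all invented for the example.

```python
from dataclasses import dataclass

# IMAP (plain and TLS) destination ports
IMAP_PORTS = {143, 993}
# Constructed allowlist: processes expected to speak IMAP on a workstation
MAIL_CLIENT_ALLOWLIST = {"outlook.exe", "thunderbird.exe"}

# Constructed, Sysmon-like "network connection" records, one per line
SAMPLE_LOG = """\
Image: C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE | DestinationIp: 203.0.113.10 | DestinationPort: 993
Image: C:\\Users\\victim\\AppData\\Local\\Temp\\report.exe | DestinationIp: 203.0.113.55 | DestinationPort: 143
Image: C:\\Users\\victim\\AppData\\Roaming\\svcupd.exe | DestinationIp: 203.0.113.56 | DestinationPort: 993
Image: C:\\Program Files\\Mozilla Firefox\\firefox.exe | DestinationIp: 198.51.100.7 | DestinationPort: 443
"""


@dataclass
class NetEvent:
    image: str      # full path of the process that opened the connection
    dest_ip: str
    dest_port: int


def parse_events(log: str) -> list[NetEvent]:
    """Parse 'Key: value | Key: value' records into NetEvent objects."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        fields = {}
        for part in line.split(" | "):
            key, _, value = part.partition(": ")
            fields[key.strip()] = value.strip()
        events.append(NetEvent(fields["Image"], fields["DestinationIp"],
                               int(fields["DestinationPort"])))
    return events


def suspicious_imap_connections(events: list[NetEvent]) -> list[NetEvent]:
    """Flag IMAP connections made by processes that are not known mail clients.

    A stealer sending browser credentials to its operator over IMAP shows up
    as an unexpected executable talking to port 143/993.
    """
    flagged = []
    for ev in events:
        exe = ev.image.rsplit("\\", 1)[-1].lower()
        if ev.dest_port in IMAP_PORTS and exe not in MAIL_CLIENT_ALLOWLIST:
            flagged.append(ev)
    return flagged


if __name__ == "__main__":
    for ev in suspicious_imap_connections(parse_events(SAMPLE_LOG)):
        print(f"review: {ev.image} -> {ev.dest_ip}:{ev.dest_port}")
```

The allowlist approach is deliberately narrow: in a real environment it should be built from the organization's own software inventory, and a hit from a binary under a user-writable path such as AppData or Temp deserves priority.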

A different campaign identified by researchers shows the threat actor group exploiting the same Follina vulnerability to infect machines with the Cobalt Strike beacon. The actors used DOCX files with payloads fetched from remote resources. These are the campaigns using the Ukrainian tax notice as a lure. CERT-UA alerted that media agencies in particular should be aware of these phishing campaigns, since Russian hacking groups specifically target such sources with other info-stealing malware.

About the author
Gabriel E. Hall

Gabriel E. Hall is a passionate malware researcher who has been working for 2-spyware for almost a decade.
