Ukrainian and Polish cyber defenders are warning against a slew of phishing websites that mimic official sites, in particular a page that mimics the Ministry of Foreign Affairs of Ukraine.
A hacking group likely composed of Russian speakers uses the pages to lure users into downloading software purportedly for “scanning infected PCs on viruses.”
The Computer Emergency Response Team of Ukraine tracks the threat group as UAC-0114, aka Winter Vivern. The downloaded software executes several PowerShell scripts, one of which scans for files including Microsoft Office documents, PDFs, log files and Remote Desktop Connection Manager configuration. The malware also takes screenshots, exfiltrates data and establishes persistence.
The threat group has copied web pages of the Security Service of Ukraine and the Polish Police. Poland, a key Ukrainian ally and staging ground for military aid, has contended with an increase in hostile Russian activity in cyberspace following Russia’s February 2022 invasion of Ukraine.