CERT-UA has issued a critical warning regarding a phishing campaign linked to Russian threat actors, targeting Ukrainian government entities. The campaign, tracked as UAC-0198, has been active since July 2024 and involves attackers impersonating the Security Service of Ukraine (SSU). The phishing emails contain a link to download a file named “Documents.zip,” which, when clicked, triggers a dangerous malware infection. This campaign underscores the ongoing cyber threats facing Ukraine amid heightened geopolitical tensions.
Once the link in the phishing email is clicked, an MSI file is downloaded to the recipient’s computer. When this file is executed, it activates the ANONVNC malware, also known as MESHAGENT, a remote access tool derived from the open-source MeshAgent. This malware allows attackers to gain unauthorized control over the infected systems, enabling them to monitor and manipulate the compromised devices remotely. As of August 12, 2024, CERT-UA reported that over 100 computers within Ukrainian government and local government agencies had been compromised by the malware.
The scope of the attack appears to be expanding, with CERT-UA identifying thousands of malicious EXE and MSI files uploaded to pCloud directories since the beginning of August 2024. These indicators suggest that the campaign could have a broader geographic reach, potentially targeting other sectors or regions. CERT-UA continues to monitor the situation closely, providing updates and additional indicators of compromise to help organizations mitigate the threat.
This latest attack follows a surge in cyber activity by UAC-0006, a financially motivated threat group active since 2013. In May 2024, CERT-UA observed a significant increase in attacks by this group, targeting accountants’ systems in Ukraine to steal credentials and conduct unauthorized fund transfers. UAC-0006 has been distributing the SmokeLoader malware, which acts as a loader for additional malicious payloads, further complicating efforts to protect critical systems. The ongoing cyberattacks highlight the persistent and evolving nature of threats facing Ukraine’s digital infrastructure.
Reference:
