Ukrainian cyber defenders have detected an ongoing cyberespionage campaign that has been active since mid-2022, compromising multiple computers.
The campaign primarily targets Microsoft Windows machines used by government agencies and media organizations, according to Volodymyr Kondrashov, a spokesperson for Ukraine’s State Service of Special Communications and Information Protection.
The attackers employ phishing emails and text messages to distribute malicious applications and files, such as HTML applications, executables, file archives, and Window shortcuts, with the aim of tricking victims into downloading the malware, referred to as LonePage by CERT-UA.
The LonePage malware, identified as a PowerShell script, establishes communication with a command-and-control server and proceeds to download a file called upgrade.txt, which executes the commands of the script and exfiltrates data via HTTP.
Additionally, the malicious code downloads an info stealer named ThumbChop, designed to target Chrome and Opera browsers, while the attackers may also deploy the Tor browser or Secure Shell to facilitate unauthorized remote access to compromised computers.
The cyber attackers responsible for the campaign are not limited to ThumbChop and LonePage; they also deploy other malware variants like SeaGlow and OverJam, as reported by CERT-UA. To mitigate the risk, the agency advises restricting the execution of specific executables such as script.exe, cscript.exe, powershell.exe, and mshta.exe.
ThumbChop and LonePage are part of a growing list of new info stealer malware variants identified by the agency. The State Service of Special Communications and Information Protection had investigated 2,194 cyber incidents in 2022, with phishing attacks decreasing in number, although the agency emphasizes the continued risk posed by well-crafted phishing emails and social engineering tactics.
