Report on Ukraine government attack campaign

216.73.216.6

Report on Ukraine government attack campaign

· Published 23/08/2024 08:56 · Modified 23/08/2024 09:02

Essential information

Published: 23/08/2024 08:56
Modified: 23/08/2024 09:02
Tags: 2024-08-23 data theft exfiltration firmachagent government malware powershell spectr ukraine
Related entities: 33 observables, 1 intrusion sets (apt), 20 techniques (mitre), 2 malware, 1 others

Description

Ukraine's government cybersecurity incident response team, CERT-UA, obtained information about the distribution of emails themed around prisoners of war, containing links to download an archive named 'spysok_kursk.zip'. This archive contained a CHM file with JavaScript code that launched an obfuscated PowerShell script designed to install the SPECTR malware and the new FIRMACHAGENT program. These components enabled data theft, document exfiltration, screenshot capturing, and browser data theft, while scheduled tasks managed the malware components. Reducing the attack surface by limiting user privileges and implementing application whitelisting policies can mitigate this threat.

External references

https://otx.alienvault.com/pulse/66c84eca6298cd5a4bb0ec77