Russian Sandworm hackers impersonate Ukrainian telecoms to distribute malware. Recorded Future discovered new infrastructure belonging to UAC-0113 that mimics operators such as Datagroup and EuroTransTelecom to deliver payloads including the Colibri loader and Warzone RAT.
These attacks are an extension of the earlier campaign that distributed DCRat (also known as DarkCrystal RAT) via phishing emails with legal aid-themed lures against telecommunications providers in Ukraine.
Sandworm was behind the 2015 and 2016 attacks on the Ukrainian electrical grid; the Russian GRU intelligence agency was confirmed as responsible for them.
The same group, also tracked as Voodoo Bear, aimed to damage high-voltage electrical equipment, computers and networking equipment in Ukraine with the new Industroyer malware.
Many other attacks have followed, including exploitation of the Follina vulnerability (CVE-2022-30190) in the Microsoft Windows Support Diagnostic Tool to breach media entities in Eastern Europe. A botnet called Cyclops Blink was discovered enslaving security devices. Rewards of up to $10 million are being offered for information on the six members of the APT group and their activities against critical infrastructure in the country.
The attacks deploy an encoded ISO payload via a deceptive website posing as a military administration board.
The ISO file, created on August 5, 2022, embeds an LNK file which, when activated, loads the Colibri loader and Warzone RAT.
Executing the LNK file also launches a decoy document to hide the malicious activity from the victim.
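Triage code for the LNK stage described above, added here as an example and not part of the original report or of Recorded Future's tooling: it parses the Shell Link header and StringData per the MS-SHLLINK layout and flags traits a defender looks for in a shortcut that hides a loader behind a decoy. The sample .lnk is constructed in code, and the loader and decoy file names in it are placeholders.

```python
import struct

# LinkFlags bits from the MS-SHLLINK specification
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_REL_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORK_DIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
SW_SHOWMINNOACTIVE = 7  # ShowCommand value that keeps the launched window out of view
LOLBINS = ("powershell", "cmd.exe", "mshta", "rundll32", "regsvr32", "wscript", "cscript")

def parse_lnk(data: bytes) -> dict:
    """Parse the fixed 76-byte ShellLinkHeader and the StringData section of a .lnk."""
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C: raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    show_cmd = struct.unpack_from("<I", data, 60)[0]
    pos = 76
    if flags & HAS_ID_LIST:          # LinkTargetIDList: 2-byte size followed by the list
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:        # LinkInfo: 4-byte total size that includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    strings = {}
    for bit, name in ((HAS_NAME, "name"), (HAS_REL_PATH, "relative_path"),
                      (HAS_WORK_DIR, "working_dir"), (HAS_ARGS, "arguments"),
                      (HAS_ICON, "icon_location")):
        if flags & bit:              # each string: 2-byte character count, then the characters
            n = struct.unpack_from("<H", data, pos)[0]
            pos += 2
            if flags & IS_UNICODE:
                strings[name] = data[pos:pos + 2 * n].decode("utf-16-le"); pos += 2 * n
            else:
                strings[name] = data[pos:pos + n].decode("latin-1"); pos += n
    return {"flags": flags, "show_command": show_cmd, **strings}

def lnk_findings(info: dict) -> list:
    """Return triage findings for a parsed .lnk (heuristics for analyst review, not a verdict)."""
    findings = []
    target = (info.get("relative_path", "") + " " + info.get("arguments", "")).lower()
    if any(b in target for b in LOLBINS):
        findings.append("target or arguments reference a script host / LOLBin")
    if info.get("show_command") == SW_SHOWMINNOACTIVE:
        findings.append("window state SW_SHOWMINNOACTIVE (runs minimized, out of view)")
    return findings

def build_sample_lnk(rel_path: str, args: str, show_cmd: int = SW_SHOWMINNOACTIVE) -> bytes:
    """Constructed sample (hypothetical): a minimal Unicode .lnk with a relative path and arguments."""
    header = bytearray(76)
    struct.pack_into("<I", header, 0, 0x4C)
    struct.pack_into("<I", header, 20, IS_UNICODE | HAS_REL_PATH | HAS_ARGS)
    struct.pack_into("<I", header, 60, show_cmd)
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le") for s in (rel_path, args))
    return bytes(header) + body
```

Run `lnk_findings(parse_lnk(open("file.lnk", "rb").read()))` against shortcuts extracted from a mounted ISO to get the findings list for each one.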