Russian Sandworm Hackers Impersonate Ukrainian Telecoms to Distribute Malware

Recorded Future has discovered new infrastructure belonging to UAC-0113 that mimics Ukrainian telecom operators such as Datagroup and EuroTransTelecom in order to deliver payloads including the Colibri loader and Warzone RAT.

These attacks extend an earlier campaign that distributed DCRat (also known as DarkCrystal RAT) via phishing emails with legal-aid-themed lures sent to telecommunications providers in Ukraine.

Sandworm was behind the 2015 and 2016 attacks that targeted the Ukrainian electrical grid. The Russian GRU intelligence agency has been confirmed as responsible for these attacks.

The same group, also tracked as Voodoo Bear, sought to damage high-voltage electrical equipment, computers and networking equipment in Ukraine with new Industroyer malware.

Many other attacks have followed, including exploitation of the Follina vulnerability (CVE-2022-30190) in the Microsoft Windows Support Diagnostic Tool to breach media entities in Eastern Europe.

A botnet called Cyclops Blink was also discovered enslaving security devices. Rewards of up to $10 million are being offered for information on APT group 6 and these individuals' activities against critical infrastructure in the country.

The attacks deliver an encoded ISO payload via a deceptive website posing as a military administration board.

The malicious code is delivered through HTML and JavaScript features embedded in a genuine-looking document. Once the code executes, anti-virus software will not be able to detect it. Recorded Future also identified a similar attack, attributed to APT29, aimed at Western diplomatic missions.

The ISO file, created on 5 August 2022, contains an embedded LNK file which, when activated, loads the Colibri loader and Warzone RAT.

Executing the LNK file also opens a decoy document to hide the malicious activity from the victim.
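As an added detection example (not code from the article or from Recorded Future's report), the following Python heuristic scores an HTML page for the delivery pattern described above: JavaScript that decodes an embedded base64 blob and forces the browser to save it as a disk image. The sample pages, indicator names, weights and threshold are constructed for illustration.

```python
import base64
import binascii
import re

# Constructed sample pages, not artefacts from the campaign. SUSPICIOUS_HTML shows only
# the pattern the article describes: an encoded blob that JavaScript decodes and hands
# to the browser as an .iso download. EXPORT_HTML is a legitimate client-side CSV export.
BENIGN_HTML = """<html><body><h1>Quarterly report</h1>
<script>document.title = "Report " + new Date().getFullYear();</script></body></html>"""
SUSPICIOUS_HTML = """<html><body><p>Your document is loading...</p><script>
var payload = "QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo=";
var blob = new Blob([atob(payload)], {type: "application/octet-stream"});
var a = document.createElement("a");
a.href = URL.createObjectURL(blob); a.download = "request.iso"; a.click();
</script></body></html>"""
EXPORT_HTML = """<script>var blob = new Blob([rows.join("\\n")], {type: "text/csv"});
var a = document.createElement("a");
a.href = URL.createObjectURL(blob); a.download = "export.csv"; a.click();</script>"""

# (name, pattern, weight): forcing the download of a disk image or shortcut weighs
# most, because legitimate pages rarely assemble an .iso or .lnk in the browser.
INDICATORS = [
    ("base64_decode", re.compile(r"\batob\s*\("), 1),
    ("blob_constructor", re.compile(r"\bnew\s+Blob\s*\("), 1),
    ("object_url_or_save", re.compile(r"createObjectURL|msSaveOrOpenBlob"), 1),
    ("download_disk_image", re.compile(
        r"download\s*=\s*[\"'][^\"']+\.(iso|img|vhd|vhdx|lnk|zip)[\"']", re.I), 2),
]

def has_large_b64_literal(html: str, min_len: int = 32) -> bool:
    """True if some quoted string of at least min_len characters is valid base64."""
    for m in re.finditer(r"[\"']([A-Za-z0-9+/]{%d,}={0,2})[\"']" % min_len, html):
        try:
            base64.b64decode(m.group(1), validate=True)
            return True
        except binascii.Error:
            continue
    return False

def assess_html(html: str) -> tuple[int, list[str]]:
    """Return (score, matched indicator names); a higher score is more suspicious."""
    score, hits = 0, []
    for name, pattern, weight in INDICATORS:
        if pattern.search(html):
            score, hits = score + weight, hits + [name]
    if has_large_b64_literal(html):
        score, hits = score + 1, hits + ["large_base64_literal"]
    return score, hits

def is_suspected_smuggling(html: str, threshold: int = 4) -> bool:
    """Flag pages that both decode an embedded blob and force a file download."""
    return assess_html(html)[0] >= threshold
```

The CSV export page scores below the threshold because it neither decodes an embedded blob nor writes a disk-image or shortcut file, which is the combination the heuristic weights most.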
