Ukraine Alerts to Phishing Campaign Impersonating Security Service to Distribute Malware

The Computer Emergency Response Team of Ukraine (CERT-UA) has issued a warning about a phishing campaign posing as the Security Service of Ukraine, aiming to infect government computers with malware that enables remote desktop access.

This activity, tracked under the identifier UAC-0198, has already compromised over 100 computers, including systems within government agencies, since July 2024.

The attack involves sending emails that deliver a ZIP archive containing an MSI installer file. When opened, this file deploys ANONVNC, a malware based on the open-source remote management tool MeshAgent, which allows attackers to gain unauthorized access to infected systems without detection.

via GIPHY

The campaign comes amid other cyber threats identified by CERT-UA, including phishing attacks by the group UAC-0102 that use HTML attachments to mimic the UKR.NET login page, stealing user credentials.

Additionally, there has been a rise in the distribution of PicassoLoader malware aimed at deploying Cobalt Strike Beacon on compromised systems, attributed to the threat actor UAC-0057.

CERT-UA has indicated that UAC-0057 might be targeting project office specialists and their contractors among local government employees in Ukraine.

:rotating_light: Over 100 Ukrainian government computers have been compromised in a mass phishing attack, warns CERT-UA.

Attackers, posing as the Security Service of Ukraine, tricked targets into downloading ANONVNC malware, granting unauthorized access.#CyberSecurity #Ukraine pic.twitter.com/XDvS6GhYyr

— Cyber Poe (@cyberpoe_) August 13, 2024

With these ongoing cyber threats, organizations must remain vigilant and enhance their security measures to protect sensitive information and infrastructure from phishing and malware attacks.