Hackers attack Ukrainian government agencies with phishing emails disguised as court summonses

The CERT-UA national cyber incident response team has detected a new wave of targeted attacks against state authorities, units of the Defense Forces and enterprises of the defense-industrial complex. As the State Special Communications Service reports, the attackers are sending phishing emails disguised as official documents, in particular as “subpoenas”.
“The attacks are carried out by the UAC-0099 group, which has significantly updated its toolkit and started using the new malware Matchboil, Matchwok and Dragstare. The attackers use a multi-stage attack chain aimed at stealing data and gaining remote control of systems. The attack starts by sending phishing emails, often disguised as official documents, such as ‘subpoenas’,” says the statement of the State Special Communications Service.
The emails contain a link to a legitimate file-sharing service from which the user downloads a ZIP archive containing a malicious HTA file. Opening the HTA runs a VBScript that creates two files: one holding encoded data and one holding PowerShell code. A scheduled task then runs the PowerShell code, which decodes the data and produces the Matchboil executable, and that task also gives the malware persistence on the system.
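The chain above (HTA opened from a downloaded archive, a VBScript host spawned by mshta.exe, a scheduled task registered to launch PowerShell) is exactly the kind of parent/child process sequence an EDR or Sysmon pipeline can flag before the final payload runs. The following is an added detection example written for this article, not CERT-UA's or the malware's code: it walks the process ancestry of constructed process-creation records (field names modelled loosely on Sysmon Event ID 1, but the records, paths, task name and PIDs are all made up for illustration) and reports the two links of the chain the text describes.

```python
"""Detect the HTA -> VBScript host -> scheduled task -> PowerShell chain
over process-creation telemetry.

Added example; not code from CERT-UA or from the malware. The event records
below are constructed for illustration and do not come from a real incident.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str     # full path of the executable, as logged
    cmdline: str   # command line, as logged


VBS_HOSTS = {"wscript.exe", "cscript.exe"}
HTA_HOST = "mshta.exe"

# Constructed sample telemetry (assumed, not real): a user opens an HTA
# from a downloaded archive, the HTA runs a VBScript, and that script
# registers a scheduled task that launches PowerShell. The last record is
# a benign user-launched script and must not be flagged.
SAMPLE_EVENTS: List[ProcEvent] = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Windows\System32\mshta.exe",
              r'mshta.exe "C:\Users\u\Downloads\subpoena\subpoena.hta"'),
    ProcEvent(300, 200, r"C:\Windows\System32\wscript.exe",
              r'wscript.exe //B "C:\Users\u\AppData\Local\Temp\stage.vbs"'),
    ProcEvent(400, 300, r"C:\Windows\System32\schtasks.exe",
              r'schtasks.exe /Create /TN "Updater" /SC ONLOGON '
              r'/TR "powershell.exe -w hidden -f C:\Users\u\AppData\Local\Temp\run.ps1"'),
    ProcEvent(500, 100, r"C:\Windows\System32\wscript.exe",
              r"wscript.exe C:\tools\cleanup.vbs"),
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def ancestry(ev: ProcEvent, by_pid: Dict[int, ProcEvent],
             limit: int = 16) -> List[ProcEvent]:
    """Ancestor events of `ev`, nearest parent first.

    Stops on a missing parent, a PID cycle (PIDs are reused on Windows,
    so real telemetry needs process GUIDs; this toy uses PIDs) or `limit`.
    """
    chain: List[ProcEvent] = []
    seen = set()
    cur: Optional[ProcEvent] = by_pid.get(ev.ppid)
    while cur is not None and cur.pid not in seen and len(chain) < limit:
        chain.append(cur)
        seen.add(cur.pid)
        cur = by_pid.get(cur.ppid)
    return chain


def detect(events: List[ProcEvent]) -> List[Tuple[str, int, str]]:
    """Return (severity, pid, description) for each suspicious event."""
    by_pid = {e.pid: e for e in events}
    findings: List[Tuple[str, int, str]] = []
    for ev in events:
        name = basename(ev.image)
        parents = [basename(p.image) for p in ancestry(ev, by_pid)]

        # Link 1: an HTA host directly spawning a VBScript host.
        if name in VBS_HOSTS and parents[:1] == [HTA_HOST]:
            findings.append(("medium", ev.pid,
                             f"{HTA_HOST} spawned {name}: {ev.cmdline}"))

        # Link 2: a scheduled task whose action is PowerShell, registered
        # from a process tree that contains an HTA or VBScript host.
        is_task_create = (name == "schtasks.exe"
                          and re.search(r"/create\b", ev.cmdline, re.I)
                          and re.search(r"powershell|pwsh", ev.cmdline, re.I))
        if is_task_create and any(p in VBS_HOSTS or p == HTA_HOST for p in parents):
            findings.append(("high", ev.pid,
                             "PowerShell scheduled task registered by script host chain: "
                             + " <- ".join([name] + parents)))
    return findings


if __name__ == "__main__":
    for severity, pid, desc in detect(SAMPLE_EVENTS):
        print(f"[{severity}] pid={pid} {desc}")
```

On the constructed events this reports the wscript.exe child of mshta.exe as medium and the schtasks.exe /Create call as high, while leaving the explorer-launched cleanup.vbs alone. In production the same logic should key on process GUIDs rather than PIDs and should also cover task registration through the Schedule service COM API, which never goes through schtasks.exe.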
“The main targets of the group are the state authorities of Ukraine, units of the Defense Forces and enterprises working in the interests of the defense-industrial complex. CERT-UA’s research revealed three new samples of malicious software, which indicates the evolution of the group’s tactics, techniques and procedures,” the statement emphasizes.
CERT-UA specialists advise strengthening protection against such threats: monitor incoming e-mail, train staff to recognize phishing, restrict the execution of scripts (including HTA, VBScript and PowerShell), use modern endpoint monitoring (EDR) and network threat detection (IDS/IPS) tools, and update software regularly.