The Computer Emergency Response Team of Ukraine (CERT-UA) has warned of a new set of cyber attacks that it said were aimed at defense companies in the country as well as its security and defense forces.
The phishing attacks have been attributed to a Russia-linked threat actor called UAC-0185 (aka UNC4221), which has been active since at least 2022.
“The phishing emails mimicked official messages from the Ukrainian League of Industrialists and Entrepreneurs,” CERT-UA said. “The emails advertised a conference held on December 5th in Kyiv, aimed at aligning the products of domestic defense industry companies with NATO standards.”
The email messages come embedded with a malicious URL that urges the recipients to click on it to view “important information” related to their participation in the conference.
But in reality, doing so results in the download of a Windows shortcut file that, upon opening, is designed to execute an HTML Application, which, in turn, contains JavaScript code responsible for running PowerShell commands that are capable of loading next-stage payloads.
This includes a decoy file and a ZIP archive that contains a batch script, another HTML Application, and an executable file. In the final step, the batch script is launched to run the HTML Application file, which, then, runs the MeshAgent binary on the host, granting the attackers remote control over the compromised system.
CERT-UA said the threat actor is primarily focused on stealing credentials associated with messaging apps like Signal, Telegram, and WhatsApp, and Ukraine’s military systems such as DELTA, Teneta, and Kropyva.
“The hackers have also launched a number of cyber attacks to get unauthorized access to the PCs of defence companies’ workers and representatives of the security and defence forces,” the agency said.
According to Google-owned Mandiant, which exposed UNC4221 at the SentinelLabs LABScon security conference earlier this September, the threat actor is known for collecting “battlefield-relevant data through the use of Android malware, phishing operations masquerading as Ukrainian military applications, and operations targeting popular messaging platforms like Telegram and WhatsApp.”