A compromised email account belonging to the Ukrainian Ministry of Defense was discovered sending phishing emails and instant messages to users of the “DELTA” situational awareness program in an attempt to infect their systems with information-stealing malware.

The campaign was highlighted in a report published today by CERT-UA (Computer Emergency Response Team of Ukraine), which warned Ukrainian military personnel about the malware attack.

DELTA is an intelligence collection and management system created by Ukraine with the help of its allies to help the military track the movements of enemy forces.

The system provides comprehensive real-time information with high-level integration from multiple sources on a digital map that can be run on any electronic device, from a laptop to a smartphone.

Digital certificates are used to sign software code and authenticate servers, telling security products running on the operating system that the application has not been tampered with and that the server operator is who they claim to be.

Infection process

As part of this campaign, threat actors used emails or instant messages with fake warnings that users should update “Delta” certificates to continue using the system securely.

The malicious email contains a PDF document purporting to hold certificate installation instructions; the document includes links to download a ZIP archive named “certificates_rootCA.zip”.

Example of email used in the campaign (CERT-UA)
Landing page from which victims download the ZIP file (CERT-UA)

The archive contains a digitally signed executable named “certificates_rootCA.exe”, which, when launched, drops several DLL files onto the victim’s system and starts “ais.exe”, a program that simulates a certificate installation process.

This step convinces the victim that the process was legitimate and reduces the chances that they will realize their system has been infected.

Certificate Installation Dialog (CERT-UA)

The EXE and DLL files are protected with VMProtect, a legitimate software protector that wraps files in a standalone virtual machine and encrypts their contents, making AV scanning or detection impossible.

The dropped DLLs, “FileInfo.dll” and “procsys.dll”, are malware, identified by CERT-UA as “FateGrab” and “StealDeal”.
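The infection chain described above (dropper, two dropped DLLs, decoy installer) can be correlated in endpoint telemetry. The following is an added detection example written for this article, not code from CERT-UA or from the report; the artifact names come from the article, while the event format, field names, PIDs and paths are constructed sample data.

```python
"""Correlate constructed endpoint events to flag the DELTA-lure infection chain."""
import json

# Artifact names as given in the CERT-UA report (compared case-insensitively).
DROPPER = "certificates_rootca.exe"
DROPPED_DLLS = {"fileinfo.dll", "procsys.dll"}
DECOY = "ais.exe"

# Constructed Sysmon-style events, one JSON object per line (sample data, not a real capture).
SAMPLE_EVENTS = r"""
{"type":"process_create","pid":200,"ppid":100,"image":"C:\\Users\\u\\Downloads\\certificates_rootCA.exe"}
{"type":"file_create","pid":200,"target":"C:\\Users\\u\\AppData\\Local\\Temp\\FileInfo.dll"}
{"type":"file_create","pid":200,"target":"C:\\Users\\u\\AppData\\Local\\Temp\\procsys.dll"}
{"type":"process_create","pid":300,"ppid":200,"image":"C:\\Users\\u\\AppData\\Local\\Temp\\ais.exe"}
{"type":"process_create","pid":400,"ppid":100,"image":"C:\\Windows\\notepad.exe"}
{"type":"file_create","pid":400,"target":"C:\\Users\\u\\Documents\\notes.txt"}
"""


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def find_delta_lure_chain(event_lines: str) -> list:
    """Return one finding per dropper process, scored by how much of the chain was observed.

    Score counts each dropped DLL (FileInfo.dll, procsys.dll) plus the decoy child ais.exe,
    so a full chain scores 3. A single indicator is enough to raise a finding."""
    events = [json.loads(line) for line in event_lines.strip().splitlines() if line.strip()]
    droppers = sorted({e["pid"] for e in events
                       if e["type"] == "process_create" and basename(e["image"]) == DROPPER})
    findings = []
    for pid in droppers:
        dlls = {basename(e["target"]) for e in events
                if e["type"] == "file_create" and e["pid"] == pid
                and basename(e["target"]) in DROPPED_DLLS}
        decoy = any(e["type"] == "process_create" and e.get("ppid") == pid
                    and basename(e["image"]) == DECOY for e in events)
        score = len(dlls) + (1 if decoy else 0)
        if score:
            findings.append({"dropper_pid": pid, "dropped_dlls": sorted(dlls),
                             "decoy_launched": decoy, "score": score})
    return findings


if __name__ == "__main__":
    for finding in find_delta_lure_chain(SAMPLE_EVENTS):
        print(json.dumps(finding))
```

Feed it real process-creation and file-creation events in the same shape and a score of 3 means the full chain from the report was observed under one parent process.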

FateGrab is an FTP-based file stealer that targets documents and emails with the following extensions: ‘.txt’, ‘.rtf’, ‘.xls’, ‘.xlsx’, ‘.ods’, ‘.cmd’, ‘.pdf’, ‘.vbs’, ‘.ps1’, ‘.one’, ‘.kdb’, ‘.kdbx’, ‘.doc’, ‘.docx’, ‘.odt’, ‘.eml’, ‘.msg’, ‘.email’.

StealDeal is an information-stealing malware that can, among other things, steal Internet browsing data and passwords stored in the web browser.

CERT-UA was unable to link the above operation to any known threat actors.
