
Hackers used an email account belonging to the Ukrainian Ministry of Defense to launch a phishing campaign against DELTA. On December 18th, CERT-UA (the Computer Emergency Response Team of Ukraine) warned that the DELTA military system was being targeted with info-stealing malware.

DELTA is a cloud-based battlefield situational-awareness platform created in Ukraine to NATO requirements. It offers a real-time, comprehensive overview of the battlefield, merging enemy data from various sensors and sources into a single digital map.

The Phishing Campaign Explained

Cybercriminals used the compromised Ukrainian Ministry of Defense email account to send messages that masqueraded as warnings to users of the DELTA system. Recipients were urged to update their digital certificates in order to keep using the system safely.

The malicious email included a PDF document that appeared to contain certificate installation instructions, as well as links to download a ZIP archive named “certificates_rootCA.zip.”


The threat actors tried to convince victims that the process was legitimate by including a simulated certificate installation, reducing the chance that victims would realise they had been compromised.

The archive contains a digitally signed executable named “certificates_rootCA.exe” which, when launched, drops several DLL files onto the victim’s system and runs “ais.exe,” which simulates the certificate installation process.


The EXE and the DLLs are protected with VMProtect, a legitimate commercial protector that wraps files in a standalone virtual machine, encrypts their content, and hinders AV analysis and detection.

According to CERT-UA, the DLLs “FileInfo.dll” and “procsys.dll” are “FateGrab” and “StealDeal,” two types of info-stealing malware.
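As an added illustration of the defender-side check the lure above invites (this is not the article's or CERT-UA's code), the Python triage below flags a ZIP archive that advertises certificates but carries Windows executables, using the file names quoted in the article. The archive contents are constructed dummies with only an 'MZ' header, and the list of certificate extensions is an assumption about what a genuine bundle would contain.

```python
import io
import zipfile

# File names quoted from the CERT-UA advisory summarised above.
LURE_ARCHIVE = "certificates_rootCA.zip"
KNOWN_LURE_NAMES = {"certificates_rootCA.exe", "ais.exe", "FileInfo.dll", "procsys.dll"}
# Assumption: what a genuine certificate bundle would plausibly contain.
CERT_EXTENSIONS = (".cer", ".crt", ".pem", ".der", ".p7b", ".pfx")

# Constructed sample entries mimicking the lure (dummy 'MZ' header, no real code).
LURE_ENTRIES = {
    "certificates_rootCA.exe": b"MZ" + b"\x00" * 62,
    "readme.txt": b"Update your certificate to keep using the system.",
}


def build_constructed_zip(entries: dict) -> bytes:
    """Build an in-memory ZIP from name -> bytes so the check runs offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def triage_archive(archive_name: str, data: bytes) -> dict:
    """Flag an archive that promises certificates but carries PE files, or that
    contains the file names from the described campaign."""
    findings = {"pe_files": [], "known_lure_names": [], "cert_files": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            base = info.filename.rsplit("/", 1)[-1]
            with zf.open(info) as fh:
                head = fh.read(2)          # judge by content, not by extension
            if head[:2] == b"MZ":          # DOS header of any Windows EXE/DLL
                findings["pe_files"].append(info.filename)
            if base in KNOWN_LURE_NAMES:
                findings["known_lure_names"].append(base)
            if base.lower().endswith(CERT_EXTENSIONS):
                findings["cert_files"].append(info.filename)
    claims_certs = "cert" in archive_name.lower()
    findings["suspicious"] = bool(findings["pe_files"]) and (
        claims_certs or bool(findings["known_lure_names"]))
    return findings
```

Run `triage_archive(LURE_ARCHIVE, build_constructed_zip(LURE_ENTRIES))` to see the constructed lure flagged as suspicious; a bundle containing only `.cer` files is not.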

FateGrab, an FTP-based file stealer, targets documents and emails across a wide range of file formats: ‘.txt’, ‘.rtf’, ‘.xls’, ‘.xlsx’, ‘.ods’, ‘.cmd’, ‘.pdf’, ‘.vbs’, ‘.ps1’, ‘.one’, ‘.kdb’, ‘.kdbx’, ‘.doc’, ‘.docx’, ‘.odt’, ‘.eml’, ‘.msg’, ‘.email’.

StealDeal lets the threat actors extract internet browsing data and passwords stored in the browser.
