Heimdal
Attackers used a compromised email account belonging to the Ukrainian Ministry of Defense to launch a phishing campaign against users of DELTA. On December 18th, CERT-UA (the Computer Emergency Response Team of Ukraine) warned that the DELTA military system was being targeted with info-stealing malware.

DELTA is a cloud-based battlefield situational awareness platform developed in Ukraine to NATO standards. It provides a real-time, comprehensive picture of the battlefield by merging enemy data from various sensors and sources onto a single digital map.

The Phishing Campaign Explained

The threat actors used the compromised Ministry of Defense email account to send messages that masqueraded as warnings to DELTA users. Recipients were urged to update their digital certificates in order to keep using the system securely. Because the sender address was genuine, ordinary sender checks such as SPF, DKIM and DMARC would have passed; the only reliable tells were the attachment and the download link.

The malicious email carried a PDF document that appeared to contain certificate installation instructions, together with links to download a ZIP archive named “certificates_rootCA.zip.”


To convince victims that the process was legitimate, the threat actors included a simulated certificate installation, reducing the chance that victims would realize they had been compromised.

The archive contains a digitally signed executable named “certificates_rootCA.exe” which, upon launch, drops several DLL files on the victim’s system and starts “ais.exe,” the component that simulates the certificate installation process. The signature only shows that the binary has not been modified since it was signed; it says nothing about the signer’s intent, so a valid signature should not be treated as a sign of safety.


The EXE files and the DLLs are protected with VMProtect, a commercial code protector that translates parts of a program into bytecode for its own virtual machine and encrypts the remainder. This is a legitimate anti-tampering product, but it also hampers static analysis and antivirus detection, which is why malware authors use it.

According to CERT-UA, the DLLs “FileInfo.dll” and “procsys.dll” are “FateGrab” and “StealDeal,” two info-stealing malware families.
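The execution chain described above (the dropper “certificates_rootCA.exe” spawning “ais.exe” and loading the two stealer DLLs) is exactly the kind of pattern a detection engineer would hunt for in endpoint telemetry. The following is an added example, not code from the article or from CERT-UA: it correlates Sysmon-style process-creation (Event ID 1) and image-load (Event ID 7) events by process GUID and flags the chain. The sample events are constructed for the example, and the file paths in them are hypothetical.

```python
"""Hunt for the DELTA lure execution chain in Sysmon-style telemetry (added example)."""
import json
from collections import defaultdict

# Indicators taken from the CERT-UA description quoted in the article.
LURE_DROPPER = "certificates_rootca.exe"
LURE_CHILD = "ais.exe"
STEALER_DLLS = {"fileinfo.dll", "procsys.dll"}

# Constructed sample telemetry (not real logs): Sysmon Event ID 1 (process create)
# and Event ID 7 (image load), flattened to one JSON object per line.
# Paths and GUIDs are hypothetical; the file names are the ones named by CERT-UA.
SAMPLE_EVENTS = r"""
{"EventID": 1, "ProcessGuid": "{A1}", "Image": "C:\\Users\\u\\Downloads\\certificates_rootCA.exe", "ParentImage": "C:\\Windows\\explorer.exe"}
{"EventID": 7, "ProcessGuid": "{A1}", "Image": "C:\\Users\\u\\Downloads\\certificates_rootCA.exe", "ImageLoaded": "C:\\Users\\u\\AppData\\Local\\Temp\\FileInfo.dll"}
{"EventID": 7, "ProcessGuid": "{A1}", "Image": "C:\\Users\\u\\Downloads\\certificates_rootCA.exe", "ImageLoaded": "C:\\Users\\u\\AppData\\Local\\Temp\\procsys.dll"}
{"EventID": 1, "ProcessGuid": "{A2}", "Image": "C:\\Users\\u\\AppData\\Local\\Temp\\ais.exe", "ParentImage": "C:\\Users\\u\\Downloads\\certificates_rootCA.exe"}
{"EventID": 1, "ProcessGuid": "{B1}", "Image": "C:\\Windows\\System32\\notepad.exe", "ParentImage": "C:\\Windows\\explorer.exe"}
{"EventID": 7, "ProcessGuid": "{B1}", "Image": "C:\\Windows\\System32\\notepad.exe", "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll"}
"""


def basename(path: str) -> str:
    """Return the lower-cased file name from a Windows (or POSIX) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def hunt(lines):
    """Scan JSON event lines and return findings as (ProcessGuid, reason) tuples.

    Process-creation matches are emitted as they are seen; image-load matches are
    grouped per process so that a process loading both stealer DLLs yields one finding.
    """
    findings = []
    dlls_by_proc = defaultdict(set)
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        image = basename(ev.get("Image", ""))
        if ev["EventID"] == 1:
            parent = basename(ev.get("ParentImage", ""))
            if image == LURE_DROPPER:
                findings.append((ev["ProcessGuid"], "lure dropper executed"))
            if image == LURE_CHILD and parent == LURE_DROPPER:
                findings.append((ev["ProcessGuid"], "fake certificate installer spawned by dropper"))
        elif ev["EventID"] == 7:
            loaded = basename(ev.get("ImageLoaded", ""))
            if loaded in STEALER_DLLS:
                dlls_by_proc[ev["ProcessGuid"]].add(loaded)
    for guid, dlls in dlls_by_proc.items():
        findings.append((guid, "stealer DLL loaded: " + ", ".join(sorted(dlls))))
    return findings


if __name__ == "__main__":
    for guid, reason in hunt(SAMPLE_EVENTS.splitlines()):
        print(guid, reason)
```

File names are the weakest indicator an actor can change between waves, so in production the same correlation should key on the hashes and the code-signing certificate published by CERT-UA rather than on names alone; the value of the example is the parent/child and DLL-load correlation, which survives a rename.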

FateGrab, which exfiltrates over FTP, targets documents and emails across a wide range of file formats: ‘.txt’, ‘.rtf’, ‘.xls’, ‘.xlsx’, ‘.ods’, ‘.cmd’, ‘.pdf’, ‘.vbs’, ‘.ps1’, ‘.one’, ‘.kdb’, ‘.kdbx’, ‘.doc’, ‘.docx’, ‘.odt’, ‘.eml’, ‘.msg’ and ‘.email’. The inclusion of ‘.kdb’ and ‘.kdbx’ (KeePass databases) and of script files is notable: the stealer is after credentials and operational material, not just correspondence.

StealDeal, in turn, extracts browsing data and passwords saved in the browser.


Author Profile

Livia Gyongyoși

Communications and PR Officer

Livia Gyongyoși is a Communications and PR Officer within Heimdal®, passionate about cybersecurity. Always interested in being up to date with the latest news regarding this domain, Livia's goal is to keep others informed about best practices and solutions that help avoid cyberattacks.
