According to the Computer Emergency Response Team of Ukraine (CERT-UA), Russian hackers are sending fraudulent emails to various Ukrainian government organizations that purport to give instructions on how to update Windows as a protection against cyberattacks. CERT-UA attributes the emails to the Russian state-sponsored hacking group APT28 (also known as Fancy Bear), which impersonated the system administrators of the targeted organizations to make the lure more convincing.
To do this, the attackers created @outlook.com email accounts under the names of genuine employees, identities they had obtained by unknown means during the attack's planning phase. Instead of real instructions for updating Windows computers, the malicious emails direct recipients to run a PowerShell command. That command downloads a PowerShell script that simulates a Windows update procedure on the PC while, in the background, fetching a second PowerShell payload.
The second-stage payload is a straightforward information-gathering tool: it runs the "tasklist" and "systeminfo" commands and transmits their output to a Mocky service API via an HTTP request. Mocky is a legitimate service for creating custom mock HTTP responses; in this instance, however, APT28 abused it as an exfiltration endpoint. CERT-UA advises system administrators to restrict PowerShell execution on important machines and to monitor network traffic for calls to the Mocky service API.
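CERT-UA's two recommendations above translate into two detections: outbound requests to the Mocky service from endpoints that have no business using it, and PowerShell spawning the "tasklist" and "systeminfo" reconnaissance commands. The script below is an added defender example written for this article, not CERT-UA's or APT28's code. It assumes the Mocky API is served under the mocky.io domain, assumes a simple proxy log format of `timestamp src_ip method url status`, and scans constructed sample log lines and constructed process-creation events (Sysmon-style parent/child image fields).

```python
"""Added defender example (not from the article or CERT-UA): flag proxy log
lines that reach the Mocky service API and process-creation events where
PowerShell spawns tasklist/systeminfo, the two behaviours described above."""
import ntpath
import re
from dataclasses import dataclass

# Assumption: Mocky's public API lives under mocky.io; any host in that zone
# is suspicious on a government workstation that has no reason to use it.
MOCKY_HOST_RE = re.compile(r"(^|\.)mocky\.io$", re.IGNORECASE)

# Assumed proxy log layout (constructed): "<timestamp> <src_ip> <method> <url> <status>"
PROXY_LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(GET|POST|PUT)\s+(\S+)\s+(\d{3})$")

# Built-in recon tools the second-stage payload is reported to run.
RECON_TOOLS = {"tasklist.exe", "systeminfo.exe"}


@dataclass
class Finding:
    kind: str      # "mocky_api_call" or "powershell_recon"
    source: str    # src IP (proxy) or hostname (process event)
    detail: str


def host_of(url: str) -> str:
    """Return the lower-cased host portion of an http(s) URL, or '' if none."""
    m = re.match(r"^https?://([^/:]+)", url, re.IGNORECASE)
    return m.group(1).lower() if m else ""


def scan_proxy(lines):
    """Flag every well-formed proxy line whose destination host is in mocky.io."""
    findings = []
    for line in lines:
        m = PROXY_LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the assumed layout
        ts, src, method, url, status = m.groups()
        host = host_of(url)
        if MOCKY_HOST_RE.search(host):
            findings.append(Finding("mocky_api_call", src, f"{method} {url} ({status}) at {ts}"))
    return findings


def scan_processes(events):
    """Flag process-creation events where powershell.exe spawns a recon tool."""
    findings = []
    for ev in events:
        parent = ntpath.basename(ev["parent_image"]).lower()
        child = ntpath.basename(ev["image"]).lower()
        if parent == "powershell.exe" and child in RECON_TOOLS:
            findings.append(Finding("powershell_recon", ev["host"], f"{parent} -> {child}: {ev['cmd']}"))
    return findings


# Constructed sample data: one exfiltration-style POST among normal traffic,
# and two recon child processes under PowerShell on the same workstation.
PROXY_SAMPLE = [
    "2023-05-02T09:14:03Z 10.20.30.41 GET https://update.microsoft.com/windowsupdate/v6/default.aspx 200",
    "2023-05-02T09:14:07Z 10.20.30.41 POST https://run.mocky.io/v3/placeholder-id 200",
    "2023-05-02T09:15:00Z 10.20.30.42 GET https://www.example.org/ 200",
    "malformed line that the parser should ignore",
]
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
PROCESS_SAMPLE = [
    {"host": "WS-41", "parent_image": PS, "image": r"C:\Windows\System32\tasklist.exe", "cmd": "tasklist"},
    {"host": "WS-41", "parent_image": PS, "image": r"C:\Windows\System32\systeminfo.exe", "cmd": "systeminfo"},
    {"host": "WS-42", "parent_image": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\notepad.exe", "cmd": "notepad"},
]


def run_sample():
    """Run both scanners over the constructed samples and return all findings."""
    return scan_proxy(PROXY_SAMPLE) + scan_processes(PROCESS_SAMPLE)


if __name__ == "__main__":
    for f in run_sample():
        print(f"[{f.kind}] {f.source}: {f.detail}")
```

In a real deployment the two signals are worth correlating: a workstation that both spawns tasklist/systeminfo from PowerShell and then posts to mocky.io within a few minutes matches the reported chain far more tightly than either event alone, and the proxy match is the cheaper one to add to an existing egress allow-list review.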
According to a recent analysis by Google's Threat Analysis Group, APT28 was a significant contributor to the phishing attacks against Ukraine in the first quarter of 2023, accounting for around 60% of all emails that carried malicious attachments. Earlier this month, US and UK intelligence services and Cisco warned that APT28 was actively exploiting a zero-day vulnerability in Cisco routers to deploy the malware known as "Jaguar Tooth" and gather intelligence from US- and EU-based targets.
In March 2023, Microsoft patched CVE-2023-23397, an Outlook zero-day vulnerability that APT28 had been exploiting since April 2022 to infiltrate the networks of European governmental, military, energy, and transportation organizations. Notably, in attacks against Russian government organizations last year, Chinese hackers similarly lured victims with fake Windows updates before dropping malicious executables.