In mid-March 2022, at least three distinct advanced persistent threat (APT) groups from different parts of the world launched spear-phishing campaigns that use the ongoing Russo-Ukrainian conflict as a lure to deliver malware and steal sensitive data. The campaigns were attributed to El Machete, Lyceum, and SideWinder, and they targeted sectors including finance, energy, and government in Israel, Venezuela, Saudi Arabia, Nicaragua, and Pakistan.
“The attackers use decoys ranging from official-looking documents to news articles or even job postings, depending on the targets and region,” according to a report by Check Point Research. “Many of these lure documents utilize malicious macros or template injection to gain an initial foothold into the targeted organizations, and then launch malware attacks.”
El Machete, a Spanish-speaking threat actor first documented by Kaspersky in August 2014, uses macro-laced decoy documents in its infection chains to deliver Loki.Rat, an open-source remote access trojan. The RAT can log keystrokes, harvest credentials and clipboard contents, manipulate files, and execute arbitrary commands.
A second campaign, according to Check Point, comes from the Iranian APT group Lyceum, which sent phishing emails about “Russian war crimes in Ukraine” to deliver first-stage .NET and Golang droppers. These in turn install a backdoor that runs files downloaded from a remote server.
The third is SideWinder, a state-sponsored group alleged to operate in support of Indian political interests, with a particular focus on Pakistan and China. Here the attack chain uses a weaponized document that exploits the Microsoft Office Equation Editor vulnerability (CVE-2017-11882) to deliver information-stealing malware. CVE-2017-11882 is a stack buffer overflow in the legacy Equation Editor component (EQNEDT32.EXE) that Microsoft patched in November 2017 and later removed from Office altogether; because it needs no macros, it sidesteps macro-blocking controls, which is why it keeps appearing in lures years after the fix.
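The three initial-access techniques named above (VBA macros, remote template injection, and embedded Equation Editor objects) all leave static traces inside an OOXML container, so a mail gateway or sandbox can flag a lure before anyone opens it. The script below is an added example written for this page, not Check Point's tooling or code from any of the groups described: it builds a few constructed .docx samples in memory (the template URL 198.51.100.7/lure.dotm is a placeholder, not an observed indicator) and checks each for the three indicators. It covers OOXML files only; RTF-based delivery of CVE-2017-11882, which is also common, needs a separate parser.

```python
"""Static triage of OOXML (.docx) lures for the three initial-access techniques
named in the article: VBA macros, remote template injection and embedded
Equation Editor (Equation.3) objects. Added example, not Check Point's tooling."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = (
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
)
WORD_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
# ProgIDs that load the legacy Equation Editor (EQNEDT32.EXE), the component
# patched for CVE-2017-11882.
EQUATION_PROGIDS = {"Equation.3", "Equation.2"}


def triage_docx(data: bytes) -> dict:
    """Return the indicators found in an OOXML container held in memory."""
    findings = {"macros": False, "external_templates": [], "equation_objects": 0}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        # 1. Macro-enabled documents carry the VBA project as a binary part.
        findings["macros"] = any(n.lower().endswith("vbaproject.bin") for n in names)
        # 2. Template injection: an attachedTemplate relationship whose target
        #    is external makes Word fetch a remote .dotm (and run its macros).
        for name in names:
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if (rel.get("TargetMode") == "External"
                        and rel.get("Type") == ATTACHED_TEMPLATE):
                    findings["external_templates"].append(rel.get("Target"))
        # 3. Equation Editor OLE objects referenced from the document body.
        if "word/document.xml" in names:
            body = z.read("word/document.xml").decode("utf-8", "replace")
            for progid in re.findall(r'ProgID="([^"]+)"', body):
                if progid in EQUATION_PROGIDS:
                    findings["equation_objects"] += 1
    return findings


def is_suspicious(findings: dict) -> bool:
    """Any one indicator is enough to pull the file for analysis."""
    return bool(findings["macros"] or findings["external_templates"]
                or findings["equation_objects"])


def build_sample(template_url=None, macros=False, equation=False) -> bytes:
    """Construct a minimal .docx in memory (constructed sample, not a real lure)."""
    rels = [f'<Relationships xmlns="{REL_NS}">']
    if template_url:  # hypothetical attacker-hosted template
        rels.append(f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
                    f'Target="{template_url}" TargetMode="External"/>')
    rels.append("</Relationships>")
    ole = ('<o:OLEObject Type="Embed" ProgID="Equation.3" r:id="rId5"/>'
           if equation else "")
    document = (f'<w:document xmlns:w="{WORD_NS}" '
                'xmlns:o="urn:schemas-microsoft-com:office:office">'
                f'<w:body><w:p>{ole}</w:p></w:body></w:document>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", document)
        z.writestr("word/settings.xml", f'<w:settings xmlns:w="{WORD_NS}"/>')
        z.writestr("word/_rels/settings.xml.rels", "\n".join(rels))
        if macros:
            # Only the OLE compound-file magic; a real part would hold VBA streams.
            z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0")
    return buf.getvalue()


if __name__ == "__main__":
    samples = {
        "clean": build_sample(),
        "template_injection": build_sample(template_url="http://198.51.100.7/lure.dotm"),
        "macro": build_sample(macros=True),
        "equation_editor": build_sample(equation=True),
    }
    for label, blob in samples.items():
        found = triage_docx(blob)
        print(f"{label:20s} suspicious={is_suspicious(found)} {found}")
```

The relationship check is the one worth keeping even if you use a commercial scanner: a template reference with TargetMode="External" has no legitimate reason to point at an arbitrary HTTP host, and the target URL doubles as a network indicator for hunting in proxy logs.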
Separate reporting from Google’s Threat Analysis Group (TAG) found that state-backed groups from Iran, North Korea, China, and Russia, along with a range of criminal and financially motivated actors, are using war-related themes in phishing campaigns, online extortion attempts, and other malicious activity.