Sandworm Hackers From Russia Distribute Malware by Posing as Ukrainian Telecoms


New findings reveal that a threat cluster connected to the Russian nation-state actor known as Sandworm has kept attacking Ukraine with commodity malware while posing as telecom companies. Recorded Future said it had identified new UAC-0113 infrastructure that impersonates the Datagroup and EuroTransTelecom operators to distribute payloads such as the Colibri loader and Warzone RAT.

According to reports, the cyberattacks targeting Ukrainian telecom companies are an extension of the same operation that previously used phishing emails with lures referencing legal help to disseminate DCRat (or DarkCrystal RAT). The disruptive Russian threat organization Sandworm is well known for carrying out assaults such as the NotPetya attacks in 2017 and the attacks on the Ukrainian electrical grid in 2015 and 2016. It has been positively identified as Unit 74455 of the Russian GRU military intelligence service.

The group, also known as Voodoo Bear, attempted in April to damage computers, networking hardware, and high-voltage electrical substations in Ukraine for the third time, using a new variant of the malware called Industroyer. The gang has also launched many additional attacks since Russia’s invasion of Ukraine, including exploiting the Follina vulnerability (CVE-2022-30190) in the Microsoft Windows Support Diagnostic Tool (MSDT) to compromise media organizations in the Eastern European country.

Additionally, it was identified as the operator of Cyclops Blink, a new modular botnet that enslaved WatchGuard and ASUS routers and internet-connected firewall systems. For its part, the U.S. government has offered rewards of up to $10 million for information leading to the arrest of six APT group-affiliated hackers who participated in harmful cyberattacks against the nation’s critical infrastructure.

“A transition from DarkCrystal RAT to Colibri Loader and Warzone RAT demonstrates UAC-0113’s broadening but continuing use of publicly available commodity malware,” Recorded Future said.

The attacks use phishing domains to host a website purporting to belong to the “Odesa Regional Military Administration,” while HTML smuggling is used to deliver an encoded ISO image payload covertly. HTML smuggling is an evasive malware distribution method that uses ordinary HTML and JavaScript features to assemble the malware inside the victim’s browser, bypassing standard security controls that inspect traffic for downloaded files. According to Recorded Future, the HTML dropper shares characteristics with another HTML dropper attachment used by the APT29 threat actor in a campaign against Western diplomatic posts in May and June 2022.

The ISO file, which was produced on August 5, 2022, contains three files, including an LNK file that deceives the victim into starting the infection process. Opening it installs the Warzone RAT as well as the Colibri loader on the target system. To mask the malicious activity, executing the LNK file also launches a decoy application for Ukrainian nationals to receive financial compensation and gasoline savings.
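The HTML smuggling chain described above (base64 decoded in the browser, assembled into a Blob, and pushed as a forced download of an ISO) leaves recognisable traces in the attachment's JavaScript. The following detector is an added example for triaging HTML attachments, not code from the article or from Recorded Future; the indicator regexes and the two fixture documents are constructed here, and the heuristics are a starting point, not a replacement for detonation in a sandbox.

```python
import re
from html.parser import HTMLParser

# Heuristic HTML-smuggling indicators for defensive triage of HTML attachments:
# in-browser base64 decoding, Blob/object-URL construction, a forced download,
# and a disk-image or archive filename such as the .iso container described above.
INDICATORS = {
    "base64_decode": re.compile(r"\batob\s*\(|String\.fromCharCode", re.I),
    "blob_build": re.compile(r"new\s+Blob\s*\(|createObjectURL\s*\(|msSaveOrOpenBlob", re.I),
    "forced_download": re.compile(r"\.download\s*=|\.click\s*\(\s*\)", re.I),
    "container_name": re.compile(r"[\"'][^\"']*\.(?:iso|img|vhd|zip|rar|7z)[\"']", re.I),
    # a very long base64-looking literal is usually the smuggled payload itself
    "large_base64_literal": re.compile(r"[\"'][A-Za-z0-9+/=]{2000,}[\"']"),
}

class ScriptExtractor(HTMLParser):
    # Collects the text of every <script> element in an HTML document.
    def __init__(self):
        super().__init__()
        self.in_script, self.scripts = False, []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False

    def handle_data(self, data):
        if self.in_script:
            self.scripts.append(data)

def score_html(html: str) -> dict:
    # Returns which indicators fire on the document's inline JavaScript.
    parser = ScriptExtractor()
    parser.feed(html)
    js = "\n".join(parser.scripts)
    return {name: bool(rx.search(js)) for name, rx in INDICATORS.items()}

def is_suspicious(html: str) -> bool:
    # Flag only when decoding, blob construction and a download or container name co-occur.
    h = score_html(html)
    return h["base64_decode"] and h["blob_build"] and (h["forced_download"] or h["container_name"])

# Constructed fixtures (not real samples): a benign page, and one that mirrors the
# decode-to-Blob-to-download pattern using a harmless placeholder string.
BENIGN = "<html><script>document.title = 'Hello ' + new Date();</script></html>"
SMUGGLED = ("<html><script>var b = atob('QUJD'); var f = new Blob([b]);"
            "var a = document.createElement('a'); a.href = URL.createObjectURL(f);"
            "a.download = 'form.iso'; a.click();</script></html>")
```

Run `score_html()` on a quarantined attachment to see which indicators fire; `is_suspicious()` requires the decode, blob and download stages to co-occur so that ordinary pages using a single one of these APIs are not flagged.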


About the author

CIM Team


CyberIntelMag is the trusted authority in cybersecurity, comprised of leading industry experts for over 20 years, dedicated to serving cybersecurity professionals. Our goal is to provide a one-stop shop for knowledge and insight needed to navigate throughout today’s emerging cybersecurity landscape through in-depth coverage of breaking news, tutorials, product reviews, videos and industry influencers.
