TLDR:
Ukraine’s CERT-UA has warned of a new phishing campaign targeting government computers, distributing malware for remote desktop access. The attack involves mass emails with ZIP files containing malware, including ANONVNC based on MeshAgent. This comes as the agency also warns of other malware and phishing attacks targeting users’ credentials.
Article Summary:
The Computer Emergency Response Team of Ukraine (CERT-UA) has issued a warning about a new phishing campaign targeting government computers in Ukraine. The campaign, tracked as UAC-0198, impersonates the Security Service of Ukraine and distributes malware capable of remote desktop access. It has already infected over 100 computers, including those belonging to government bodies in the country. The attack relies on mass emails carrying ZIP archives that contain an MSI installer, which deploys malware named ANONVNC. This malware is based on an open-source tool called MeshAgent and allows unauthorized access to infected hosts.
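A triage check for the delivery chain described above (a ZIP archive carrying an MSI installer), added here as an example that is not from CERT-UA or the original article: it lists ZIP members that look like MSI packages, either by extension or by the OLE compound-file magic bytes that MSI files start with. The function names, labels and sample archive are constructed for illustration, and the nesting limit is an assumption.

```python
import io
import zipfile

# OLE2 Compound File magic; MSI packages use this container format.
CFB_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")
MAX_DEPTH = 2  # assumption: follow nested ZIPs at most two levels down


def find_msi_members(zip_bytes, depth=0, prefix=""):
    """Return (member_path, reason) for each entry that looks like an MSI."""
    findings = []
    try:
        archive = zipfile.ZipFile(io.BytesIO(zip_bytes))
    except zipfile.BadZipFile:
        return findings
    with archive:
        for info in archive.infolist():
            path = prefix + info.filename
            is_msi_name = info.filename.lower().endswith(".msi")
            if info.flag_bits & 0x1:
                # Encrypted entries cannot be inspected; surface them for review.
                findings.append((path, "encrypted-member"))
                continue
            with archive.open(info) as member:
                head = member.read(8)
            if head == CFB_MAGIC:
                # The magic also matches legacy .doc/.xls, so the name sets the label.
                findings.append((path, "msi" if is_msi_name else "cfb-renamed-or-ole"))
            elif is_msi_name:
                findings.append((path, "msi-extension-only"))
            elif head[:4] == b"PK\x03\x04" and depth < MAX_DEPTH:
                findings += find_msi_members(archive.read(info), depth + 1, path + "!")
    return findings


def build_sample():
    """Constructed sample: a ZIP with a fake MSI, a text file and a nested ZIP."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("update.dat", CFB_MAGIC + b"\x00" * 64)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("documents.msi", CFB_MAGIC + b"\x00" * 64)
        z.writestr("readme.txt", "constructed sample")
        z.writestr("more.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    print(find_msi_members(build_sample()))
```

A hit is a reason to quarantine the attachment for analysis, not proof of ANONVNC; legitimate software is also shipped as MSI inside ZIP archives.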
In addition to this campaign, CERT-UA has linked other threats to hacking groups UAC-0102 and UAC-0057. UAC-0102 is responsible for phishing attacks using HTML attachments that mimic the login page of UKR.NET to steal users’ credentials. Meanwhile, UAC-0057 has been distributing the PicassoLoader malware with the goal of deploying Cobalt Strike Beacon on compromised systems. It is suggested that the targets of UAC-0057 could be specialists of project offices and employees of local governments in Ukraine.
Overall, the warning from CERT-UA highlights the ongoing cybersecurity threats faced by government entities and individuals in Ukraine. It underscores the importance of vigilance and robust cybersecurity measures to protect against phishing campaigns and malware attacks.