The Ukrainian Computer Emergency Response Team (CERT-UA) has revealed a new set of cyberattacks targeting Ukrainian agencies using information-stealing malware.
The activity targets military formations, law enforcement agencies and local self-government bodies, particularly those located near the eastern border of Ukraine.
The attacks involve distributing phishing emails carrying macro-enabled Microsoft Excel spreadsheets (XLSM) that, when opened, deploy two pieces of malware: a PowerShell script taken from the PSSW100AVB (“PowerShell script with 100% AV bypass”) GitHub repository that opens a reverse shell, and the GiftedCrook stealer.
“The file names and email subjects reference relevant and sensitive issues, including related fines, administrative fines, the production of UAVs, and compensation for destroyed property,” CERT-UA said.
“These spreadsheets contain malicious code that automatically converts to malware when the document is opened and macros are enabled, and runs without the user’s knowledge.”
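A macro-enabled workbook is an Office Open XML zip container, and the VBA code lives in a `vbaProject.bin` part, so a mail gateway or triage script can detect macros by content rather than by the extension the attachment claims. The following is an added example for this article, not CERT-UA’s tooling; the sample containers it builds are constructed stand-ins, not real workbooks, and the classification strings are this example’s own.

```python
"""Content-based triage of Office attachments for an embedded VBA project.

Added example (not CERT-UA code). The VBA project of a macro-enabled
document is stored as a 'vbaProject.bin' part inside the OOXML zip
(xl/ for Excel, word/ for Word, ppt/ for PowerPoint), so its presence is
a reliable indicator that the file carries macros.
"""
import io
import zipfile
from typing import Optional, Set


def list_parts(data: bytes) -> Optional[Set[str]]:
    """Return the part names of an OOXML container, or None if data is not a zip."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return set(zf.namelist())
    except zipfile.BadZipFile:
        return None


def has_vba_project(parts: Set[str]) -> bool:
    """True when any part of the container is a VBA project."""
    return any(name.lower().endswith("vbaproject.bin") for name in parts)


def xlsm_has_macros(data: bytes) -> bool:
    """Convenience wrapper: does this byte blob carry a VBA project?"""
    parts = list_parts(data)
    return bool(parts) and has_vba_project(parts)


def triage_attachment(filename: str, data: bytes) -> str:
    """Classify an attachment by its content, then compare with the claimed extension."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    parts = list_parts(data)
    if parts is None:
        return "not an OOXML container"
    if has_vba_project(parts):
        # A VBA project inside a file that claims a macro-free extension is a
        # mismatch worth escalating on its own.
        if ext in ("xlsx", "docx", "pptx"):
            return "macro project inside non-macro extension: suspicious"
        return "macro-enabled document: hold for analysis"
    return "no VBA project: lower risk"


def build_sample_workbook(with_macro: bool) -> bytes:
    """Construct a minimal zip mimicking an XLSM/XLSX container (constructed, not a real workbook)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_macro:
            # Placeholder bytes standing in for an OLE2 VBA project container.
            zf.writestr("xl/vbaProject.bin", b"\xd0\xcf\x11\xe0placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for name, blob in [
        ("invoice.xlsm", build_sample_workbook(True)),
        ("invoice.xlsx", build_sample_workbook(True)),
        ("invoice.xlsx", build_sample_workbook(False)),
        ("invoice.xlsm", b"not a zip at all"),
    ]:
        print(f"{name}: {triage_attachment(name, blob)}")
```

Because the check keys off the container’s parts, renaming the file does not change the verdict; the extension only adds the mismatch signal.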
GiftedCrook, written in C/C++, facilitates the theft of sensitive data from web browsers such as Google Chrome, Microsoft Edge, and Mozilla Firefox, including cookies, browsing history, and authentication data.
The email messages are often sent from compromised accounts through the email client’s web interface, lending a veneer of legitimacy to the message and increasing the likelihood that prospective victims open the document. CERT-UA has not linked the activity to a particular country but attributes it to the threat cluster UAC-0226.

The development comes as the threat actor known as UNC5837, a suspected Russia-nexus espionage group, was linked to a phishing campaign in October 2024 targeting European governments and military organizations.
“The campaign employed a signed .RDP file attachment to establish a Remote Desktop Protocol (RDP) connection from the victim’s machine,” says Google Threat Intelligence Group (GTIG).
“Unlike typical RDP attacks focusing on interactive sessions, this campaign creatively leveraged resource redirection (mapping victim file systems to attacker servers) and RemoteApp (presenting attacker-controlled applications to victims).”
It is worth noting that the RDP campaign was previously documented by CERT-UA, Amazon Web Services, and Microsoft in October 2024, and then by Trend Micro in December. CERT-UA tracks the activity under the name UAC-0215, while others attribute it to the Russian state-sponsored hacking group APT29.
The attacks are also known to use an open-source tool called PyRDP to automate malicious activities such as file theft and the capture of clipboard content that may contain sensitive data such as passwords.
“The campaign allows attackers to read the victim’s drive, steal files, capture clipboard data (including passwords), and retrieve victim environment variables,” GTIG said in a report Monday. “The main objectives of UNC5837 seem to be espionage and file theft.”
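The .RDP attachment described above is a plain-text file of `key:type:value` lines, and the capabilities GTIG lists (reading the victim’s drive, capturing the clipboard, presenting an attacker-controlled application) correspond to specific settings in that file. The scanner below is an added example for this article, not GTIG’s or CERT-UA’s code; the setting names are standard Microsoft .rdp keys, the sample files are constructed, and the host name and signature value are placeholders. It only reports what a file explicitly requests; it does not model the client’s defaults for keys that are absent.

```python
"""Flag .rdp attachments that request resource redirection or RemoteApp.

Added example (not GTIG/CERT-UA code). The keys checked are standard
Microsoft .rdp file settings; the sample files below are constructed.
"""
from typing import Dict, List, Tuple

RdpSettings = Dict[str, Tuple[str, str]]  # key -> (type, value)


def parse_rdp(text: str) -> RdpSettings:
    """Parse 'key:type:value' lines into a dict with lower-cased keys.

    Keys may contain spaces ('full address') and values may contain
    colons, so the line is split at most twice.
    """
    settings: RdpSettings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        parts = line.split(":", 2)
        if len(parts) != 3:
            continue  # skip malformed lines rather than abort the scan
        key, typ, value = parts
        settings[key.strip().lower()] = (typ.strip().lower(), value.strip())
    return settings


def assess_rdp(text: str) -> Dict[str, object]:
    """Summarise the risk-relevant settings an .rdp file explicitly requests."""
    s = parse_rdp(text)
    findings: List[str] = []

    # drivestoredirect:s:* (or a drive list) maps local drives into the session,
    # which is what lets the remote side read and copy the victim's files.
    drives = s.get("drivestoredirect", ("s", ""))[1]
    if drives:
        findings.append(f"drive redirection requested ({drives!r})")

    # redirectclipboard:i:1 shares the local clipboard with the remote host.
    if s.get("redirectclipboard", ("i", "0"))[1] == "1":
        findings.append("clipboard redirection requested")

    # remoteapplicationmode:i:1 makes the remote host present a single
    # application window instead of a full desktop.
    if s.get("remoteapplicationmode", ("i", "0"))[1] == "1":
        prog = s.get("remoteapplicationprogram", ("s", ""))[1]
        findings.append(f"RemoteApp mode requested (program {prog!r})")

    return {
        "target": s.get("full address", ("s", ""))[1],
        "signed": "signature" in s,  # signed files carry a 'signature' key
        "findings": findings,
        "risky": bool(findings),
    }


# Constructed sample resembling the attachment type described in the article.
SAMPLE_RDP = """\
screen mode id:i:2
full address:s:rdp.example.invalid
drivestoredirect:s:*
redirectclipboard:i:1
remoteapplicationmode:i:1
remoteapplicationprogram:s:||ExampleApp
remoteapplicationname:s:Example Application
signscope:s:Full Address,Alternate Shell,Drive Store Direct
signature:s:AQABAAEAAADMAAAA_constructed_placeholder_
"""

# Constructed sample of a connection file that requests none of the above.
BENIGN_RDP = """\
full address:s:rdp.example.invalid
drivestoredirect:s:
redirectclipboard:i:0
remoteapplicationmode:i:0
"""

if __name__ == "__main__":
    for label, text in [("sample", SAMPLE_RDP), ("benign", BENIGN_RDP)]:
        result = assess_rdp(text)
        print(f"{label}: target={result['target']} signed={result['signed']}")
        for f in result["findings"]:
            print(f"  - {f}")
```

A mail gateway can run `assess_rdp` over any attachment with an `.rdp` extension and hold the message when `risky` is true; the `signed` flag is informational, since a valid signature says nothing about the intent of the publisher.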
Over the past few months, phishing campaigns have also been observed distributing Legion Loader (also known as Satacom) using fake CAPTCHAs and Cloudflare Turnstile.
“The initial payload spreads through a drive-by download infection that begins when the victim searches for a specific document and is lured to a malicious website,” Netskope Threat Labs said. “The downloaded document includes a CAPTCHA which, when the victim clicks it, redirects to a Cloudflare Turnstile CAPTCHA and ultimately to a notification page.”
This page encourages users to allow notifications from the site. The victim is then redirected to a second Cloudflare Turnstile CAPTCHA.
In reality, the attack paves the way for the delivery and execution of an MSI installer responsible for launching Legion Loader, which in turn carries out a series of steps to download and run an interim PowerShell script and eventually add a rogue browser extension to the victim’s browser.
To enable the extension, the PowerShell script terminates the browser session, turns on developer mode in the browser settings, and relaunches the browser. The ultimate goal is to capture a wide range of sensitive information and exfiltrate it to the attacker.