Ukraine’s computer emergency response team, CERT-UA, has identified a cyber-espionage campaign targeting an undisclosed government agency in Ukraine.
A threat actor identified by researchers as UAC-0063 “has also shown interest” in targeting Mongolia, Kazakhstan, Kyrgyzstan, Israel and India, according to the report published on Monday.
Researchers initially detected activity associated with UAC-0063 in 2021, but the group’s origins remain unclear. The goal of its attacks, according to CERT-UA, is gathering intelligence.
In their most recent campaign in April, hackers used a compromised email account from the Embassy of Tajikistan in Ukraine to send a malicious email to the Ukrainian government agency.
The email claimed to be an invitation to a supposed meeting with the embassy, but its actual purpose was to infect the recipient with malicious programs. The CERT-UA team labeled them as:
- LOGPIE — a keylogger that captures and logs every keystroke, including passwords, usernames, messages, and other sensitive information entered by the user.
- CHERRYSPY — a backdoor that executes Python code received from a management server.
- STILLARCH — malware used to find and exfiltrate files.
To make their attacks more difficult to investigate and attribute, the hackers used the PyArmor and Themida software tools, which protect programs from reverse engineering, unauthorized access and code theft.
To minimize the impact of the attack from this group, CERT-UA advises organizations to restrict users’ execution of the Windows utility “mshta.exe,” as well as the Windows Script Host applications “wscript.exe” and “cscript.exe,” along with the Python interpreter.
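The restriction CERT-UA recommends can be expressed as an AppLocker policy. The following is an added example, not code from the article or from CERT-UA; it assumes the deny rules should apply to the built-in Users group (SID S-1-5-32-545) while Administrators keep full access, and the rule Ids are constructed GUIDs.

```powershell
# Added example, not from the article or CERT-UA: an AppLocker policy that
# denies the interpreters named in the advisory to standard users (Users
# group SID S-1-5-32-545). Deny rules override allow rules, and the three
# default allow rules are required because an enforced Exe collection with
# no allow rule blocks every executable. Rule Ids are constructed GUIDs.
$policy = @'
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePathRule Id="11111111-0000-4000-8000-000000000001" Name="Allow Windows" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*"/></Conditions>
    </FilePathRule>
    <FilePathRule Id="11111111-0000-4000-8000-000000000002" Name="Allow Program Files" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*"/></Conditions>
    </FilePathRule>
    <FilePathRule Id="11111111-0000-4000-8000-000000000003" Name="Allow Administrators" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*"/></Conditions>
    </FilePathRule>
    <!-- leading wildcard covers both the System32 and SysWOW64 copies -->
    <FilePathRule Id="11111111-0000-4000-8000-000000000004" Name="Deny mshta" UserOrGroupSid="S-1-5-32-545" Action="Deny">
      <Conditions><FilePathCondition Path="*\mshta.exe"/></Conditions>
    </FilePathRule>
    <FilePathRule Id="11111111-0000-4000-8000-000000000005" Name="Deny wscript" UserOrGroupSid="S-1-5-32-545" Action="Deny">
      <Conditions><FilePathCondition Path="*\wscript.exe"/></Conditions>
    </FilePathRule>
    <FilePathRule Id="11111111-0000-4000-8000-000000000006" Name="Deny cscript" UserOrGroupSid="S-1-5-32-545" Action="Deny">
      <Conditions><FilePathCondition Path="*\cscript.exe"/></Conditions>
    </FilePathRule>
    <FilePathRule Id="11111111-0000-4000-8000-000000000007" Name="Deny python" UserOrGroupSid="S-1-5-32-545" Action="Deny">
      <Conditions><FilePathCondition Path="*\python.exe"/></Conditions>
    </FilePathRule>
    <FilePathRule Id="11111111-0000-4000-8000-000000000008" Name="Deny pythonw" UserOrGroupSid="S-1-5-32-545" Action="Deny">
      <Conditions><FilePathCondition Path="*\pythonw.exe"/></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
'@
$path = Join-Path $env:TEMP 'deny-script-hosts.xml'
Set-Content -Path $path -Value $policy -Encoding UTF8

# Dry run against the live binaries: expect PolicyDecision = Denied for a standard user.
$targets = 'mshta.exe', 'wscript.exe', 'cscript.exe' | ForEach-Object { Join-Path $env:WINDIR "System32\$_" }
Test-AppLockerPolicy -XmlPolicy $path -Path $targets -User 'S-1-5-32-545' | Format-Table FilePath, PolicyDecision, MatchingRule

# Apply in audit mode first (needs admin rights and the Application Identity service),
# review the AppLocker event log for legitimate scripts that would break, then change
# EnforcementMode to "Enabled". -Merge keeps any rules already deployed.
Set-AppLockerPolicy -XmlPolicy $path -Merge
```

The Python path rules only catch interpreters named python.exe or pythonw.exe; a vendored or renamed interpreter needs a publisher or hash rule instead.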
Cybersecurity researchers are tracking several cyber-espionage campaigns aimed at Ukraine. In February, analysts at Symantec said a group labeled as Nodaria or UAC-0056 was using malware known as Graphiron against targets in Ukraine.
Source: The Record