December 21, 2022

The Ukrainian military has alerted the national cybersecurity response team to a phishing campaign whose operators plan to steal files and siphon internet browser data.

According to CERT-UA (Computer Emergency Response Team of Ukraine), the attackers utilised hacked email accounts belonging to Ministry of Defense employees, as well as chat apps, to send out messages informing recipients about the need to update Delta system certificates. The malicious emails include documents with links to archive files hosted on a fake Delta domain.

The email in question contains a malicious PDF attachment with instructions on how to do so, as well as a link to a malicious ZIP archive.

If a recipient clicks on the link, a “certificates_rootca.zip” archive containing the “certificates_rootCA.exe” executable file protected by VMProtect will be downloaded to their computer, CERT-UA said.

“After running the exe file, several DLL files, also protected by VMProtect, and an ‘ais.exe’ file simulating the certificate installation process will be created on the PC,” it added.

According to CERT-UA, the executable contained in the malicious zip file that users were urged to download from the site was also compiled and digitally signed. It ran an application simulating the certificate installation process on a Windows desktop to make the infection process appear legitimate.

Two malicious applications were launched by the malware. One, dubbed “FateGrab” by CERT-UA, searched for files associated with documents, such as Microsoft Office file extensions, as well as files such as stored PowerShell commands or script files. FTP was the threat actor’s method of exfiltration.

The sources for this piece include an article in BleepingComputer.