People in Ukraine are being warned about a new wave of cyberattacks that are aimed at getting into their Telegram accounts.
To gain access to the accounts, the attackers sent messages containing malicious links to a site posing as Telegram, which let them capture the one-time code delivered by text message, Ukraine's State Service of Special Communication and Information Protection warned.
The attacks, which have been linked to a threat cluster called "UAC-0094," start with Telegram messages that tell recipients that a new login has been detected from a device in Russia and ask them to click on a link to confirm their accounts.
People who click on the URL, which turns out to be a phishing site, are asked to enter their phone numbers and one-time passwords sent by text message. The threat actors then use these to take over the accounts.
The same method was used in an earlier phishing attack, disclosed in early March, that used hacked inboxes of Indian entities to send phishing emails to Ukr.net users and steal their accounts.
In another social engineering campaign observed by Ukraine's Computer Emergency Response Team (CERT-UA), war-themed emails were sent to Ukrainian government agencies to lure them into downloading espionage malware.
The emails carry an HTML attachment named "War Criminals of the Russian Federation.htm". When the file is opened, it downloads and installs a PowerShell-based implant on the compromised host.
Since at least 2013, Ukraine has been targeted by Armageddon, a Russian group with ties to the Federal Security Service (FSB), so this is not the first time the group has gone after Ukraine.
In February 2022, the hacking group was linked to espionage attacks on government, military, non-government organizations (NGOs), judiciary, law enforcement, and non-profit organizations. The group's main goal was to get sensitive information out of these groups.
As part of a similar phishing attack at the end of March 2022, Armageddon, also known as Gamaredon, is thought to have targeted Latvian government officials. They used war-themed RAR archives to send malware.
Other phishing campaigns that CERT-UA has seen recently have used malware like GraphSteel, GrimPlant, HeaderTip, LoadEdge, and SPECTR, as well as a Ghostwriter-led operation to install the Cobalt Strike post-exploitation framework.
It comes as a number of advanced persistent threat (APT) groups from Iran, China, North Korea, and Russia have used the ongoing conflict between Russia and Ukraine as a pretext to backdoor victim networks and carry out other malicious activity.