Russian Threat Actor Targets Ukraine Ministry and Polish Police in Similar Campaigns

Hackers have been using a fake version of the Ministry of Foreign Affairs of Ukraine website an attempt to trick people into downloading the software needed to "scan infected PCs on viruses," the Emergency Response Team of Ukraine (CERT-UA) has revealed.

The common denominator between a regular attack targeting consumers and an attack looking to compromise devices connecting to a ministry's website is the human component. In both situations, human negligence is the hackers' real entry point.

"If a user follows the link, the BAT file ’Protector.bat‘ will be served onto the victim's PC," CERT-UA security researchers have explained. “Leveraging powershell.exe BAT-file would download and execute several PowerShell scripts, one of which would recursively scan the Desktop folder for files with the following extensions: .edb, .ems, .eme, .emz, .key, .pem, .ovpn, .bat, .cer, .p12, .cfg, .log, .txt, .pdf, .doc, .docx, .xls, .xlsx, .rdg, aft, as well as take screenshots and exfiltrate data using HTTP. Also, Scheduled Tasks would be created for persistence purposes.”

While hackers have been focusing their attacks on Ukraine in recent years, neighboring countries have been targeted as well. Security researchers blame the same group for several other phishing websites that mimic web pages of the Security Service of Ukraine and the Polish Police.

CERT-UA says it's highly likely that Russian actors, identified as UAC-0114, aka Winter Vivern, are behind the attacks. Security researchers have published a complete list of indicators of compromise for the malware identified in the attack.